Never Mind If Cloud Is Secure. Can You Prove It?

It doesn’t matter how secure cloud computing is, says Wayne Rash. To comply with regulations, you will have to prove it. 

There’s plenty of buzz around cloud computing. Some of it addresses the question of whether cloud computing is safe (with Google arguing that the cloud is more secure). But there is a further question: can you prove that it’s safe?

“Is cloud computing ready for prime time?” asked Amy DeCarlo, principal analyst for managed IT services at Current Analysis. “I would say no. There’s not a lot of transparency; there’s not a lot of confidence.”

And, even if your data really is secure in the cloud, you may not be able to prove it, said DeCarlo.

“[Public cloud providers] don’t have the pieces to meet the regulatory requirements; they don’t have the means to meet the compliance issues related to security,” she said. “That’s not to say there won’t be a time, or that cloud service providers can’t provide something useful to the enterprise.”

The issue, according to DeCarlo, is that cloud providers don’t meet current compliance rules. What’s more, some of those providers, such as Amazon.com, have said that they don’t intend to meet those rules and that they won’t allow compliance auditors on-site. This pretty much eliminates any chance of using public cloud providers for anything that must meet any of the government regulations involving protected data either in the United States or the European Union.

And it gets more complex.

“Any client using the public cloud that collects personally identifiable information is subject to the regulations of each state where they are,” explained IBM Director of Corporate Security Strategy Kris Lovejoy. This means that every place in which the data may reside, or through which the data must pass, can regulate how the data is protected. “How can you ask a company to respond to the requirements of every state, not to mention cross-border situations?” asked Lovejoy.

The use of the public cloud also implies the use of virtualisation to move data and compute requirements to the place that’s cheapest and/or most suitable. You have no good way of knowing where your data is, how it’s protected, or what other data and processing are going on in the same infrastructure. In fact, your provider probably doesn’t know, and neither does your auditor.

So, what can you do?

Right now, the public cloud is probably out of the question for any data that’s subject to government or industry compliance rules [which must raise questions about Conservative plans to put NHS data there – Editor].

But that doesn’t mean you can’t use the public cloud. “There are a lot of use cases for testing, development, beta testing and overflow for applications that don’t require compliance,” said Lori MacVittie, technical marketing manager for F5 Networks. “Workflows, data entry that’s not covered by compliance — things covered by best practices. There are plenty of applications that can go in the cloud.”

Applications that work well in the cloud typically have security designed into them from the beginning.

“Web apps have moved very well to the cloud,” said Scott Morrison, chief architect and vice president of engineering at Layer 7 Technologies. “The important thing is that you have to take lessons from good service-oriented architecture and good Web architecture. You have to put security into the architecture. You have to make applications secure; then they can move to the cloud.”

Morrison adds that it’s up to each enterprise to figure out what can be moved to the cloud. “Every application is different, and every application has something that will determine whether it can run in the cloud,” he explained. “You need to do an inventory. The cloud is shared, and you don’t have the physical demarcation between applications. A lot of security comes down to rigorous ideas that systems have physical boundaries. You can’t do that if you don’t own the whole show.”

Private Clouds

One way to balance security with the efficiency of the cloud is to deploy a private cloud. A private cloud is similar to the public cloud, except that it resides behind a corporate firewall to ensure that security and compliance needs are met. The US Department of Defense, said Level 7’s Morrison, uses one of the largest private clouds in the world.

Of course, before you can make a decision on whether to use the public cloud, a private cloud or no cloud at all, you have to know what you have and how it needs to be secured.

“Do people really know what their requirements are?” asked Dan Kusnetzky, vice president of research operations for The 451 Group. “Have they looked at the regulations and the implications on the ground for their data center?”

No matter where your data goes, said Kusnetzky, security can’t be taken for granted.

“Security is not a product that can be purchased,” he said. “It’s a way of life, an implementation of the proper architecture, and the proper selection of tools, programs and procedures. No product that I know of is either secure or insecure. The same is true of the cloud computing environment.”

More to Come

Right now, it’s unlikely that you can move your most critical information to the public cloud. However, that could soon change.

“I think the horse is out of the barn,” said Current Analysis’ DeCarlo. “This is something that’s going to go forward. We’ll see some stumbling. We’ve seen this with Google outages and Amazon. We’ve seen plenty of issues there already. But the concept is so appealing, there’s no reason this won’t take off. But I don’t think every application will be there or mission-critical applications will ever be there.”

Industry experts say providers will have to move quickly to satisfy customers’ pent-up desire for cloud computing options—and security.

“Hospitals are dying to put their data in the cloud,” said Joel Smith, CTO of AppRiver, a provider of systems for cloud computing. “There needs to be some sort of meet-in-the-middle agreement. They’re going to have to have providers who will allow auditors to visit the data center. Or the regulation folks will have to make some subset of rules for specific regulations.”

Kusnetzky suggests that companies will start with small steps toward the cloud. “There will be people who might take some ancillary operations of their systems and try them out,” he said.

Lovejoy thinks that, ultimately, cloud providers that want business from large companies will have no choice but to offer secure, compliant systems: “We’re going to be evolving to the point where cloud providers aren’t going to say, ‘I’m not going to do it.’ They’ll have to do it.”

rash.jpg

Contributing Analyst Wayne Rash can be reached at wayne.rash@ziffdavisenterprise.com.