• 11/24/2014
    8:00 AM

Is Cloud Security Actually Achievable?

There's no denying the growth of cloud services, but security is still their biggest hurdle.

Over the past year, the issue of cloud services and network security has received an enormous amount of media coverage, and rightfully so. Data breaches can have a devastating impact, not only on a company's bottom line, but also in terms of customer retention and brand loyalty. In fact, according to a recent survey by SafeNet, 65% of adult consumers are unlikely to do business again with a company after a financial data breach.

At the same time, leading cloud services providers -- like Microsoft, Cisco, and HP -- continue to expand their portfolios and market share of cloud-based offerings. Then again, earlier this year, a survey of CIOs and senior-level IT personnel noted that more than 70% of them cited security concerns as the biggest deployment hurdle for cloud-based services.

The fact of the matter is: Unless a network is completely isolated, it has potential security challenges. Perhaps the most fundamental question is whether cloud services are inherently less secure than on-premises networks or applications. So it's worth taking a closer look at what some of the top-level concerns are, and whether they are justified.

Lack of control/shared resources
Many organizations are simply not yet comfortable with turning over control of certain aspects of their hardware/software, along with sensitive customer information, to a third-party platform. Oftentimes this is rooted in concerns around process controls. For example, do issues get resolved with the same sense of urgency as they would in-house? Or, do I have the same ability to control who's managing my datacenter?

These questions go hand-in-hand with reservations about shared infrastructure and equipment. Most cloud services are structured in a multi-tenant environment. That can cause concern around partitioning and data control, and about the risk of an unauthorized person inadvertently or maliciously gaining access to private data.

Trust and security
When your IT systems are in-house, under strict regulations and protection, there is an obvious sense of security. Decision-makers know that their IT staff has been vetted and can be trusted when dealing with highly sensitive customer data. When it comes to the cloud, however, there isn't the same level of transparency. Someone completely unknown is now managing your datacenter.

Naturally, this raises concerns around ethical standards and security control procedures on the part of the cloud provider. Therefore it's more important than ever for organizations to do their homework when migrating to the cloud. If a service can't satisfy basic security expectations, not to mention the more stringent requirements (such as HIPAA and PCI DSS), then obviously it can't even be considered.

As discussed above, when it comes to cloud security, most organizations need to concentrate on three key areas of concern:

  1. Is my data safe?
  2. Is my data safe from other tenants?
  3. Is my data safe from the cloud provider itself?

In my next post, we'll take a look at how and when cloud-based services can actually be more secure than on-premises deployment, while eliminating costs and complexity. 


cloud security

Certainly, vetting a cloud provider's security before signing a contract is an obvious first step. I think in the past the problem has been a lack of transparency into security controls, but CSPs -- especially the major ones -- have come a long way on that front. 

Re: cloud security

The problem for the customer here is that not many will have the time or even know-how for looking into a cloud service provider's security record even if they are transparent to a certain extent. It's a difficult call for small business owners, who often have to take a chance in the end.

Re: cloud security

You're right David, it takes a lot of resources to do the vetting, which small organizations don't generally have. Perhaps looking at the Cloud Security Alliance's STAR registry can help, which provides insight into participating cloud providers' security. 

Re: cloud security

Actually @MarciaNWC that is quite a useful tool for service providers to use, but the end user is always going to be sceptical of a trade body. Something that offers similar information, but is more independent, would be accepted by the consumer. The problem is where will the financing come from? It's Catch 22!

Re: cloud security

Good point David, and I think your skepticism is warranted. A more independent body would be much more helpful, but like you say, resources are lacking. Government regulation like Pablo described as happening in the EU is highly unlikely in the US.

Re: cloud security

I believe that, in the next few years, we'll see a lot of tools to test basic security on the cloud and pinpoint your data on specific servers.

It is interesting that cloud computing is one of the main things discussed in the upcoming revision of the EU privacy directive. Things such as encryption, retention and location are being regulated.

Security is critical for everyone, but especially for heavily regulated industries such as banking and healthcare, who can't afford any data breach or losing information.

Re: cloud security

I hope so @PabloValerio as this would be a good boost for the industry, as both providers and consumers of these services will benefit from this knowledge.

Re: Is Cloud Security Actually Achievable?

Some may say it's weird that we're still struggling with this question so late into the cloud game, but the truth is that there are some key concerns at the center of the matter, which you've highlighted here. Any way you slice it the simple act of migrating creates a complex web of smaller and ancillary issues that are going to vary based largely on your industry. You mention HIPAA and similar kinds of compliance - for someone with no such concerns, they may well be wondering why others are still asking about cloud security. For the rest of us, well, maybe it's not so weird that we're still asking this question.

I've come around to the argument that your data is no less safe, in general, with a cloud provider than it is in your own data center. It's not more vulnerable to outages and disasters (it may in fact be less so), random or brute-force attacks that aren't necessarily targeted, and as exciting as it sounds to talk about it, I don't think 'inside jobs' are really all that likely (at least, not much more so than at your own company). The weight, in my mind, is definitely on the 'in-between' issues. Not in the increased likelihood of an attack, but in who's responsible if there is one. Not in the additional damage caused by an attack on your CSP, but in the additional fallout trying to explain to your customers (or to regulatory bodies) when you don't have all the info or all the answers. In the end, this is what decides whether those "cost savings" are actually net positives for you.

Re: Is Cloud Security Actually Achievable?

@zerox, I think you bring up a really key point: determining who is responsible in the event of an attack/security breach. I've heard experts say that organizations need to have an incident response plan figured out before signing on with a cloud provider.

Re: Is Cloud Security Actually Achievable?

I guess cloud security has been a concern since the birth of the cloud, although we have seen people start using cloud storage as one of the options to reside their data. Moreover, now even companies (including mine) recommend saving data in the cloud until it's confidential and needs permission of authorities. I take it as cloud promotion and education; my company offers all employees the option to save their personal data on the cloud.

Re: Is Cloud Security Actually Achievable?

Hi everyone,

@Neil, thanks for bringing up this actual topic about security. Great article, very clear and precise.

I think, for the problem of security in the cloud, each company must take care with their provider. Analyse the solutions and, depending on the critical level of the applications they want to export into the cloud, make a good choice. Actually we have some big cloud providers which work hard to improve the security features. Cloud providers do their best in terms of security, and there what could challenge them is the level of security of their competitors. So, enterprise cloud deciders have a big responsibility :)

Right, waiting for the next article about this point!


Benefits of Cloud Computing

As much as we want data security to be the prime concern of companies when choosing cloud services, the fact of the matter is that some businesses have something else in mind. Going the way of the cloud means huge savings, since there would be lesser need for massive equipment and personnel. It appears then to be convenient and cost effective. Here is the dangerous part, when companies place these benefits first before data security.

Re: Benefits of Cloud Computing

In terms of cloud, I want control and security to be differentiated here. Although they are closely related, security is still something which I find achievable; whether it is cloud or in-house DC, the threats for them are the same and of equal chance.