Cloud Security: No Guarantees

The decision to shift storage and compute resources to the cloud is about more than the bottom line, and it's almost never a slam dunk, but it can pay big dividends, according to a new InformationWeek report, Fundamentals: Cloud vs. In-House IT: Spend Smart in 2012. According to eBay, if it could increase its data center utilization rate while using cloud services to handle spikes, a cloud provider could charge as much as four times the internal computation unit rate and eBay would still save money.

However, when adopting a cloud service--whether it's software as a service or platform as a service--enterprise IT organizations frequently make the assumption that the provider's security will be an improvement over the security of their own on-premise systems. Verifying that this is true, however, is tricky, and, in the end, there are no guarantees.

Vendors are able to provide their track record of outages and resolution times to potential and existing customers, and many outages make it into the headlines, but service providers have other ways to prove how solid their security is. Trust and verification come, in part, through a personal relationship between the customer and the provider, says Carl Brooks, analyst of infrastructure and cloud computing at Tier1 Research. "It's a truism that Amazon and Google would have you believe that their security is better than what you can do, and to some extent that's true because they have a lot more to lose and a lot more to protect on their cloud infrastructures than a single organization would," he says.

Track records mostly provide only a perception of the security that cloud providers offer, he adds. Outages like the one Amazon experienced in April 2011 called the reliability and security of Amazon Web Services into question, but Brooks notes that Amazon's uptime is generally better than what enterprise IT organizations are typically able to provide (99.95% uptime versus 85% uptime).

The biggest providers, such as Amazon and Google, have teams dedicated to security, whereas an individual organization may have only one dedicated security professional. Demonstrable proof of security comes in the track record, but also in security audit certificates, Brooks says. The previous industry standard was a SAS 70 Type 2 audit, which is conducted by a security auditor and details the security controls in place and whether they are operating effectively. The new industry standard for security auditing is SSAE 16, which replaces SAS 70 for reporting on an organization's security controls.

Auditing services are on the rise in the cloud realm, says Zeus Kerravala, principal analyst at ZK Research, and it's likely to be a growing trend. "All cloud providers will tout their own strengths [obviously], so independent services used to measure them would be beneficial to buyers. Also, I think we'll see more use of virtual security appliances that enterprises can self-deploy into cloud environments," he says.
