Cloud Security

Before the Los Angeles City Council gave Google a $7.25 million contract to provide email as an online service for the city's 30,000 employees, it put Google through the wringer over information security.

The Los Angeles Police Department and the city attorney's office were concerned that any confidential information in email messages might be exposed if it were stored in the cloud, meaning on Google's servers instead of the city's own data center. The City Council echoed a concern heard in business boardrooms around the country as they consider cloud computing: Security was one of the leading issues, says Eduardo Hewitt, legislative deputy for City Councilman Tony Cardenas.

To win over the council, Google had to meet a laundry list of special security provisions, including:

Google also is offering minimum damage payments for various mishaps, including a confidentiality breach, faults in the network resulting from the actions of Google or CSC, or the personal injury of a city employee or contractor caused by Google or CSC. The amount of the damages payable in such instances is still being worked out, says Kevin Crawford, LA's assistant general manager of IT.

Why did the city need such measures, some of which exceed enterprise cloud computing deployments? "It was because of the newness of the product for the public sector," says Crawford. Various city agencies and constituents simply weren't convinced of the safety of cloud computing, so they demanded the additional stipulations. But Crawford says the city didn't pay extra for them, and in fact negotiated discounts off Google's list prices. "We're still getting 40 percent off retail," he says.

Jitters over the security of cloud computing, including concerns about its "newness," are by no means limited to the government sector. When InformationWeek Analytics asked 547 business technology pros what worries them about cloud computing, security concerns grabbed the top three spots, far outpacing issues of performance, disaster recovery, or vendor lock-in:

Cloud computing is getting considered because companies and government agencies are keenly interested in the lower licensing and staff support costs that cloud services promise. Faster deployment also works in cloud computing's favor. Yet security plays the foil to cost savings, and for many companies, security concerns end up sinking any move to the cloud.

Gartner Inc. predicts companies will spend about $10 billion this year on two types of cloud computing: infrastructure as a service, where companies buy raw computing power as needed, and software as a service, where they pay a subscription for online access to software, ranging from email to CRM to business intelligence.

While companies can subscribe to an ever-widening array of cloud services, IT departments don't have the same long history that they do with on-premises software, so they aren't as confident of where pain points such as security flaws may be. What new intrusion points are introduced? How can a company be sure that its data sitting in the vendor's data center is safe? When should information be encrypted? In our survey, 57 percent cited "security defects in the technology itself" as a top concern with cloud computing, more than any other concern.

Standards and best practices for cloud security are just emerging. "Security is and always should be a top consideration when companies are examining cloud services," says Steve Cakebread, former president and chief strategy officer at Salesforce.com, who's now on the board of eHealth, an online health insurance reseller, and Solarwinds, a network management vendor.

To understand potential security risks, companies must complete a thorough examination of a cloud service -- beginning with the networking layer, checking out the provider's operations, and working up to the cloud application.

While there isn't the same kind of well established, best-practices security checklist for cloud computing that there is for on-premises IT systems, here's one concept to bank on: It's still the user organization, meaning the IT teams that contract for cloud computing, that will be held responsible for the security of the data and apps they put in the cloud. "In the end, regulators will come after our IT department, not the cloud service provider, if security problems arise with our data," says Ash Patel, global CIO at Aon Consulting, one of three business units within Aon Corp., a $7.4 billion-a-year insurance consulting and service provider.

The first step for companies is determining whether cloud computing can benefit them. One reason companies turn to the cloud is to simplify their operations, letting staff focus more on core activities, similar to the rationale that drives many outsourcing decisions.

Sleek, a company that provides tutorial software to Texas schools to help students pass state-mandated exams, decided about two years ago to move its applications, which were running on about 30 Windows servers, to the cloud computing service of 3tera Inc. , which now runs the applications on four virtual servers. "We were reaching the point where it was becoming difficult for us to manage our servers. Moving it into the cloud solved that problem," says Jody Threet, VP of research and development at Sleek.

Yet cost savings are driving cloud adoption more than anything these days, and the recession has accelerated the choices. Cloud computing trades the capital spending model " up-front investments in hardware, networking, and software licenses " for operating costs that are based on monthly fees.

Booth Newspapers, a Michigan publisher with 1.5 million readers, has been hard hit, like much of the newspaper industry in the economic downturn, and it opted for a software-as-a-service approach to security when layoffs loomed. The chain, with about 500 employees, had to renew its antivirus software at the end of 2008.

"We were in the process of downsizing and needed to cut a few positions from our IT staff," says Ron Klock, director of information systems. Rather than continue having staff maintain the company's antivirus software, Booth opted for a security service from Zscaler Inc. , which provides cloud-based firewall, virus protection, and content filtering. After the change, the media company cut a couple of full-time positions from its 50-person IT staff.

One of the biggest risks of cloud computing is that of the unknown, since many of the providers are relatively young startups or new to offering cloud services.

"Each cloud company is different as to how much they invest in security, based on size and stage of growth, and also on sophistication of the management team," says Cakebread, the board member and former Salesforce executive. Mark Nicolett, research VP at Gartner, says vendors' focus is foremost on their core competencies, such as data backup or delivering a human resources application: "Security is usually the last component added to any new technology, and cloud computing is no exception."

It's notable that the Los Angeles City Council made encrypted email a requirement with Google. One can't assume that encryption is available in all cloud services. Applications like email that are used by both consumers and businesses often won't have encryption. Encryption creates a lot of overhead, and suppliers don't want to degrade application performance or absorb the cost if customers don't put a premium on it.

CIO Patel took a conservative approach in deciding how to secure Aon Consulting's data links and how much data would reside in its service provider's cloud environment when it contracted with Echopass, a contact center supplier that had been helping Aon field customer inquiries for two years. Aon Consulting opted for a private T1 line from Verizon Communications Inc. (NYSE: VZ) from its data center to Echopass's service.

"We didn't feel comfortable sending our information over the Internet," Patel notes. In addition, Aon had Verizon layer encryption on both ends of the connection, so that data is protected as it moves off its site to the Echopass data center. "We feel that our information is secure once it leaves the corporate network and enters the cloud," says Patel.

Businesses should ensure that potential cloud service providers offer, at minimum, the standard security protections they have on their own premises: intrusion detection and prevention software, firewalls, strong user authentication, and content monitoring.

One of the checks Sleek made before moving to 3Tera's service was the strength of the perimeter network around the vendor's data center. "In deploying our application, we wanted to make sure that no one would be able to get direct access to our data," says Sleek's Threet. When users connect to 3Tera's data center, a proxy server processes the requests and forwards them to the back-end servers, thereby restricting visibility into those systems.

From a security perspective, companies need to think of their networks now extending beyond their own physical environments and into the supplier's data center. As companies stitch more cloud services together, that challenge multiplies. A related complication comes from the fact that cloud services have been designed in vacuums, with each vendor securing its own connections but not the others.

While security tops the list of worries, it's also a big selling point for cloud computing, especially for small and midsized businesses that can't afford to have their own top-flight IT security pros on staff. "We don't want to get into the security business and instead want to hand that over to someone else," says Paul Wyatt, chief operating officer at Recurrent Energy, a 45-person solar energy systems startup with $275 million in venture capital, which has placed all of its IT infrastructure in the cloud.

The thinking goes that since cloud providers are in the IT business, they can afford to devote a lot more resources to security. They should be able to monitor for security patches and apply them more efficiently than most enterprises. "The level of security available in the cloud can be better than that available in the traditional data center," says Nils Puhlmann, VP of risk management at Qualys Inc. , an online provider of security software.

The flip side to that argument is that the more data that goes into the cloud " and the more valuable that data " the more appealing it becomes as an attack target. "Cloud computing attracts hackers because so much corporate data is concentrated in one place," says Gartner VP Nicolett.

That's why companies, once they've worked their way through the network security issues of transferring data to and from a cloud provider, need to probe the vendor's data center operations. SAS-70, a set of security controls and business continuity processes from the American Institute of Certified Public Accountants, is fast becoming the closest thing to a benchmark for cloud computing operators.

An InformationWeek Analytics report this year looked at 12 infrastructure-as-a-service providers and found that nine of them had SAS-70 certification. That requires testing and an audit of the company's controls. Cloud provider Rackspace Managed Hosting , for example, provides SAS-70 reports for each customer to show how their data is secured and backed up, says Adrian Otto, cloud developer at Rackspace.

Companies should also ask if cloud vendors undergo security assessments by third parties or internal security teams. Most do, though our research found that only five of 12 made those assessments available to potential customers.

Once convinced of a cloud provider's security, companies must determine how comfortable they feel putting data and applications in the cloud. Most move slowly, often starting with one type of application " Salesforce's CRM service, for example " or one type of activity, such as development and testing.

Only a brave few dive in as completely as Recurrent Energy, which finances, builds, and operates solar energy distribution systems. "We don't have a data center now and hope we can keep it that way as our business grows," says COO Wyatt. "We don't think that maintaining hardware, database management systems, networks, application software, or identify management security benefits our business, so we prefer that someone else do that work for us."

Besides the operating efficiency, Wyatt believes the cloud helps in collaboration with business partners. That's where authentication systems play a key role. "We need to provide our financial partners with information about their projects but don't want them looking at any of our proprietary data or possibly information from competitors," says Wyatt.

Recurrent uses SpringCM Inc. 's content management in the cloud service to meet that goal. The service stores a variety of business documents related to the building of energy distribution systems, from building blueprints to local, state, and federal construction regulations. The documents have to be stored for varying lengths " from a few months to decades " and have varying degrees of confidentiality. Sometimes, an employee needs to access one document held in a folder with a variety of other material. SpringCM provides the individual with access to that item but nothing else in the folder.

Cloud computing appeals to startups, even well funded ones such as Recurrent, for a list of reasons: They don't have legacy, on-premises applications; they would rather not invest capital in equipment; and they don't have the economies of scale that larger companies can get from running their own data centers.

Cloud computing's been a tougher sell for large enterprises " though that attitude is changing fast, as the recession is making some of the downsides of cloud computing seem more palatable. Cloud operating standards will help ease concerns as well, since they allow for more predictable integration, more auditable security processes, and more confidence that companies could move their data elsewhere if a cloud contract goes south. Work on such standards, however, is just beginning. (See next page: Cloud Standards Are a Work in Progress.)

In terms of security, large enterprises are generally more comfortable with their own security personnel and policies than they are handing data to a service provider. Rackspace's Otto likens it to a time when "individuals felt more comfortable putting their money under the pillow than handing it over to a bank."

Gartner's Nicolett predicts that companies in industries such as healthcare and pharmaceuticals, which tend to handle a lot of personal information, will be slow to adopt cloud computing. Yet even there, companies are breaking the mold. Eli Lilly is an early adopter of Amazon Web Services LLC 's cloud services for pharma research. IBM Corp. (NYSE: IBM) offers on-demand, high-performance computing aimed at industries such as aerospace, automotive, and life sciences.

Some share the view of Aon Consulting's Patel, who keeps records related to its client work and employees on site, not in the cloud. "We are not yet convinced that the service providers' procedures for dealing with items, such as disposing of outdated customer information, are as robust as they need to be," Patel says.

Vendors acknowledge the fear. "A lack of trust about cloud service security is evident in some large companies," says Otto. Paul Simmonds, an IT pro who's a member of the Jericho Forum , a group led by IT security professionals that's working on cloud security standards, says it will be two to three years before cloud services are "robust enough" that large companies will consider using them on a widespread basis.

They're already on their way. Over one quarter of companies are using or planning to use cloud services, and another quarter are considering them, according to the InformationWeek Analytics survey:

That means IT and business leaders are gaining experience with cloud models and learning where the real security risks lie. Cloud vendors, meanwhile, are developing best practices and standards for security and interoperability. Security fears are the biggest drag on cloud computing today, but the benefits look big enough to outweigh the concerns.

There's general agreement that standards are needed for cloud computing " so much agreement, in fact, that at least eight different groups have stepped up and are trying to fill the void.

As the range of groups involved suggests, the work has just begun, including on standards related to security. "It will be about two years before a comprehensive set of standards for cloud computing will be available," predicts Qualys's Puhlmann.

One challenge is that companies just don't have a long-enough history with cloud computing to create firm standards, or they work with only one or two cloud vendors so it's difficult to generalize from their experiences. "A lot of work still has to be done before the industry understands where the security holes will come from with cloud computing," says Paul Simmonds of the Jericho Forum.

AREAS OF EMPHASIS
Jericho Forum and Cloud Security Alliance cite 14 areas that need standards:

In May, the Jericho Forum said it would work with the vendor-led Cloud Security Alliance , to promote best security practices for the cloud. Jericho Forum members include AstraZeneca, Boeing, BP, Eli Lilly, and KLM, as well as IT vendors such as IBM, Qualys, Hewlett-Packard Co. (NYSE: HPQ), Motorola Inc. (NYSE: MOT), and Symantec Corp. (Nasdaq: SYMC).

The two groups are driving development of standards in a wide range of areas including audit, applications, cryptography, governance, network security, risk management, storage, and virtualization.

There are at least six other groups working on cloud computing standards: the Open Cloud Manifesto, the Cloud Computing Interoperability Forum, CloudCamp, the Cloud Computing Use Cases Group, the Distributed Management Task Force, and the Object Management Group.

At the Jericho Forum and Cloud Security Alliance, step one is identifying the differences between on-premises security and cloud security, and examining what existing standards mesh with cloud operations.

Eventually, they expect to drive standards that let companies securely integrate different vendors' cloud computing services and be assured that their information is safe in the cloud. Says Puhlmann, "If we find existing standards that work for cloud security, we will use them."