Poll after poll shows that security remains a major concern for enterprises moving to the cloud. Despite all that concern, companies appear to be increasingly adopting infrastructure as a service without paying much attention to IaaS security.
According to analysts at TechNavio, the global IaaS market is expected to grow at a compound annual rate of about 45% between 2012 and 2016. In May, the Ponemon Institute and CA Technologies released a survey that indicated many organizations have not been practicing due diligence when it comes to selecting cloud providers. The survey, which fielded responses from 748 IT professionals, found that only 49% of organizations evaluated security before deploying IaaS in 2012.
Security experts cited a number of security issues to consider and security best practices to follow when signing a contract with an IaaS provider.
"The security requirements for using Infrastructure as-a-Service are essentially the same as they would be for using your own data center," Dave Cullinane, chairman of the Cloud Security Alliance board, told Network Computing.
"You should evaluate (classify) the data you will be processing in that environment," he says. "How sensitive is it? Does it have value as intellectual property? Will you be processing transactions? Is it subject to regulations such as the Payment Card Industry Data Security Standard? Are there privacy restrictions that apply--for example, HIPAA or Safe Harbor?"
After considering the data, organizations should define the security controls that are appropriate to protect that information and assure that the cloud service provider they are using has those controls and that they are effective, says Cullinane. This includes both logical and physical access controls, he adds. In addition, organizations should consider what rights they have under their contract with the cloud service provider, and whether they have the right to audit.
"If you have compliance requirements--for example, PCI-DSS--who is responsible for annual testing and recertification?" he says. "Who is responsible for business continuity planning, and what are your options? What do you need to include in contract language specific to security and BCP? What language do you want to have in your service level agreements with the CSP?"
Steve Weis, CTO of security startup PrivateCore, says enterprises often use encryption when moving data or storing data in IaaS environments, but data is in the clear when being processed.
"Enterprises should look to protect their sensitive data wherever it might be--in motion, at rest or in use," he says. "To maintain the optimal security posture, the enterprise should also hold the encryption keys. If there is a lawful or unlawful external attempt to access information in the cloud, the enterprise holding the encryption key would be aware of it."
[Find out how to avoid cost overruns with IaaS services in "5 Ways To Avoid Costly Cloud Surprises."]
Organizations pursuing IaaS should understand they will be responsible for most of the security decisions for their implementation, says Scott Hazdra, principal security consultant at security and risk management consulting firm Neohapsis. Still, the cloud provider will be responsible for areas such as network infrastructure and hypervisor security, as well as overall cloud availability, encryption and key management of data on its storage systems.
"As a customer, you should review all the available documentation provided for these areas and ask questions when you can't find enough detail," says Hazdra, who is a with the firm.
"If the cloud provider's answers to some questions are uncertain or evasive, it's likely they don't have strong controls in that particular area," he adds. "This alone may not prevent you from choosing their service, but it will indicate to you that you that there are additional risks."