“Too much hand-wringing over security will kill innovation.” – CIO, Software Company
In Part I of “Do You Need a Cloud Strategy?” I described three inter-related steps that you need to think through to develop a business-focused enterprise cloud strategy, and in Part II I discussed how to plan and implement your cloud computing strategy and roadmap through the lens of Enterprise Architecture (EA) and Service-Oriented Architecture (SOA). In this post, I discuss how to think about the “sacred cow” issues of security, privacy, and governance as you lay out your cloud strategy.
Our research study, “Leaders in the Cloud,” found a broad range of attitudes about security, privacy, and governance. Every respondent viewed these issues through the lens of their business goals and rewards, their perceived or real risks and their tolerance for them, the value and sensitivity of their information assets and data, and their regulatory obligations. Like any new technology, cloud computing creates new risks along with new opportunities. Security, privacy, and governance are major concerns for nearly every company, and our survey clearly shows that these concerns are the top barriers to adoption.
In fact, many large enterprises and government organizations are loath to move any sensitive data or mission-critical applications to the public cloud, and for the same reasons they are actively pursuing private clouds. (These concerns were less of a barrier for SMB companies, where we found that cost savings tipped the balance toward faster adoption.)
Security concerns vary greatly by company, and especially by company size. Our survey of IT executives found that large enterprises were more concerned about data privacy, security, and governance than smaller companies (see figure below). Most small and midsize business (SMB) IT leaders were emphatic that a cloud vendor’s security processes were superior to any their own company could provide: small-company cost structures do not allow them to build in-house infrastructure as secure as that of the leading cloud vendors.
In this post, I focus on the business impact of these issues and on how they differ between the large-enterprise and SMB segments. For more technical detail on how to approach cloud computing security and privacy, we strongly recommend that you download a copy of Security Guidance for Critical Areas of Focus in Cloud Computing by the Cloud Security Alliance, a nonprofit organization formed to promote best practices in cloud computing security assurance. Their recommendations about the top threats to cloud computing will help you make educated risk management decisions as you develop your cloud computing strategy.
All of our interviewees remain vigilant about security—either in-house or with a vendor. One CIO said, “We have been using SaaS applications for more than nine years, and we haven’t had a security breach so far. At the end of the day, we are very vigilant about security, including strong passwords and frequent password updates, and we audit usage patterns of our users to monitor for any untoward behavior.”
How Important and Useful Is Vendor Certification to Customers?
Many large enterprises look for vendors with a SAS 70 audit report. For them it is a check mark in the procurement process: without it they will not do business with you, and almost every cloud vendor worth its salt is obtaining a SAS 70 Type I or Type II report. (Strictly speaking, SAS 70 is an auditing standard rather than a certification: a Type I report describes the vendor’s controls at a point in time, while a Type II report also tests whether those controls operated effectively over a period of time. It has since been superseded by SSAE 16 and the SOC 1/SOC 2 reports, of which SOC 2 is the one that addresses security, availability, and confidentiality controls.) For many SMB companies, by contrast, formal audit reports are not required; instead, a thorough check of capabilities is part of their vendor evaluation, to establish a “comfort level” with each one. “We don’t require our vendors to be SAS 70-compliant, but I have a security guy who is familiar with cloud operations who performs the due diligence when we look at vendors. SAS 70 is a positive thing because it gives you some level of comfort. But by itself, it is not the ‘be-all, end-all.’ If a vendor doesn’t have it, it’s not a deal killer,” said one SMB CIO.
Said one software company executive: “A few of our larger customers have asked for SAS 70, either Type I or Type II. That’s an expensive process, and we have not completed it and we have not seen a material impact on our revenues because we don’t have it.”
My view is that eventually every cloud vendor needs to be audited or certified in order for customers to gain confidence and for the adoption of cloud technology to really take off. Think about the comparison with people depositing their money and valuables in a bank. Today, people don’t worry about putting their money in a bank because it is safer there and they are confident they will get it back, since the government stands behind the banks with safeguards such as FDIC insurance and other protections.
In the heat of today’s highly competitive and evolving market, cloud vendors could fail. What would happen to a customer’s data in that case? Would the data be returned or would it be lost forever? Perhaps this could be the real barrier to cloud adoption until the market stabilizes.
Even if a vendor has an audit report or certification, I think the most important question to ask is whether it covers your specific security requirements. A SAS 70 report attests only to the control objectives the vendor chose to have audited, so read the scope, the control descriptions, and any exceptions the auditor noted rather than stopping at the cover page.
“You should really ask for a security review,” says Scott Matsumoto, Principal Consultant at Cigital, Inc., a leading software security and quality consulting firm, “especially if you are a big company dealing with a smaller company and the risk to you is greater than the risk to them in case of a security breach.” On the other hand, if you are an SMB, your risk is much lower if you are dealing with a well-established large cloud vendor such as Salesforce, Amazon, or Microsoft, which is betting its business on its cloud services.
“I firmly believe that my data is safer in [the cloud vendor's] hands than it is in mine,” explained one SMB CIO. The resources and technical skills needed to secure a system today are significant. “You see [one PaaS vendor] investing $100 million dollars a year in security and in development and infrastructure. I can’t begin to compete with that.” These executives believe that cloud vendors have much at stake and have specialized skills to make the cloud as secure as an on-premise system. Said one CIO: “When I look at [the cloud] as a business, I say, ‘Wow! Now I’ve got somebody else that can manage the business application for me, and that somebody else is responsible to make sure that the business application works because now not only our business but their business depends on it.’”
By comparison, large enterprises and government organizations with valuable assets and sensitive information invest far more in sophisticated internal security mechanisms, and those systems come at a very high cost. Cloud vendors, on the other hand, can combine their economies of scale with the scrutiny they receive from many customers to provide better security at lower cost. Some of the well-established, larger cloud vendors have built very strong security controls, yet several large-company CIOs remain extremely cautious about which applications and data can really move into the cloud.
Despite all of the improvement in cloud security over the past several years, for customers it always boils down to an offering-by-offering question. Customers do a thorough assessment on their own or hire third-party experts to help them in the process. “These days everyone in your IT department is stretched too thin and does not have the time or the expertise to really look at cloud security as deeply as they should,” says Matsumoto. “With a third-party expert security assessment, you will get a better security view of what this cloud technology platform is like and you will have a basis from which your internal security staff can work in terms of implementing the security mechanisms to meet your needs.”
The Need for Compliance and Laws to Catch Up to the Cloud World
Compliance standards such as PCI DSS and HIPAA have not evolved beyond physical hardware; they assume that you can see and touch the assets in your own data center. The current language, or its interpretation, is written around inspecting physical assets in a traditional environment. How does that translate to the virtual assets of the cloud? The whole point of the cloud is that these virtualized (or abstracted) assets are dynamic and mobile, and you cannot put a finger on where they are physically located at any given time. So we need to get to logical audit requirements rather than requirements that come down to identifying a specific physical server or disk drive. Matsumoto points to the folks over at cloudaudit.com, who are doing good work in this area.
If you sign up with a cloud provider to store and protect your data, you technically may get a level of privacy you are comfortable with. However, you still need a legal framework to protect your private data in the cloud, and in any other Internet service, so that law enforcement cannot use those third parties as a back door into your private space. Today, these legal frameworks are still evolving and regulations in general are anachronistic. And as cloud services become more international and pervasive, the fact that your data can live anywhere in the world (subject to different laws and regulations as it crosses national boundaries) is going to be one big, knotty problem that will take several years to resolve.
Many enterprises want the security of knowing that their data is “nearby.” In Europe and some other regions, furthermore, data protection law restricts moving personal data out of the region, and some countries impose stricter national rules on top of that. Companies operating in Europe must therefore work with vendors under arrangements such as safe-harbor agreements, so that they can be assured their data is stored only in countries with adequate protections.
Some cloud vendors are addressing this with cloud solutions that give customers location and hosting flexibility: “Flexibility of deployment and control of where your data and application reside is where we differ from other vendors,” said one cloud vendor executive. “You can have the software hosted in your own datacenter, or hosted by a third party or by a partner. We provide full flexibility as to where you deploy.”
Quotable Quotes on Cloud Computing Security
I have spent countless hours in conversations with leading-edge enterprise CIOs and vendors who have shared in confidence a variety of perspectives on their cloud experience. Here is a selection of the choicest unedited quotes from these leaders on security in the cloud computing market. The individuals and company names are confidential.
On security challenges associated with integration:
“People think that the cloud introduces new kinds of vulnerabilities, but the potential for standardizing system designs around fewer and fewer variations in the implementations helps us focus on securing those. Most of the security problems we have today aren’t vulnerabilities we have in a particular product but in the way the products are put together. The biggest security holes are flaws in design and configuration. So moving towards standardization in security can help us plug some of those holes. The same thing applies for standardization in security controls such as authorization and authentication; we don’t have to worry about badly implemented security controls.” – CTO, government agency
On the need for certifications:
“Security capabilities around single sign on and identity management services are beginning to appear. Some of those can be solved by the customer. But when it gets down to infrastructure side, I have critical data sitting on my servers, and I need to know what the vendor is doing in terms of disk drives and making sure my data is not being mishandled. I want to see certifications like SAS 70. But I think it will be some time before vendors focus on that because it involves additional cost and I don’t know if customers are ready to switch their thinking and start sending critical data to the external cloud anyway. The momentum from vendors is just not there to provide the level of service that customers would feel comfortable with their sensitive data.” – CIO, media company
On security vulnerabilities in the public cloud:
“You have to be so careful of vulnerabilities in the external cloud. If anybody penetrates the external cloud, they are going to come straight in. They’ll bypass all the traditional things we put in as defenses—external DMZ, internal DMZ, firewalls in between those pieces, monitoring, alarming, segregation— it all goes out the window. If you extend your corporate network and you don’t quite have control of the end site and you are compromised there, the attack vector comes right back into the heart of the organization.” – CIO, Fortune 500 financial services company
On opportunities for security vendors:
“Security devices (IPS, IDS, and Unified Threat devices) are extremely expensive. There is a big opportunity for vendors providing those security services in a cloud with time-bound SLAs and performance.” – Security director, government agency
Parts of this article are based on discussions with Scott Matsumoto, Principal Consultant at Cigital, Inc. Thanks to him for talking with us and sharing valuable insights on security in the cloud.
Kamesh Pemmaraju heads cloud research at Sand Hill Group and helps companies—enterprises and technology vendors—accelerate their transition to the cloud. Follow him on Twitter @kpemmaraju.