June 10, 2010

Get off my cloud

It seems that while some CIOs might be intrigued by the concept
of public cloud computing, most are not on cloud nine about it…

BY VINCE LEE

Cloud computing is no longer a ‘pie in the sky’ idea. More enterprises in mature markets such as Australia are bringing cloud computing down to earth to enjoy a cost-saving and flexible IT infrastructure, but when I ask CIOs what is keeping them from deploying public cloud services more readily, the answer is predictable and mostly universal: security.

This is not a unique concern amongst CIOs. In fact, a study conducted by Gartner indicates that three out of the top five barriers for cloud adoption are related to data security. This is easily understood, as having sensitive data and critical applications that reside not only outside the country, but also in data centres that are beyond the CIO’s control and management, could escalate to numerous problems: security breaches, data loss, and data leakage. The list goes on.

At the same time, the benefits of public cloud service are also numerous. The flexible cost structure, low upfront investment cost and short deployment period are just a few of them. But these benefits cannot be recognised without enterprises trusting the cloud service providers to put certain business data or processes in the cloud.

Achieving security in a private cloud environment is about striking a balance between trust and control. Building trust with public cloud services providers and maintaining certain control of security policies will allow enterprises to enjoy the full benefit of public cloud services with peace of mind.

Getting there is not solely the CIO’s responsibility. More public cloud services providers also need to actively engage with their customers to bring security control and management back to the enterprise. At SafeNet, we believe this will happen through three stages of development of trust and technology investment. In Australia, the public cloud services market is still relatively in its infancy, thus trust levels between enterprises and providers will grow over time once the approach has been proven.

Currently, most enterprises are still at initial stages of deployment. They are likely to put only non-sensitive data that does not involve personally identifiable information in the cloud, meaning that good security practices and service level agreements (SLAs) are the focus at this stage.

It’s all about partnership

Similar to choosing an outsourcing partner, enterprises should look into building partnerships as well as contract details. SLAs should provide not only availability levels, but also clear language on how data is being handled and encrypted. To minimise the risk associated with the new versions of an application, the contract can also request prior notice and approval before pushing out upgrades and new versions, to avoid clashes with other applications and potential data loss.

Enterprises can also request to visit the data centres and understand the security settings before subscribing. In the event of a security breach, the contract should also clearly indicate who is responsible for specific aspects of the investigation. These are good practices for enterprises to gain trust and, in the long term, build relationships with their public cloud providers.

Though on a technical level, the enterprise’s IT department’s ability to maintain control over what happens within public cloud services offerings will be limited, there is still a lot CIOs can do. At the users’ access level, multi-factor authentication can be introduced. Through working with the public cloud service providers, enterprises can introduce additional control over users’ access to the cloud-based resources and administrator’s authorisation to make configuration changes.

At the data level, enterprises can also encrypt data before placing it in the cloud. Enterprises can also secure and control the end point devices before allowing them to connect to the cloud.

As stronger relationships are built, we believe enterprises will demonstrate more trust in, and require less control over, security in the cloud. In this second stage of trust-level transition, enterprises will protect data in the cloud by slowly migrating their own security mechanisms to the cloud. More public cloud service vendors will offer access to virtual security appliances that allow enterprises to manage encryption requirements and security policy in the cloud, while retaining full control over the security ownership.

Such access is likely to be offered as a value-added service on top of the cloud vendors’ standard offerings. In fact, some SaaS vendors are already offering similar enhanced security services. These security offerings will be critical for providers to expand their addressable market and differentiate themselves from other providers.

When the public cloud services market matures, the trust level is expected to reach its apex. Enterprises will specify security policies and have confidence in the cloud providers’ infrastructure to execute them. Here the enterprise, as the information owner, will still hold control over setting the security policies, owning the core key materials, credentials, identities and other elements.

At the same time, public cloud providers will have sophisticated security infrastructure in place to meet the client’s security objectives, including robust encryption, secure key management, granular access controls and more. Thus enterprises have the final say in how security is handled. Though it may take some time for this to happen, both enterprises and providers should be moving in this direction.

Vince Lee is the regional sales manager for Australia and New Zealand with information security firm SafeNet.

Written by: Charis
