How To Know What To Safely Send To The Cloud

Online services have come under increasing attack -- how can enterprises ensure that their cloud service is secure and available?
The dark side of the cloud's silver lining has become apparent during the past few months. With the Amazon outage, the breach of marketing service provider Epsilon, and the attack on Sony's PlayStation Network, companies have significant fodder for concerns over the security of the cloud.

Cloud providers need to find answers to allay these concerns. These services can be as secure as keeping data in the traditional enterprise network is, but the services are not there quite yet, says Chris Whitener, chief security strategist for Hewlett-Packard. "When we talk to customers, the first impediment to adopting cloud is worries over security," he says.

Companies need to realize that cloud providers tend to have infrastructure that mirrors the DNA of the source of their computing power, Whitener says. For example, Amazon's cloud services are based on its experiences providing an available retail experience. A cloud based on a bank's excess capacity, meanwhile, might have more security built into it.

Information security teams should spend their time formulating policies that incorporate the provider's strengths and weaknesses that come from its specific DNA, Whitener says. If companies figure out what business risks they have by putting their data in the cloud and then create policies on how to handle that risk, they will be much better prepared, Whitener says.

"Look for vendors that can accommodate those policies and route your more secure requests to those facilities that have security and have logging and have reporting and have encryption and all the DNA that you would have in your enterprise," Whitener says. "There are clouds like that."

Too often companies do not consider the consequences of losing their data to theft or access to the data because of problems with availability. There is not enough due diligence done, says Josh Corman, research director of The 451 Group.

"It's like if you had a date tonight, would you let a random stranger watch your kids?" he says. "No. There is a whole bunch of questions you would ask."

The top question is, what data should be put in the cloud? To answer that, a company should be more concerned about the impact of the data on its business, says Andrew Hillier, chief technology officer with data center analytics firm CiRBA.

"Modeling whether your data is low-impact, medium-impact, or high-impact on your business answers the question of whether you move it to the cloud," Hillier says.

One shortcoming of current cloud offerings is that customers don't have much negotiation room or ability to modify the security of high-level services, says Jay Heiser, research vice president for Gartner. Larger companies tend to have more negotiating power, but they also are less likely to put the corporate jewels into a cloud service.

"If an organization doesn't know how secure they are, then it's likely that they can buy something that's more secure than what they've got," Heiser says. "Global financial service firms are in a better position to know how secure their infrastructure is than to know how secure their SaaS vendor is. A small mom-and-pop shop is not."

A final consideration: If online attackers are targeting clouds because they aggregate so many attractive targets, then putting your data in the same basket might actually put it at higher risk, Heiser says.

"It is a huge single point of failure," Heiser says. "Any individual company has to look at it as what's the risk to my organization, but attacks, such as the Epsilon thing, suggest that there is a higher systemic risk to putting a huge, huge basket of golden eggs out on the Internet."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading