Plan ahead for your security needs in the cloud
A variety of tools can help identify security considerations for agencies looking to move to the cloud
Who is responsible for security in the cloud? It depends on whom you’re asking, according to Ponemon Institute's Security of Cloud Computing Providers Study.
The April 2011 report found that 69 percent of the 127 cloud providers surveyed said that cloud users are the ones responsible for security. A mere 16 percent said security should be a shared responsibility. With data like that, it’s no wonder that CIOs and IT executives wonder if their data and applications are safe in the cloud. The good news is cloud computing really is safer than most people think as long as the right controls are put into place. Most security problems are because of a lack of education, experts say.
“I don’t think the market as a whole does a good job at communicating the fact that there are standards and policies in place that help secure the cloud,” said Dennis Hurst, founding member of the Cloud Security Alliance (CSA), a nonprofit organization dedicated to cloud security. “Security really depends on the cloud provider and the nature of the business you’re going to conduct in the cloud. In reality, there are cloud services out there that are far safer [to use] than someone’s own IT infrastructure.”
Geoff Weber, a principal at KPMG’s federal practice, agreed. “There are plenty of examples of data and security breaches within state and federal enterprises that are not operating in the cloud,” he said.
Go by the book
Before assessing a single provider, IT executives should decide exactly what requirements their organizations have when it comes to security, compliance and governance. Everything from how a cloud provider handles disaster recovery to application security and segmentation on a shared server should be discussed. Ownership of data should also be part of any security discussion. Organizations should own their data and have an easy way to pull it out of the cloud if they decide to swap vendors. Another big concern, Weber said, relates to data privacy and multitenancy. “You need to know what happens if there’s a breach,” he said.
The safest cloud implementations – public or private – use industry standards and matrices that are designed to thwart potential problems and create secure connections. Firewalls, public key infrastructure, virtual private networks and multifactor authentication should be in force from a technology standpoint, and there should be soft controls in place so employees and users have the appropriate access and rights.
In addition, because the choice of vendor can mean the difference between success and failure, it’s important to use the right assessment tools to make sure you’re choosing the right cloud provider. For example, in December 2010, the Cloud Security Alliance released Revision 1.1 of its Cloud Controls Matrix (CCM) as part of the CSA's governance, risk assessment and compliance goals. The CCM is “specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider,” according to CSA. IT executives can use the matrix as part of an overall assessment strategy, Hurst said.
Another good source is the National Institute of Standards and Technology, which has a cloud computing working group in its Computing Security Division. NIST’s role in cloud computing, according to the organization, is to promote the “effective and secure use of the technology within government and industry by providing technical guidance and promoting standards.”
In February, the organization released a set of guidelines for managing cloud security and privacy issues. The guidelines contain tips and strategies for those working in the cloud or moving toward it. There’s also a NIST Cloud Computing Collaboration website with links to NIST Cloud Computing working groups and events, reference architecture and taxonomy, business use cases, and a standards road map. The Federal Risk and Authorization Management Program is another tool in the arsenal to help organizations assess and authorize cloud computing services and products.
It’s this type of collaboration and effort that’s going to help dispel the myth that cloud computing is too dangerous for organizations that have high security requirements, Hurst said.
“There’s a common belief that cloud computing is somehow inherently insecure,” Hurst said. “However, if people will make themselves aware of the standards and working groups and methodology that’s out there for them to use, they can leverage the business value of the cloud today as opposed to waiting until they perceive it to be more secure. Successful – and secure – cloud computing implementations are attainable today.”