Daniel Flax, CIO at New York-based investment banking and financial services firm Cowen and Co., relies on cloud computing to automate his company's sales activities. While he's satisfied with cloud technology's potential to lower upfront costs, decrease downtime and support additional services, he admits that he has had to work hard to get a handle on the emerging technology's security weaknesses. "Security is one of the things we've had to come to grips with," he says.
Evan Jones, owner and IT chief of interactive production company Stitch Media, located in Toronto and Halifax, Nova Scotia, is also concerned about cloud security. "It's a scary concept when you just hand all of your important company data over to a third party," he says.
Like a growing number of IT managers, both Flax and Jones are beginning to realize that cloud computing doesn't offer companies a free ride when it comes to security. A Gartner Inc. report released last year identified concerns about risks in several areas, such as data privacy and integrity and compliance management, that should give pause to anyone thinking about rushing into cloud computing.
"Enterprises, particularly those in regulated industries, need to weigh both the business benefits and risks of cloud computing services," warns Jay Heiser, a Gartner analyst .
One of cloud computing's biggest risks arises from its very nature: It allows data to be sent and stored just about anywhere -- even divided among locations around the world. While data dispersion helps give cloud computing a cost and performance edge, the downside is that business information can land in storage systems in locales where privacy laws are loose or even nonexistent.
Flax, who is using Salesforce.com Inc. 's Force.com platform to automate Cowen's global sales systems, says the best way to ensure that data steers clear of risky destinations is to work with a cloud vendor that is a public company and is therefore required by law to disclose how it manages information.
Salesforce.com is publicly traded, and "as a result, we have a sense of comfort that there are strict processes and guidelines around the management of their data centers," Flax says. "We know our data is in the U.S., and we have a report on the very data centers that we're talking about."
Agora Games, a company in Troy, N.Y., that builds Web communities for video game players, currently has no say on the matter of where its cloud computing provider, Terremark Worldwide Inc. , hosts its data and applications. But that will be changing in the near future, says Brian Corrigan, Agora's chief technology officer.
Terremark will soon give Agora "the option to choose where virtual machines actually run," he says. "Right now, the only choice is the Miami facility, but Terremark is adding other locations, so [it will be] an issue we can manage however we want."
Track and Trace
Cloud computing's dispersed nature also makes it challenging to track unauthorized activity, even when careful logging procedures are used. Virtually all cloud computing providers use encryption, such as Secure Sockets Layer technology, to safeguard data in transit. But Heiser notes that it's also important to ensure that stored data is encrypted. "If data is stored in a shared environment, which is what usually happens, you can assume that unencrypted data may be read by unauthorized parties," he says.
Mike Mullin, IT director of Indian Harvest Specialtifoods, a Bemidji, Minn.-based company that distributes rice, grains and legumes to restaurants worldwide, says he relies on provider NetSuite Inc. to ensure that the data he sends into the cloud is fully protected. "With SSL, I'm pretty confident that our data is secure," he says. "If it isn't, then I think a lot of people will have problems and that the [cloud] industry as a whole will have a problem."
Mullin notes that cloud adopters also need to closely assess their own infrastructures and security practices, particularly access controls. "Your side of the infrastructure is just as vulnerable, if not more vulnerable, than the provider's side," he says.
Jones, who is using Amazon.com Inc. 's S3 cloud platform to share files with employees and contractors worldwide, agrees that access control is vital. "We have found that the system works best for us when we assign different levels," he says. Documents at the highest level of sensitivity simply aren't sent into the cloud; they're stored locally. "There are some documents that we're just not ready to go all the way with, but I'd say that 95% are not at that level," Jones says.
Corrigan says that comprehensive cloud security requires a holistic approach. "For supersecure data, start with how it's stored and then deal with how it's transmitted," he advises. "Manage access through some sort of two-factor authentication scheme. If you're really concerned, you can host your own [authentication] server in-house -- this guarantees that you're in control."
A Matter of Compliance
Because it places business data into the hands of an outside provider, cloud computing makes regulatory compliance inherently riskier and more complex than it is when systems are maintained in-house. Loss of direct oversight means that the client company must verify that the service provider is working to ensure that data security and integrity are ironclad. Heiser notes that any cloud provider should be willing to submit to external audits and security certifications to ensure the quality of specific controls. "A reluctance to cooperate is a warning sign," he says.
Working in the tightly regulated financial services industry, Cowen's Flax relies on SAS 70 audits to ensure that his cloud provider meets government and industry requirements. "There are standards in place for what a SAS 70 for a data center should be," he says. The SAS 70 audit, developed by the American Institute of Certified Public Accountants, covers data transmission and storage technologies and practices, including network operations, data safeguards and physical security elements.
"We read these audits very carefully because, as with an audit of somebody's financial books, just because the audit is complete doesn't mean they passed with flying colors," Flax says.
The fact that IT executives and managers are increasingly recognizing and controlling cloud computing vulnerabilities is a sign that adopters are beginning to view the emerging technology realistically rather than through rose-colored glasses. "It shows an increasing level of maturity," Heiser says.
Since cloud computing security weaknesses can now be reliably anticipated and addressed, Flax believes that security concerns alone shouldn't dissuade an enterprise from moving into the cloud. "Anytime you look at a new platform, you should do a thorough analysis before putting data on it," he says. "In this case, we did the analysis, and we were comfortable with it."
Mullin, who views cloud computing as a logical progression from software as a service and other hosted offerings, agrees. "Hosted applications have been around for a long time," he observes. "The security aspects are well understood, and I'm comfortable with that."
Corrigan says that he, too, is comfortable with the current state of cloud security. "I wouldn't say I lose any more sleep over our cloud provider than I do over our collocated physical servers," he explains.
Edwards is a freelance writer in Gilbert, Ariz. You can contact him at firstname.lastname@example.org .
This story, "Cutting Through the Fog of Cloud Security" was originally published by Computerworld.