July 14, 2010, 4:09 PM — Virtualization and cloud computing haven't eroded the online security of most companies, analysts say. But they may be contributing to situations in which IT-service customers leave themselves vulnerable to attack because they assume their cloud provider is taking care of security.
"Security and cloud hosting are two separate things, but the cost of entry is so low, and often so simple, that customers may not do as much due diligence as they should to find out who's responsible for security," says Ezra Gottheil, an analyst who covers server issues for Technology Business Research.
Placement of responsibility for security in cloud computing arrangements is so ill-defined that Gartner, in a report released this week, felt it necessary to list both access to information about how a cloud service works and a service level agreement spelling out customer expectations and requirements.
In March, research from the Cloud Security Alliance listed customer ignorance of security practices--and service providers' refusal to give information to relieve it--among the seven top security risks in cloud computing. According to the Cloud Security Alliance's research, cloud projects and the risks they entail may be "complicated by the fact that cloud deployments are driven by anticipated benefits, [and] by groups who may lose track of the security ramifications."
The nature of the cloud computing business means many customers or potential customers have no idea how exposed they really are when they put a website or other corporate application on someone else's hardware, says Josh Corman, analyst for The 451 Group.
Chris Drake, CEO of FireHost, a cloud services provider that hosts and secures customers' applications, agrees that most cloud and website hosting customers assume their provider is responsible for keeping their site safe even though that's not always the case.
How One Cloud Computing Customer Got Burned
One of FireHost's recently acquired customers, LawLeaf, a web-based financial services company that finds loans for people trying to finance the cost of lawsuits they're filing, left its previous web hosting vendor, BlueHost, after an attack that almost put LawLeaf out of business.