Cloud Security: 'Past Performance is Not an Indication of the Future'
A recent article in Computer World outlined several security and legal concerns that pertain to the current state of cloud computing and SaaS offerings of public service providers. The major concerns discussed included:
- Authentication for cloud services is usually password-based. Organizations that typically require 2-factor authentication for their enterprise applications will have to accept weaker authentication.
- Auditing of actions and events occuring within the cloud service provider’s infrastructure is difficult because the service providers do not offer such visibility into their infrastructure to their customers.
- Government authorities may have rights to serve a warrant and seize the information from the service provider without the permission of the customers of the service provider.
- Customers of cloud services may not have any visibility or control over the hiring practices of their cloud service providers, leading to concerns related to abuse of privilege.
These concerns do reflect the reality of early cloud computing and SaaS offerings, and organizations should consider these factors carefully before using cloud services for enterprise applications. But, to assume that these issues are unavoidable with the use of cloud services would be a mistake. All concerns outlined above can be addressed to ensure that organizations do not have to make a choice between the security and privacy of their information and the cost savings and flexibility made possible by cloud computing.
As the use of the cloud for enterprise applications becomes more prevalent, service providers can and will provide more sophisticated security architecture and models to meet the expectations of their customers. Examples include:
- Offering 2-factor authentication as an option for access to cloud services
- Risk-based authentication to cloud services to ensure that strength of authentication is commensurate with the associated risk
- Comprehensive logging in the cloud infrastructure, coupled with web-based reporting capability exposed to the tenants of the cloud
- Encryption of data before it is sent to the cloud service provider to address concerns related to loss of confidentiality
- Key managers, identity federation servers and certificate authorities offered as trusted third party security services in the cloud to ensure separation of duties between the service provider and the security provider
These services are not revolutionary. They are well-established enterprise security technologies extended and optimized to secure the cloud. Security investment and sophistication has always been pegged to the risk associated with the IT infrastructure being secured. So far, cloud computing and SaaS has predominnantly been used for consumer or non-production use. As the use of cloud computing extends to enterprise applications and production environments, enterprise-grade security will be offered widely by major cloud service providers. The security industry will rise to provide ‘Trust-as-a-Service’ or cloud-based security services to check and balance the privilege that cloud service providers can exert over their customer’s information. Lack of adequate security capabilities in cloud services thus far is not an indication of where the industry is going. Cloud services are poised to enjoy a steep growth curve; we should expect cloud security to also rapidly grow in sophistication.
Organizations should not resist taking advantage of the tremendous business and operational advantages of cloud services, but rather look for service providers who offer enterprise-grade security with their cloud services.
