For many CIO’s today, the perceived barriers to Cloud computing remain security, regulation and compliance. Organizations seek reassurance on several points: accessing the Cloud will not compromise their security; their sensitive data and intellectual property will be protected; they can retrieve their data if they want to change Cloud provider, or their provider winds up operations; and they can maintain their customer service standards and competitive performance.
CIO’s 2011 Global Cloud Computing Adoption survey reveals that 56% of the IT and business leaders say managing access to data in the cloud is a top challenge. With the amount of data being generated, the number of identities and devices accessing the cloud, and the ever-changing infrastructure, these leaders recognize that today, they may not have the needed controls and lack ?real-time visibility. They can’t manage what they can’t see and they can’t secure what they can’t manage. Many organizations have siloed environments that are complex and difficult to manage. In such organizations, the dynamic nature of cloud environments, where data and applications move about at a moment’s notice only add to the complexities. However, for organizations with siloed environments, starting with a foundation of virtualization before moving on to the cloud will provide greater visibility than legacy approaches.
A look at the three deployment models and security
The three deployment models of cloud computing – software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) have their own level of controls for the cloud provider and the organization purchasing the cloud service.
Software as a service (SaaS)
This model puts most of the responsibility for security management with the cloud provider and is commonly used for services such as customer relationship management and accounting. SaaS is considered low-risk because it primarily deals only with software and not hardware or storage. With SaaS, companies are able to control who has access to these cloud services and how the applications are configured. The cloud provider is responsible for software installation, maintenance, upgrades and patches in this case.
Platform as a service (PaaS)
This is similar to SaaS but often includes further application-specific software to help businesses create customized services. For example, a company using PaaS could develop its own custom cloud software to perform some specialized task. Most PaaS offerings are multi-tenant which implies that some of the services may be shared with other organizations. This means it is critical for companies who use PaaS to have a well-defined trust relationship with the provider on security issues such as access, source code distribution, navigation history and application usage.
Infrastructure as a service (IaaS)
In this companies get a unified, scalable cloud package that offers tighter control over many aspects of a traditional IT infrastructure than they do with SaaS or PaaS. Companies using IaaS pay on a per-use basis to access services and applications, and can also tap the operating system that supports virtual images, networking and storage environments for additional control. Often, IaaS is offered as a private cloud, giving companies complete internal control over access and security.
Demystifying Cloud security myths
Myth 1 – The Cloud is inherently insecure
The cloud environment can be absolutely secure—in fact, it can be even more secure than a datacenter. Infact, a cloud can be more secure than your internal IT infrastructure. A key advantage to third-party cloud solutions is that a cloud vendor’s core competency is to keep its network up and deliver the highest level of security. In fact, most cloud service providers have clear SLAs around this.
In order to run a cloud solution securely, cloud vendors can apply for becoming PCI DSS compliant, SAS 70 certified and more. Undergoing these rigorous compliance and security routes can provide organizations with the assurance that cloud security is top of mind for their vendor and appropriately addressed. The economies of scale involved in cloud computing also extend to vendor expertise in areas like application security, IT governance and system administration.
This makes the case for an enterprise hybrid cloud model very compelling, where the same common security standard can be delivered across both public and private environments without compromising enterprise-class requirements or cost.
Myth 2 – The Cloud is a new concept altogether, therefore Cloud security is a new challenge
There’s a misconception that cloud is a new technology and, therefore, cloud security is a brand new challenge that has not been addressed. True that the cloud represents a brand new target for attack that hackers love to go after, but the vulnerabilities and security holes are the same ones that exist in traditional infrastructure.
Infact, today’s cloud security issues are much the same as any other outsourcing model that organizations have been using for years. What companies need to remember is that when you talk about the cloud, you’re still talking about data, applications and operating systems in a datacenter, running the cloud solution. In fact, virtualization of IT infrastructure can make the cloud more secure than the physical environment and an investment in virtual security can provide the needed control and visibility for cloud.
Myth 3 – Compliance means Security
Many enterprises believe that being compliant ensures that their systems are secure and invulnerable to attacks. In actual fact, compliance does not ensure security, but only attests to the state of security at a specific moment in time. Compliance standards are reliant on human adherence to policies and procedures and not on automation. This can lead to errors and misjudgment. In the long run, equating security to compliance— and vice-versa—can put the business at risk.
Myth 4 – All Clouds are created equal
While the cloud can absolutely be as secure as or even more secure than an on -premise solution, all clouds are NOT created equal. There are huge variances in security practices and capability, and you must establish clear criteria to make sure any solution addresses your requirements and compliance mandates.
Changing realities
While security emerges as a major concern among the adversaries of cloud computing, the key to understanding security in cloud computing is to realize that the technology is not new, or untested. It represents the logical progression to outsourcing of commodity services to many of the same trusted IT providers we have already been using for years.
Having said that, cloud security is part of the inevitable progression of IT. It must be embraced by organizations to stay competitive. Companies who approach cloud computing in a mature manner need not be afraid about entering the cloud because of security concerns. Dealing with security in the cloud is no more difficult than addressing it internally. And there are steps you can take that can make cloud security just as effective-or even more so-as your internal IT.
About the Author: Gopan Joshi is Product Manager: Cloud Computing Services, Netmagic Solutions Pvt. Ltd. and has expertise in managing products and services in various market scenarios and life cycle stages. His experiences ranges from introducing cutting edge innovations in existing products, existing markets to new technology, new markets.