Mastering cloud security: A Q&A with industry specialist Assuria

We grill Terry Pudwell, co-founder of cloud security provider Assuria, about the biggest challenges that come with deploying the cloud, and how businesses can stay free of associated dangers.

Security is often cited as one of the key factors preventing organisations from moving more data to the cloud. What are the biggest threats that exist when using the technology?

Public cloud companies tend to provide physical and logical security up to the hypervisor level only, but from the operating system level and above, this remains the responsibility of the user organisation, and because there have been few solutions available that can operate in the public cloud, security has been significantly compromised compared with users' own data centres.

Why has it taken enterprises so long to come to terms with cloud security?

My feeling is that the take-up of public cloud services so far has mostly been by mid-sized companies, for whom security monitoring was not very high on the agenda (until quite recently) so a lack of security wasn’t too much of a problem. Many major enterprises have been dipping a toe in the water with non-sensitive applications and for these, the assumption was that sophisticated security monitoring of the kind they are used to in their own data centres wasn’t available, so they’ve been using the cloud for applications where security wasn’t a requirement.

What are the key obstacles organisations need to overcome if they are to use the cloud securely?

They need to be able to get the same level of security monitoring and configuration/compliance audit in the cloud as they expect on their on-premise systems. This is the Assuria proposition – it’s what we’re able to provide today.

With such an array of applications available and a general lack of established standards across the cloud industry, does fragmentation pose security problems for the enterprise?

I’m not sure it’s the fragmentation that poses the security problems; it’s more to do with the lack of enterprise security monitoring solutions that can operate in the same way in the public cloud, private cloud and on-premise data centre that poses the biggest security problems. By and large, cloud providers are beginning to expose operational and security data but traditional security tools just can’t access those data because of the way they’re designed.

What advantages can a business gain from using public cloud services?

Well, obviously it’s on-demand IT resources when you need them and to the level that you need them, plus there’s a lot less need for experienced systems and networking specialists. It’s a bit like one of these car sharing schemes where you only use the car when you need it and where all of the insurance, servicing and other facets of running a car are taken care of, as opposed to owning and running your own car. As with car sharing, it’s not for everyone, but it works for enough people to make it an increasingly attractive option.

How do you see the cloud trend evolving over the next five years?

Personally, I feel that the public cloud market will (1) consolidate down to a small number of dominant generalist providers over the next few years (we’re seeing a bit of this now with cases such as IBM’s acquisition of SoftLayer), (2) specific-function public cloud service providers such as Box.com etc. will do well, and (3) the hybrid private cloud market will outgrow all of the others.

I also think that enterprises will still want to be able to monitor security and compliance independently of the cloud provider for all the same reasons they want independent monitoring of their own data centres. Assuria has strong security monitoring offerings in all these cloud environments as well as in traditional on-premise environments, which we think is a prerequisite for success.