Despite a rapidly rising number of organisations using cloud computing in some form, many are still afraid of it and others have concerns about expanding their cloud use. This HP whitepaper outlines what these concerns are and gives some hints as to how the perceived threats can be mitigated against.
Many organisations fear the cloud, as it can bypass IT departments and information security officers into the bargain. Maybe this isn't surprising when one considers the case of a convicted former employee of a US cloud service provider this year.
The Tucson, Arizona staff member was employed by a cloud provider based in Virginia - not named by the Federal Bureau of Investigation - which prosecuted the case. The staff member was given almost three years in prison for "intentionally causing damage to a protected computer" and, following his release, is subject to a further three-year supervision order.
According to court documents, the former cloud employee worked as a systems administrator for the company. After resigning, he continued to enter the networks of the cloud provider for "the purpose of damaging its servers, its reputation and its business."
Over a period of about six months, he "encouraged cloud customers to leave" and "secretly logged into a company server to issue a shutdown command to a key data server." As a result, he shut down customer networks, making key information – including that of hospitals responsible for surgery and other urgent patient care – unavailable for at least several hours, according to court documents. He is said to have caused hundreds of thousands of dollars worth of damage as a result.
A key question from this case is perhaps this: who is responsible for cloud security? Is it the cloud user or the cloud provider? However, there is confusion over this issue. The Ponemon Institute, a data security research specialist, recently questioned 4,000 business and IT managers around the world about their attitudes to cloud data security.
Who's responsible for cloud security?
While the large majority of respondents said their organisation was already transferring sensitive data into the cloud, Ponemon sought to find out who they thought was responsible for the data security - themselves or the cloud provider?
It was found that 64 per cent of organisations believed their cloud provider had primary responsibility for protecting that data. However, nearly two-thirds of respondents said that they did not know what cloud providers were actually doing in order to protect the data entrusted to them.
Perhaps not surprisingly, the survey - which was commissioned by technology and defence group Thales - found that 39 per cent believed cloud adoption had decreased their company's security. Such sentiment further illustrates why many organisations are still afraid of the big bad cloud. There are also fears about high profile cloud outages amongst some of the major cloud players over the last year too, affecting the likes of Amazon, Google and Microsoft.
The Microsoft Azure data storage facility went down globally after a Microsoft employee failed to renew a security certificate. After a 12-hour outage, Microsoft was forced to offer compensation to affected users, in line with their service level agreements. The company also saw another outage affecting its SkyDrive storage service, and the Outlook and SQL offerings in the Azure cloud separately went down too. In addition, Hotmail and Messenger saw significant crashes.
Other recent cloud problems saw Google's Drive cloud storage service go down along with its Gmail service. Amazon's cloud went down too, with that service having seen three major outages in two years. These failures mean organisations considering the cloud or looking to expand limited rollouts will be fearful about data accessibility and overall service issues.
Are cloud service providers up to the mark?
The Cloud Security Alliance (CSA), a cloud industry group which is backed by most of the major cloud service providers - including the likes of Google, HP, Verizon and Microsoft - acknowledges the threats posed by cloud computing.
It published its Notorious Nine cloud threats after undertaking reseach among its own members and other experts. The Notorious Nine included data breaches, data losses, account hijacking, insecure APIs (application programming interfaces), denial of service attacks, malicious insiders (like our friend in Tucson, Arizona), abuse of cloud services, insufficient due diligence, and shared technology issues.
To help address these threats, The CSA promotes its Security, Trust and Assurance Registry (STAR), which is a free and publicly accessible registry that documents the security controls provided by various cloud computing offerings. CSA STAR is open to all cloud providers and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry allows potential cloud customers to review the security practices of providers, "accelerating their due diligence and leading to higher quality procurement experiences," according to the CSA.
Google and Microsoft, for instance, use the registry to show what security systems they have in place to support their Google Apps and Office 365 cloud-based productivity apps. Although STAR does not prevent the occasional outage, users of cloud services should require STAR reports as part of their procurement process, maintains the organisation.
Contracts and service level agreements
However, even if buyers of commercial cloud services can get more information from potential cloud service providers on security, they are still finding that contract provisions covering security are inadequate, according to Gartner. The research firm says contracts often have "ambiguous terms" regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident.
This leads to dissatisfaction among cloud service users. Gartner said that through to 2015, 80 per cent of corporate IT procurement professionals will remain dissatisfied with SaaS contract language, for instance, and protections that relate to security. "We continue to see frustration among cloud service users over the form and degree of transparency they are able to obtain from prospective and current service providers," says Gartner analyst Alexa Bona.
Minimum security terms
At a minimum, says Gartner, cloud service users need to ensure that contracts allow for an annual security audit and certification by a third party, with "an option to terminate the agreement in the event of a security breach if the provider fails on any material measure."
Read more: The HP cloud security offering
When it comes to cloud security, firms should adopt the approach they should nearly always take when it comes to considering security; a risk-based position to selecting the right security options for their individual cloud service.