Security is one of the most commonly mentioned barriers preventing IT managers from taking advantage of cloud computing. So how should IT managers considering cloud services ensure they maintain security, and what are the key issues to protect data? This report looks at how to be confident about security in the cloud.
The cloud security market
Analyst Forrester says the concerns about security among potential cloud recruits will create a large cloud security market, worth around $1.5 billion a year by 2015. Cloud security will shift from being an inhibitor to an enabler of cloud services adoption, says Forrester.
Forrester believes the advent of secure cloud services will be a "disruptive force" in the security solutions market, challenging traditional security solution providers to revamp their architectures, partner ecosystems and service offerings, while creating an opportunity for emerging vendors, integrators and consultants to establish themselves.
Reducing the risks of moving to the cloud
When reducing the risks of moving data or applications over to the cloud, firms cannot usually rely on a "one size fits all" scenario. Not all risk scenarios are the same. For instance, some critical applications might be too important to move to a cloud service provider, or extensive security controls might be deemed "over the top" for relatively low-value data being moved to cloud-based storage platforms.
And with so many different cloud services to choose from, the security choices can be varied. Firms can choose cloud services such as software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), and then there are the types of cloud delivery mechanisms to be chosen: private cloud versus public cloud deployments, internal versus external hosting, and various hybrid solutions.
When it comes to cloud security, firms should take the same approach they should nearly always take to security: a risk-based position for selecting the right security options for their individual cloud service.
Identifying the risks
To decide on the security needed for cloud roll-outs, organisations must first identify the assets they are actually moving to the cloud, which can normally be put in either of two areas: data or applications/processes.
Firms should also take account of the fact that whole processes do not necessarily have to move into the cloud. For instance, companies can host an application and the data in their own data centre, while still migrating a chunk of its functionality into the cloud through a platform-as-a-service arrangement.
The next step is to evaluate the importance to the organisation of the data or process being moved. Essentially, when considering moving assets from the organisation to an outside cloud provider, firms should consider the same things they look at when considering an outsourcing contract.
For instance, what would the damage be if the data wrongly became publicly available? Would unauthorised cloud provider staff accessing the data or function cause problems? And what would be the effect of downtime to the process or unavailability of the data?
Cloud data flows must be mapped
In addition, firms may also need to map out a data flow relating to the cloud deployment service under consideration. They should consider the data flow between their organisation, the cloud service provider, and any customers, partners or other cloud connections. Such a data flow will show how data can move in and out of the cloud, illustrating the security requirements.
After going through this process, organisations should be clearer about what they are moving into the cloud, their risk tolerance, and which type of cloud provision suits them. With this in front of them, they can then decide on the best security protocols and security systems to be put in place.
As well as security hardware and software options, these might include on-site inspections of cloud providers, data encryption schemes, audit and data retention policies, and reassurances sought from the cloud provider that their service can meet the security and industry compliance demands of the customer.
Cloud provider responsibilities
While cloud customers can do a lot to make sure their migration to the cloud is secure, the providers themselves can do much more to reassure users, says analyst Gartner.
"If cloud services are commoditised, providers themselves should come forward and offer much stronger customer guarantees," says Gartner analyst Daryl Plummer. "However, service providers often do not offer great protection or vary greatly in the protection they do offer."
Gartner says cloud users should have the right to know what security processes the provider follows, and what the provider's business continuity plans are.
They must also retain ownership, use and control of their own data, with the provider having to specify what it can do with the consumer's data, as a lack of clarity can lead to costly legal battles.
Gartner says there must also be service-level agreements that address liabilities, covering areas like recovery times and forms of remediation when things go wrong.
Customers must also have rights to notification and choices about service provider changes that affect the consumer's business processes. Providers must give advance notification of major upgrades or system changes, and grant the consumer some control over when changes happen.
Cloud users should also know the technical limitations or requirements of the service up front. And they should be told the legal requirements of jurisdictions in which the provider operates - if the cloud provider stores or transports the consumer's data in or through a foreign country, the consumer becomes subject to laws and regulations they may not know anything about.
After all these areas have been addressed, cloud customers can rest easier about the security of their applications and data in the cloud.