<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ask the IT Consultant &#187; Security</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/it-consulting/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/it-consulting</link>
	<description>Boston SIM Consultants' Roundtable Blog</description>
	<lastBuildDate>Sat, 27 Apr 2013 21:32:19 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Patchy Clouds with a Chance of Rain</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/patchy-clouds-with-a-chance-of-rain/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/patchy-clouds-with-a-chance-of-rain/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 16:15:42 +0000</pubDate>
		<dc:creator>Beth Cohen</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Cloud architectures]]></category>
		<category><![CDATA[Cloud innovation]]></category>
		<category><![CDATA[Cloud portfolio management]]></category>
		<category><![CDATA[Cloud security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=503</guid>
		<description><![CDATA["...additional threats unique to the cloud environment include 'hacking as a service' and public clouds as havens for illegal activities."]]></description>
				<content:encoded><![CDATA[<p><strong><em>Question</em></strong><em>: As the cloud model of IT service delivery matures, have the security standards and technologies kept up?</em></p>
<p>Cloud computing has already fundamentally changed the way consumers and small businesses use the Internet. However, as with any new technology model, there are hurdles to overcome before universal acceptance. According to a 2010 Kelton Research survey of 537 IT and business executives, security concerns were the top reason cited for not adopting cloud technology. Two recent survey articles on cloud security offer some insight into the differences of opinion about cloud security within the cloud technology community. While the two articles cover much of the same material, Blumenthal&#8217;s <em>Is Security Lost in the Clouds?</em> takes a considerably more pessimistic view of the ability of existing technology to address the problem than Bisong, A., &amp; Rahman, S. M. in their <em>Overview of the Security Concerns in Enterprise Cloud Computing.</em></p>
<p>Bisong and Rahman suggest that if the cloud implementation properly follows IT industry best practices, securing the cloud is primarily a technical problem that can be easily addressed. Their overall message is that cloud security is nothing to worry about and that existing technology and services are more than adequate for the task of protecting enterprise data in the cloud. They spend relatively little time discussing how to quantify the many complexities of the legal, operational, business and technical risks of a cloud computing implementation. They barely mention the problem of cloud ownership and who is responsible for maintaining the integrity and privacy of data in the cloud, <a href="http://itknowledgeexchange.techtarget.com/it-consulting/widgit-company-a-cloud-security-parable-part-1/">concerns I have discussed extensively in the past.</a> While there have been improvements in cloud security &#8211;the work of the Cloud Security Alliance is particularly noteworthy&#8211; there is still plenty of room for more innovation. There must be a fundamental shift in thinking about cloud security before IT executive fears can be permanently assuaged.</p>
<p>On the other end of the spectrum, Blumenthal is clearly more paranoid. She postulates some additional threats unique to the cloud environment, such as clouds used as hacker fronts, which she terms &#8220;hacking as a service,&#8221; and clouds as havens for illegal activities. She digs into not only the technical security issues but also the potential business risks, discussing the cloud strategy tradeoff of giving up autonomy in return for lower costs and elasticity. While she agrees that there are great advantages to moving enterprise applications to the cloud, she cautions the reader that once all the proper safeguards are implemented, the &#8220;apparent economic advantages of the public cloud&#8221; might well be eroded. She advises any enterprise that is considering moving its IT applications into the cloud to fully analyze the risks and move carefully.</p>
<p><em><a href="http://cdn.ttgtmedia.com/ITKE/uploads/blogs.dir/122/files/2011/09/security_diagram.jpg"><img class="alignnone size-medium wp-image-512" src="http://cdn.ttgtmedia.com/ITKE/uploads/blogs.dir/122/files/2011/09/security_diagram.jpg" alt="Diagram of Cloud Security Risks" /></a></em></p>
<p><em><strong>Figure </strong><strong>1</strong><strong>: Diagram of Cloud Security Risks</strong></em></p>
<p>In conclusion, network security people generally tend to be a paranoid group and both articles clearly spell out the many dangers inherent in moving the enterprise to public cloud architectures. However, in comparing the two articles it is clear that Blumenthal is far more knowledgeable about not only the technical issues but the overall complexities of delivering secure enterprise cloud services that meet the business requirements for risk mitigation. I would trust her conclusion that the inherent insecurity of cloud services has not yet been properly addressed by the community or the vendors.</p>
<p><em>About the Author</em></p>
<p><em>Beth Cohen, <a href="http://www.cloudtp.com/">Cloud Technology Partners, Inc</a>. Moving companies&#8217; IT services into the cloud the right way, the first time!</em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/patchy-clouds-with-a-chance-of-rain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Anyone Guarding the Internet Henhouse?</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/is-anyone-guarding-the-internet-henhouse/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/is-anyone-guarding-the-internet-henhouse/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 15:00:21 +0000</pubDate>
		<dc:creator>Beth Cohen</dc:creator>
				<category><![CDATA[business responsibility]]></category>
		<category><![CDATA[Consumer IT technology]]></category>
		<category><![CDATA[Identity theft]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=216</guid>
		<description><![CDATA[Question:  With all the rampant fraud and identity theft on the Internet, why are consumers responsible for protecting their data when they have so little control? The assumption is that if data is compromised or one&#8217;s identity stolen it is somehow the victim&#8217;s fault.  The picture is painted that we are responsible for managing our [...]]]></description>
				<content:encoded><![CDATA[<p><strong><em>Question</em></strong><em>:  With all the rampant fraud and identity theft on the Internet, why are consumers responsible for protecting their data when they have so little control?</em></p>
<p>The assumption is that if data is compromised or one&#8217;s identity stolen it is somehow the victim&#8217;s fault.  The picture is painted that we are responsible for managing our own security.  To a certain extent that is true and we should, as responsible citizens, practice basic network security hygiene.  Yet, we are constantly barraged with advice telling us to install data protection software, invent complex passwords, change them often and monitor our financial activities.  Is it really our fault when the system lets us down and our money is stolen, our identity compromised or our computers are hacked?</p>
<p>I would argue that the reality is far different.  We as consumers do not have much control over the security of our data or how secure our computer&#8217;s operating systems are.  Even if we pay for everything in cash, if we have a bank account, we are open to fraud.  One of my students recently pointed out that the Internet can be thought of as a giant recording device.  Everything that is ever posted to the net is still out there to be found and possibly used for nefarious purposes. Once our money enters the global financial system we have little or no say over who touches the information and what they do with it.</p>
<p>The average computer user should not be required to be a sophisticated network security professional to use the Internet services.  Consumer protection laws were originally put in place back in the early/mid 20th century because we came to realize that if we purchased something that wasn&#8217;t what we thought it was, it was not because we weren&#8217;t smart shoppers, it was because the buyer/seller relationship was too skewed towards the sellers and not enough power was in the hands of the buyers to make informed decisions.</p>
<p>It is time that we come to the understanding that the Internet is entering a similar phase in its market maturity. Companies need to regain or maintain consumer trust. As good corporate citizens, it is our responsibility to implement proper security measures to protect customers&#8217; data. The recent spate of laws in Massachusetts, the European Union and other places that are designed to put the responsibility for the protection of personally identifiable data on the companies that hold it is a step in the right direction.</p>
<p>About the Author</p>
<p><em>Beth Cohen, Luth Computer Specialists, Inc. </em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/is-anyone-guarding-the-internet-henhouse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Clouds with a Chance of Storms</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/clouds-with-a-chance-of-storms/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/clouds-with-a-chance-of-storms/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 19:00:32 +0000</pubDate>
		<dc:creator>Beth Cohen</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Business Value]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[innovation]]></category>
		<category><![CDATA[IT Innovation]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology innovation]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=169</guid>
		<description><![CDATA[Question:  What exactly are the top security issues that cloud vendors need to address? Somehow I am getting a sense of déjà vu on cloud security.  Don&#8217;t get me wrong folks, but the cow is already out of the barn.  After all, more than 69% of all consumer Internet users have used at least one [...]]]></description>
				<content:encoded><![CDATA[<p><strong><em>Question</em></strong><em>:  What exactly are the top security issues that cloud vendors need to address?</em></p>
<p>Somehow I am getting a sense of déjà vu on cloud security.  Don&#8217;t get me wrong folks, but the cow is already out of the barn.  After all, more than 69% of all consumer Internet users have used at least one cloud service in the past year and that doesn&#8217;t include the nearly 100% of all consumers who are using web mail services such as Gmail, Yahoo and others of their ilk.</p>
<p>On the other hand, businesses and enterprises are not rushing to jump on the cloud computing bandwagon in the same kinds of numbers. So what is holding companies back from taking the very <a href="../../../../../clouds-rolling-in/">real advantages that cloud offers</a>? We can argue that business requires a higher level of security and validation than the average consumer, but the simple answer is really a large dose of inertia, fear and doubt. That is, all the usual reasons that businesses use as excuses to wait for the <a href="../../../../../looking-for-business-innovation-in-all-the-right-places/">consumer products and services</a> to prove their worth before committing precious corporate IT resources.</p>
<p>In a survey conducted by IDC in August 2008 and June 2009, concerns about security topped the list of challenges for 88.5% of the respondents, followed closely by performance (88.1%) and availability (84.8%).   Clearly security is a major impediment to a cloud architecture implementation for many organizations.  It will need to be properly addressed before cloud architectures will be fully embraced by the business community.</p>
<p>Cloud security issues can be divided into three major categories: business, regulatory and technical. Business issues generally can be quantified as risks to the business in whatever form. Major business concerns for the enterprise include:</p>
<ul>
<li> Legal issues related to the control and protection of intellectual property and sensitive business information</li>
<li> The difficulty of establishing end to end business data validation</li>
<li> Regulatory issues related to data ownership and proper handling procedures</li>
<li> A perception of increased potential for data and business loss</li>
<li> Risk of reduced data or systems availability</li>
<li> Proper integration of the mix of secured data residing both in the cloud and on the internal corporate networks</li>
</ul>
<p>The major global regulatory issues that influence technical and business decisions around cloud computing architectures include:</p>
<ul>
<li> Rising consumer data protection laws around the world</li>
<li> PCI Compliance and the need to ensure end to end data protection</li>
<li> Banking regulations</li>
</ul>
<p>It is clear that many of the business and regulatory issues can be addressed with properly secured cloud architectures, applications, networks and systems, but cloud and network security is quite complex. It encompasses such diverse disciplines as networking, application development, database architecture and design, hardware architecture, and systems design. Many standard network security best practices developed for the enterprise are inadequate for the new cloud architectures. However, by taking a network services approach to the architecture of cloud services, there are many advanced methods that can be used to address cloud security issues and allay most if not all of the business owners&#8217; concerns.</p>
<p>About the Author</p>
<p><em>Beth Cohen, Luth Computer Specialists, Inc. </em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/clouds-with-a-chance-of-storms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mapping Application Disaster Recovery to Business Requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/understanding-disaster-recovery/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/understanding-disaster-recovery/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 12:00:42 +0000</pubDate>
		<dc:creator>ITKE</dc:creator>
				<category><![CDATA[Application testing]]></category>
		<category><![CDATA[business continuity]]></category>
		<category><![CDATA[Business Value]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[IT consultant]]></category>
		<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=139</guid>
		<description><![CDATA[Question: Now that my organization has acquired space at a remote co-location data center and we&#8217;ve installed hardware, what do we need to consider in setting up recovery for our critical business applications? While it would be impossible in this forum to go into all the possible strategies that you could employ for application recovery, [...]]]></description>
				<content:encoded><![CDATA[<p><em><strong>Question: </strong>Now that my organization has acquired space at a remote co-location data center and we&#8217;ve installed hardware, what do we need to consider in setting up recovery for our critical business applications?</em></p>
<p>While it would be impossible in this forum to go into all the possible strategies that you could employ for application recovery, this post describes the areas that you should consider when developing a recovery solution for your company.</p>
<p>Before thinking about any technology, remember that disaster recovery is really about business risk management. As such, it is important to start by meeting with the business owners of each application to identify the recovery requirements, such as recovery time objective (RTO), recovery point objective (RPO), end user workload, and whatever other applications or services the application depends on. In short, understand the main parameters of your recovery solution from the business perspective first. Keep in mind that the business owners may not be familiar with the technological underpinnings of the application, so involve the application support staff to ensure a full understanding of the recovery requirements, so that the managers can make reasonable decisions based on what is achievable with the current technology and architectures.</p>
<p>From here, design your recovery solution while considering the following:</p>
<ul type="disc">
<li><strong>Server power</strong> &#8211; How much processing power will be needed by the recovered application at the DR site? Will the DR site support production only, or will development activities also be occurring there?</li>
<li><strong>Replication</strong> &#8211; How much data has to be available at the DR site, how fresh will it need to be (this is where the RPO bites), and how will it get to the DR site?</li>
<li><strong>Network</strong> &#8211; How much network capacity will be needed to support data replication and end user access, and what protocols should the network support?</li>
<li><strong>End user access</strong> &#8211; How will the users of the application access it while it is running at the recovery site?</li>
<li><strong>Application installation and code management</strong> &#8211; How do you ensure that the latest version of the application is available at the DR site?</li>
<li><strong>Application recovery process</strong> &#8211; What will be the step by step process for recovering the application, and can it be completed within the RTO? Who will execute the recovery process?</li>
<li><strong>Change control</strong> &#8211; How do you ensure that changes to the production version of the application are reflected in the DR environment?</li>
<li><strong>Testing</strong> &#8211; How will you test the resources at the DR site and the recovery process?</li>
</ul>
<p>In designing your recovery solution, think of it as an on-going resource that must be managed with the same attention as your production environment. That&#8217;s because it might someday <span style="text-decoration: underline">be</span> your production environment.</p>
<p><em>John McWilliams, JH McWilliams &amp; Associates, Business Continuity Consultants</em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/understanding-disaster-recovery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massachusetts Privacy Laws: Coming Soon to a Business Near You!</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/#comments</comments>
		<pubDate>Wed, 27 May 2009 17:00:18 +0000</pubDate>
		<dc:creator>Davidatkma</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Identity theft]]></category>
		<category><![CDATA[Massachusetts privacy law]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=91</guid>
		<description><![CDATA[Question: How can my organization prepare for the new Massachusetts Privacy Law 201 CMR 17.00 and why is it important? Massachusetts recently passed a new privacy protection law that is the strictest in the nation to date. If you are not in Massachusetts you might not think it applies to your business, but if your organization [...]]]></description>
				<content:encoded><![CDATA[<p><em>Question: How can my organization prepare for the new Massachusetts Privacy Law 201 CMR 17.00 and why is it important?</em></p>
<p>Massachusetts recently passed a new privacy protection law that is the strictest in the nation to date. If you are not in Massachusetts you might not think it applies to your business, but if your organization has any employees or customers in Massachusetts then you are affected by Massachusetts Privacy Law 201 CMR 17.00 &#8212; Standards For The Protection Of Personal Information Of Residents Of The Commonwealth. In a nutshell, the law states that you need to place safeguards on any personal information (PI) that your company touches, either in electronic <strong>or</strong> paper form. You will need to be in compliance with the law by 2010, so to get you started, here is a quick tutorial.</p>
<p>First, determine whether you hold any personal information (PI) that needs protection. The regulation defines PI as a Massachusetts resident&#8217;s first name (or first initial) and last name in combination with any one of the following: a Social Security number, a driver&#8217;s license or state-issued ID card number, or a financial account number or credit or debit card number. A bare account number with no name attached is not PI under this definition, but a name next to one is. Specifically, you should examine the number of records, the people and processes that access them, how they are transmitted and where they are stored. Ideally, you want to minimize the information you hold to what your business processes need, keep it for as short a time as possible, and reduce the number of people and processes that have access to it. Following these best practices will reduce your liability and exposure under the law.</p>
<p>Here are some recommended steps to meet the legal requirements:</p>
<ul class="unIndentedList">
<li> <strong>Policy</strong> &#8211; Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely.</li>
<li> <strong>Exposure</strong> &#8211; Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.</li>
<li> <strong>Communication</strong> &#8211; Inform the company staff that the law is coming and request their help in meeting the compliance obligations.</li>
<li> <strong>Data classification</strong> &#8211; Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.</li>
<li> <strong>Discovery</strong> &#8211; Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.</li>
<li> <strong>Need to know</strong> &#8211; Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups.</li>
<li> <strong>Lifecycle</strong> &#8211; Look at your business processes to understand the lifecycle of PI in your enterprise.</li>
<li> <strong>Administration</strong> &#8211; Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.</li>
<li> <strong>Technical</strong> &#8211; Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution. Bear in mind that the regulation&#8217;s computer system requirements (201 CMR 17.04) specifically call for encrypting PI stored on laptops and other portable devices and PI transmitted across public networks or wirelessly, to the extent technically feasible, so keeping PI off laptops shrinks the encryption problem rather than removing it.</li>
<li> <strong>Physical</strong> &#8211; Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.</li>
<li> <strong>Training </strong>- Everybody, yes everybody, in the company should receive training, reminders and yearly refreshers on what information you are responsible for protecting and why.</li>
</ul>
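<p>As an added illustration of the Discovery and Need to know steps above (this is example code written for this edit, not code from the original post or from Knowledge Management Associates), here is a small Python scanner that walks rows of exported text, picks out Social Security, payment card and license-shaped numbers, Luhn-checks the card candidates so that random 16-digit order numbers are not reported, and flags a row as PI only when a name appears alongside an identifier, which is how the regulation defines personal information. The sample rows are constructed and belong to no real person; the Massachusetts license pattern (letter S plus eight digits) and the two-capitalised-words name heuristic are assumptions to tune for your own data.</p>

```python
import re

# Constructed sample rows standing in for a dump of a file share or database
# export; none of these belong to a real person.
SAMPLE_ROWS = [
    "Jane Doe, 123-45-6789, account rep",              # name + SSN-shaped number
    "John Smith paid with 4111 1111 1111 1111",        # name + Luhn-valid card number
    "Invoice 2009-05-27 SSN on file: 587-65-4321",     # identifier but no name
    "Order 4111111111111112 shipped",                  # 16 digits but fails Luhn
    "Mary Jones, MA license S12345678",                # name + license-shaped number
]

# SSN: 3-2-4 digits; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits with optional space/dash separators; Luhn decides.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed Massachusetts license format (letter S plus eight digits); adjust per state.
LICENSE_RE = re.compile(r"\bS\d{8}\b")
# Crude "first and last name" heuristic: two adjacent capitalised words.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidate digit runs that also pass Luhn; separators are stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_row(row: str) -> dict:
    """Report which identifiers a row carries and whether it meets the
    name-plus-identifier definition of personal information."""
    finding = {
        "name": bool(NAME_RE.search(row)),
        "ssn": SSN_RE.findall(row),
        "card": find_card_numbers(row),
        "license": LICENSE_RE.findall(row),
    }
    has_identifier = any((finding["ssn"], finding["card"], finding["license"]))
    finding["is_pi"] = finding["name"] and has_identifier
    return finding


def scan(rows) -> list:
    """Return (row index, finding) pairs for rows that hold any identifier,
    PI or not, so a reviewer sees near misses as well as true hits."""
    results = []
    for i, row in enumerate(rows):
        f = classify_row(row)
        if f["ssn"] or f["card"] or f["license"]:
            results.append((i, f))
    return results


def pi_rows(rows) -> list:
    """Indexes of rows that meet the PI definition (name plus identifier)."""
    return [i for i, f in scan(rows) if f["is_pi"]]


if __name__ == "__main__":
    for i, f in scan(SAMPLE_ROWS):
        print(i, "PI" if f["is_pi"] else "identifier only", f)
```

<p>Run against the sample rows, the scanner reports rows 0, 1 and 4 as PI and row 2 as an identifier with no name attached; row 3 never surfaces because its digit run fails the Luhn check. Point <code>scan()</code> at the lines of a file share export or a database dump and the near misses tell you where numbers are floating around without the name that would make them PI, which is exactly the inventory the Discovery step is after.</p>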
<p>Hopefully these recommendations will smooth your path towards compliance and reduce risk.  Whatever you do, don&#8217;t just ignore Massachusetts Privacy Law 201 CMR 17.00; your business does not need the additional headaches.  So what are you waiting for?</p>
<p><em>David Goldstein, managing partner, and Sean Megley, a consultant at Knowledge Management Associates created this entry. </em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
