Cloudy Security
The security questions are clear. Enterprise data in a cloud computing environment rests in cyberspace—in the World Wide Web—not in a secure server somewhere on Earth, under possibly (or delusionally) complete control of the business enterprise that uses it. In the conventional server model, data are accessible only to the owners of the hardware and others to whom they choose to provide access. That’s it, except of course, to the clever hackers who can defeat the enterprises’ firewalls, malware detectors, anti-virus software, and other, not always effective security software suites.
The recent dustup between China and Google demonstrates the problems with the effectiveness of company enterprise security systems. If China can hack multiple proprietary systems, including Google, is any data safe?
In the cloud, data are out there circulating in cyberspace (on unknown and unknowable servers). Presumably, those erstwhile enterprise hackers are circling the data cloud like cyber wolves concentrating a herd of fat data caribou, looking to attack the weak points for a tasty meal. Yum-oh, to quote a favorite food network host.
How can a firm ensure that the only folks who can read and manipulate the floating data are those with approved access? Is this an insurmountable obstacle? When the data floats in the cloud, who knows who owns it and can access it? That’s the cloud security conundrum.
Is security a cloud show-stopper? Probably not, since the U.S. government and its military agencies are early adopters of cloud computing strategies and have begun to address the security issues in a big way. Among others, IBM is directly addressing the security issue, calling it “The Grand Challenge.” The industry has developed an approach—a “hybrid environment”—that uses the cloud, but with security tools such as identity controls and encryption. “A hybrid cloud environment allows users whether they be employees in your organization, whether they’re warfighters, to have some confidence in the physical security controls and processes,” said Chris Kemp, the chief information officer at NASA’s Ames Research Center, in a recent report.
A year-old information industry group, the Cloud Security Alliance, last December issued its second guidance policy report on cloud cybersecurity, “Guidance for Critical Areas of Focus in Cloud Computing.” The white paper outlines crucial areas of security concerns and advises both customers and providers on 13 key issues of security. These range from areas such as disaster recovery to managing identities to network governance.
At the same time, Sun Microsystems, a leader in open-source software, rolled out several cloud computing security tools. Sun also published a new white paper, “Building Customer Trust in Cloud Computing with Transparent Security.” The paper provides an overview of cloud computing security and the ways in which intelligent disclosure of security design, practices and procedures can improve customer confidence while protecting critical security features and data.
“Sun’s technologies, best practices and work with leading industry organizations like the Cloud Security Alliance help provide our customers and partners with a framework for securing data in cloud environments,” said Lew Tucker, Sun’s chief technology officer for cloud computing.
Up in the Air About Clouds?
Is the cloud here to stay? Bob Evans, Information Week columnist, recently opined, “Cloud computing takes the top spot for focus and achievement in 2010 because in spite of all the questions and concerns still floating around it, the cloud offers CIOs [chief information officers] huge potential. … I’ve seen a dramatic surge in not only CIO interest in the cloud’s capabilities and potential deployments, but also in IT-vendor emphasis on providing cloud-based solutions that are real, tangible, practical, and trustworthy. This is the big leap that successful CIOs must make in the coming year because no other architectural or platform approach will yield as much gain in lowering the cost of internal IT operations and liberating precious IT budget dollars to be deployed toward customer-centric growth opportunities. If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you’ll no longer be a CIO.”
—Kennedy Maize is executive editor of MANAGING POWER magazine.