Cloud Security: Risks vs. Reality
Used with permission by IBM ForwardView

The mobility of smart phones, netbooks, tablet PCs and other portable devices has fundamentally changed the when, where and how of our computing lives. And with cloud services, the source for data and applications used by these devices can be anywhere, too. The flexibility of cloud to scale bandwidth up or down at will, and its affordability as a pay-as-you-go service, have resulted in an interconnected, intelligent approach to smarter computing.

The benefits of cloud computing are well-recognized. In fact, cloud computing ranks among the most popular new IT initiatives, with 66 percent of midsize companies implementing cloud strategies, according to IBM’s study, “Inside the Midmarket: A 2011 Perspective.” Yet the excitement about leveraging cloud’s economies of scale to lower total IT costs and improve agility is often tempered by concern that this external delivery of services could compromise security.

Perceived risk versus actual risk

Cloud may seem new, but the fact is companies have been outsourcing services and technology for years. Providers already deliver hosted technology offerings that are located offsite with client access via the Internet. This is a common scenario for services such as remote storage or hosted email and other software as a service (SaaS) solutions. And just because companies may give up some control to the provider when they move to a cloud-based environment (just as they give up some control in any outsourced arrangement), it doesn’t mean they have to compromise on security.

Companies still weighing the advantages of cloud with the perceived security risk should begin by asking the right questions and examining the right considerations to help build a “trust and verify” relationship with the cloud provider that will support success.

Although there are additional variations, let’s consider the three main types of cloud service and deployment models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).

Each version has its own level of control for the provider and the company purchasing services, but all cloud services can help companies increase agility and boost efficiency by removing the burden of managing all of their own IT. This frees up organizations to do more with less and stay focused on their core competencies.

  • Software as a service (SaaS) puts most of the responsibility for security management with the cloud provider and is commonly used for services such as customer relationship management and accounting. This popular option is considered low-risk because it primarily deals only with software and not hardware or storage. With SaaS, companies are able to control who has access to these cloud services and how the applications are configured. The complexity of software installation, maintenance, upgrades and patches, meanwhile, is automated and handled by the provider.
  • Platform as a service (PaaS) is similar to SaaS but often includes further application-specific software to help businesses create customized services. For example, a company using PaaS could develop its own custom cloud software to perform some specialized task, whereas SaaS offerings generally are provided as-is. Most PaaS offerings are multi-tenant, meaning that some of the services may be shared with other companies. This means it is critical for companies that use PaaS to have a well-defined trust relationship with the provider on security issues such as access, source code distribution, navigation history, and application usage.
  • With infrastructure as a service (IaaS), companies get a unified, scalable cloud package that offers tighter control over many aspects of a traditional IT infrastructure than SaaS or PaaS does. Companies using IaaS pay on a per-use basis to access services and applications, and can also tap the operating system that supports virtual images, networking and storage environments for additional control. Often, IaaS is offered as a private cloud, giving companies complete internal control over access and security.

Questions to ask to ensure cloud security

Regardless of which flavor of cloud a company chooses, it’s important to remember that the same factors apply to ensuring security whether it is cloud-based or within a traditional IT infrastructure. The key difference in the cloud model is that it includes external elements, and those elements will be managed by the cloud service provider. This means companies need to understand the environment beyond their own data center and consider how it impacts the organization from a security standpoint.

To help ensure security and peace of mind, and to craft the most effective working relationship with the cloud provider, the client company should always identify and prioritize cloud-specific security risks beforehand. Often, companies will find they have the same amount of control, if not more, with a cloud service.

For identity and access management issues, companies need to control passwords, support privileged users and enable role-based access to these cloud services. With data protection, a key concern is knowing whether or not a company’s hosted data is secure, especially if data from rival companies is also being stored on the provider’s cloud service. Companies should also be asking how the cloud provider is deploying antivirus software on all supported systems that could be exposed to virus or spyware attacks, and ensuring that selected programs can identify and protect against malicious software or processes.

From an auditing and monitoring perspective, companies need to determine how the cloud provider is testing and assuring the infrastructure. The legal, regulatory and privacy requirements include making sure the company and the provider understand the rules of engagement by determining who is responsible for governance and meeting any regulatory restraints.

Reaping the benefits of cloud

On a smarter planet, where the when, where and how of living and working is more instrumented, data-driven and interconnected than ever before, cloud computing can be a powerful way for companies to be more agile, effective and efficient.

Organizations interested in reaping the benefits of cloud can best begin by understanding the security ramifications of a cloud deployment to their business, keeping in mind they can start small by deploying cloud in low-risk workload areas like email services. This easing-in process gives organizations valuable time to become familiar with cloud on a scale that’s simpler to grasp and doesn’t put them at increased security risk. And as familiarity with cloud and trust in the provider grow over time, companies can expand their use of cloud computing into other areas of business. By following this gradual path, companies can learn to wield the power of cloud in a way that’s safe and secure.