Security Challenges in the Cloud

While security is usually the #1 concern for any new IT solution, the additional "externalized" aspects of the cloud exacerbate this concern. Gartner elaborates: "...cloud-computing environments have IT risks in common with any externally provided service. There are also some unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing." (Gartner, Assessing the Security Risks of Cloud Computing, Jay Heiser, Mark Nicolett, 3 June 2008). In fact, it is often because of the risks associated with the externalized aspects of cloud computing that many enterprises are looking at mixed models such as hybrid clouds.

Cloud computing changes some of the basic expectations and relationships that influence how we assess security and perceive risk. In the cloud, it’s difficult to physically locate where data is stored. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user.

While the intent of security remains the same - to ensure the confidentiality, integrity, and availability of information - cloud computing shifts control over data and operations. This forces us to think about security in terms of the cloud provider, the custodian of our information, and how they ultimately implement, deploy, and manage security on our behalf.

The most significant difference between cloud security and traditional infrastructure security stems from the sharing of infrastructure on a massive scale. Users spanning different corporations and trust levels often interact with the same set of compute resources.
Layer the dynamic and transient aspects on top of that, along with the desire to continually load balance and optimize for performance, energy, availability, and other SLA-level goals that customers pay attention to, and the problem becomes further complicated, creating more opportunities for misconfiguration and malicious conduct. This calls for highly automated end-to-end security with a heavier emphasis on strong isolation, integrity and resiliency.

At a high level, IBM categorizes cloud security concerns as follows: data exposure and compromise; reliability of service; reduced ability to demonstrate compliance with regulations, standards and SLAs; and the ability to manage the security environment.

Data Exposure and Compromise: Many organizations are uncomfortable with the idea that their information is located on systems that they do not control. Data location is hard to pinpoint in the cloud, but can be contractually specified in certain situations. For reasons of cost and efficiency, it is common practice for organizations to share data resources across borders. Organizations are legally, ethically, and morally bound to protect sensitive data and keep personal information private no matter where it is resident in the chain of custody. The challenge arises when industry regulations and best practices apply to the primary organization, but not to its vendors or business partners. Affected organizations must be assured that the security over the data in a third-party environment is maintained at a level equivalent to that which is in place in-house. Very often, this can only be accomplished through contract management.

Customers are mostly concerned about data security and the reliability of cloud computing in practice. Gartner elaborates: "Review the regulatory requirements and risk associated with your applications and content.
Hosted providers cannot ensure absolute security, so enterprises should consider carefully before using them for information that must remain confidential, such as intellectual property or data that is material to the enterprise's financial health. Likewise, content needed for compliance may be difficult to find if content in the cloud deployment proliferates." (Gartner, Get Ready for Content in the Cloud, Toby Bell, 12 December 2008)

Migrating workloads to a shared network and compute infrastructure increases the potential for accidental disclosures to outsiders or other tenants as well as unauthorized exposure to the growing list of privileged users that any outsourcing arrangement creates. Authentication and access technologies become increasingly important. Data segregation also becomes key in a cloud environment, where data can be stored in a shared fashion. Encryption of data at rest and over the wire, both internal and external to the network, is a critical component.

Reliability of Service: As Gartner points out, "reliability is one of the core advantages inherent in the cloud-computing model. By its very nature, it is highly scalable, capable of meeting wide variations in processing requirements and insulating users from site problems." (Gartner, Assessing the Security Risks of Cloud Computing, Jay Heiser, Mark Nicolett, 3 June 2008). However, high availability can still be a concern as many cloud-based offerings do not offer Service Level Agreements. IT departments will worry about a loss of service for mission critical applications should outages occur without strong availability guarantees. And disaster recovery is a significant question that must be answered by the cloud provider. As Gartner points out, "Any (cloud) offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
Even if an offerer refuses to tell you exactly where it will store your data, it should be able to tell you what would happen to your data and service if one of its sites succumbs to a disaster." (Gartner, Assessing the Security Risks of Cloud Computing, Jay Heiser, Mark Nicolett, 3 June 2008)

Reduced Ability to Demonstrate Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential. Since public clouds are mostly by definition a "black box" to the subscriber, it is hard for potential subscribers to prove that these legal requirements are fulfilled. A private or hybrid cloud, on the other hand, can be configured to meet those requirements.

In some cases one has to consider geographical requirements – specific data might not be allowed to leave specific geographies. For example, EU privacy laws limit cross-border data flows. When multi-nationals deal with numerous geographies, they face multiple data privacy requirements, but might lack standards or guidelines. For example, in the US, data security is the predominant focus -- securing the environment through a series of uniform policies and controls. In Europe the focus on data privacy tends to specify outcomes, leaving the organization free to implement their choice of suitable controls in order to meet specified objectives. In order to best deal with both ends of the spectrum, many multi-nationals will err on the side of caution, and take the strictest regime to which they are subject, and apply that to all industries and geos involved in the chain of custody. While this approach is optimal from a legal perspective, it can be overkill in terms of cost and efficiency. In these cases, following global standards, such as the ISO 27000 series or CobiT, is a practical way to manage data protection.
Using standards provides structure in areas where there are no regulations to speak of, but can be adapted for the interpretation of requirements in heavily regulated industries or geographies, in order to meet multiple requirements through a single deployment of controls at the enterprise level.

Ability to Manage the Security Environment: Providers must supply easy, visual controls to manage and monitor firewall and security settings for applications and runtime environments in the cloud. It’s clear that cloud computing users must establish a service-level agreement (SLA) with their providers. Indeed, Gartner’s strategic planning assumption is that, by 2013, "cloud quality and service-level guarantees will be decision criteria for 90% of cloud service use in IT organizations." (Gartner, How to Identify Cloud Computing, Daryl C. Plummer, 24 June 2008)

Source: IBM
Dynamic Infrastructure is published by IBM. Editorial supplied by IBM is independent of Gartner analysis. All Gartner research is © 2009 by Gartner, Inc. and/or its Affiliates. All rights reserved. All Gartner materials are used with Gartner's permission and in no way does the use or publication of Gartner research indicate Gartner's endorsement of IBM's products and/or strategies. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.