FEATURE: Making the cloud safe

Thu Jul 22 2010, 09:02 AM

Despite the promise of cloud computing, many big firms say it is too risky. The industry has an uphill struggle to convince users the cloud is safe.

Computing is becoming a utility service, akin to something like electricity. Users will plug into a provider's network to get all their IT services, just as today they plug into the socket to power their devices. Companies won't need their own IT managers, servers and firewalls. They will be able to subscribe to metered cloud computing packages and only pay for the services they use.

Google is leading the charge in cloud computing with its Google Apps suite and already has several high-profile clients such as Rentokil and Los Angeles council. Amazon is also a significant cloud player and recently made a gesture of faith by migrating its own IT department to its Amazon Web Services product, a move described by IT director Jen Boden as "drinking our own champagne". Microsoft is becoming involved too and is planning to offer its Azure cloud-based software via data centres owned by Fujitsu, Dell and HP.

However, IT chiefs and industry watchers agree there is one thing holding back the wider roll-out of cloud computing services: security. Companies are concerned that vital company operations could be compromised if cloud services fail or go offline. They also worry about the safety of their crowd-stored data.

The risks

Companies are right to be wary of the cloud; many firms providing cloud services have failed. Bookmark storage service Ma.gnolia went offline after its databases crashed in January 2009, losing all bookmarks. Online storage service MediaMax (also called The Linkup) went out of business after a system error deleted active customer data. T-Mobile Sidekick users recently got a scare after Microsoft subsidiary Danger lost user data due to a server failure. Microsoft later claimed it had recovered "most, if not all" the information.

As well as technical failures, companies worry about ‘data leakage'. If their data is hosted on the same servers as data belonging to a competitor, what's to stop the two mingling? Cloud storage sites are also tempting targets for hackers. Storing a company's entire data in one place is akin to putting all one's eggs in one basket, and leaves clients vulnerable in the case of an attack.

Because of the various risks, many companies opt for a private cloud. This means their provider gives them their own database with its own levels of security, which is hosted and backed-up in known locations. Private clouds are a safer option, which is why they are favoured by clients such as financial institutions. According to a poll by Gartner analyst Tom Bittman, 75% of data centre managers will spend more on private clouds than public cloud computing until at least 2012.

However, private clouds are not completely safe. Customers still need to know their provider has a strategy for dealing with technical failures and data loss. They need to know there are controls are in place - including screening for staff - to ensure their data is protected. They also need to know that sign-in methods are secure: passwords and reset mechanisms are a particularly weak link.

Private clouds are also more expensive than buying services from a cloud computing provider. Because clients have their own databases, providers cannot realise all the economies of scale that can make cloud computing cost effective. Private clouds may not be suitable for small companies and startups, although for many big firms handling sensitive data they are likely to remain the norm in the short-term future.

Faced with the risks involved in cloud computing, many are calling for industry-wide action to establish good practices. These standards could be important for reassuring IT managers at client firms and for encouraging a much faster rate of adoption in the industry. However, there are obstacles to overcome.

Cloud computing standards

"Cloud providers don't want to implement security best practices if a) they aren't going to see that as cost effective and b) if they aren't going to be common across the industry," explains Jim Reavis of the Cloud Security Alliance. His comments neatly frame the problem he is working with. No one cloud provider wants to go it alone because they don't want to do a "one-off implementation they're going to have to change in future".

"Everyone believes you don't get 100% security ... you're going to have glitches," states Reavis. However, standards are important as they could allow clients to move their operations to the cloud in full compliance with auditors and regulators. This offers crucial protection in the event of a disaster or legal dispute.

There are already rules governing how companies can use certain data. In the US, the industry-created PCI Security Standards Council sets standards for payment security, while European Union directives govern how certain private data is handled in Europe. The Cloud Security Alliance is currently seeking to create "intellectual property tools" that will allow companies to make a defensible case that moving to the cloud can meet with regulatory approval.

Though he admits that the move to utility computing is something that will take 20 years, Reavis is confident the industry is making progress. "In the course of the next year you're going to see a lot of successful compliance stories that have been enabled by our work and others," he claims.

Governments also have a role to play, explains Craig Balding of cloudsecurity.org. This includes developing guidance to inform auditors and clients, such as the cloud computing risk assessment from ENISA. It also involves creating testbeds for R&D and educating citizens about online security. Consumers need to understand the risks involved and make educated choices when it comes to cloud computing, and this will in turn prompt the industry to create better standards.

Though Balding is optimistic about the prospects of cloud computing, he warns that the fast pace of change makes regulating the industry difficult. Creating common standards "presupposes a certain level of industry wide maturity that probably doesn't exist today," he says. "The situation is understandably very fluid as the pace of technical innovation changes what is possible."

Growth and uncertainty

For individual users, the trend towards cloud computing seems unstoppable. Thanks to the rise of blogging and social networking, most internet users feel comfortable sharing some or most of their personal data online. Users increasingly employ online computing services such as Gmail or Google Docs and are likely to do so more in future. Google is confident this trend will continue and is building an operating system, Chrome OS, specifically to run on lightweight portable devices that connect to online networks for all their computing needs.

For enterprise customers, the future is less certain. There is definitely a trend towards cloud computing, as Google's big deals with Rentokil and others prove. However, many more potential customers still feel it is too soon to make the leap. Unlike individual consumers, big corporations must carry out detailed risk assessments before making the change and it is a telling indication of the lack of industry standards that so few are choosing to embrace the cloud.

Private clouds are likely to be more common for big clients in the short term, though some firms may treat private clouds as a stepping stone to full public cloud services. In any case, standards could dramatically accelerate adoption. The only problem is that the push for standards is a collective action problem and may need government intervention to kick start it. This will depend on the whim of regulators and the ability of lawmakers and industry groups to achieve cross-border agreements.

However, the business case for cloud computing is no longer in doubt. It can save resources that would otherwise be spent on IT staff and in-house servers, increase worker mobility and slash set-up costs for new offices. The "last check in the check box", as Reavis puts it, is security, but he is confident about winning regulators and clients over. Once they accept his arguments "you're going to see very aggressive cloud adoption that is going to make the current options look like a trickle."