
Security: A chink in cloud's armor?

CIOL Bureau


If you thought ‘security’ was just one concern in a CIO’s checklist funnel before he nods ‘Aye’ to a cloud infrastructure, well, there’s more to it. ‘Security’ is billowing up seriously enough to now stand as a deterrent to cloud adoption.

And there’s so much that falls in the graveyard of question-marks.

Some common questions

  • What is the exact status of encryption and other security standards today?
  • Does multi-tenancy make it more attractive and profitable for a hacker to target cloud infrastructures with an attack?
  • How strong are areas like access and authentication barriers or security breach options and SLAs to make sure CIOs rest assured about security issues?
  • What angle does security take from the dimension of control and compliance?
  • How do you know you can trust strangers to control your data and applications on the cloud and how can you give access to sensitive information?

Not surprisingly, research firm Gartner has outlined many factors as top security concerns in cloud computing. Among them are user access, regulatory compliance, data location specifics, level-based encryption, breach-related recovery measures, investigative support and long-term viability of the agreement between the provider and the user.

So, how valid are these doubts?

Some answers


“Security becomes a problem because of the factor of multi-tenancy that is quintessential in a cloud. Customers are co-located and isolated on the same piece of infrastructure in these environments. Concerns on security are fair but in terms of technology over the last decade or so, a lot has changed. And all these changes on the technology side will help address many customer concerns,” Sen opines.


Security is definitely an interesting challenge in the context of clouds, admits Niranjan Maka, Senior Director of RSA Engineering and head of RSA's security research efforts.

Virtualization has built in some fantastic ways of isolation, but the fact that it’s not a physical machine poses some interesting challenges, he says.

But not everyone agrees, not completely.

Ask Amit Nath, Country Manager, India & SAARC, Trend Micro, and he outlines misconceptions around clouds from a security point of view.

“At times, IT managers are paranoid on this aspect. Just not moving stuff on cloud is not an answer. How would you control data going out via USBs, CDs or employees? If you are resisting a new technology just on account of security, check again? Companies working in this space have a business model at stake here, and so, there’s no real risk on security, as I see it,” he says.

Only perceived or paranoid doubts, because companies that are building huge-scale infrastructures around clouds, with years of expertise behind them, would surely be up to date on the threats that this technology might entail, he adds.

Hacker’s Buffet?


Putting all eggs in one basket is a big balk-factor nevertheless.

Doesn't this technology make the system more vulnerable to hackers, as all they have to do is render one cloud vulnerable and, lo, they have the golden goose?

Well, nothing is a hundred per cent foolproof, admits Nath from Trend Micro. No matter how hard one tries, there is no doubt big money involved here.

Yet, vendors seem to be confident enough. As Nath adds, “I don’t know how much of that concern can practically materialize, but we are definitely ahead of the game. We are 24/7 hooked on to keep tabs on what these malware people are up to.”

And even though attractive, it would be a hacker’s nightmare, if NetApp’s Sen’s confidence is anything to go by.

“Here you don’t have access to the network. If there are 50 different virtual networks in a cloud set-up, a hacker has to crack in 50 different doors, and each of a different domain.”


And even if he succeeds in getting a foot inside the network security fence, he stands staring at encrypted data, and that level of encryption falls in the league of what defence users apply. So in short, clouds are not really sitting ducks, as many would believe.

In the view of RSA’s Maka, that’s all the more reason that security is not just a question of authentication. “Single entry-crack-in is a threat that still applies in case of banks. So vulnerability varies on a case to case basis. There are many aspects to be ensured here. Information security in terms of data leakage protection, and visibility issues have to be taken care of.”

Encryption issues


Being robust on encryption does make a lot of difference to a cloud’s security, as Sen has already underscored.

There are standard data encryption methods which take care of encryption at various levels, for data at rest, and for data in storage. The 256-bit encryption level is good enough and only a limited set of people can decrypt data inside this.

But then there are other loopholes not that talked about, Sen illustrates.

“What happens to security issues when there is an offsite tape movement due to disaster recovery requirements? How easy is it to bribe a courier-fellow?” he asks.

Security concerns on encryption etc. were prevalent for clouds ten years back, Sen points out.

“Today technology has advanced enough to be past that barrier. Key management technology is another option to take care of security across the lifecycle of data.”

“Physical loss of data doesn’t necessarily mean leakage of information, thanks to the level of sophistication and robustness of encryption that one can opt for today,” Sen says in an upbeat tone.

As Maka from RSA Security sees it, encryption is also about data at rest. And products have to be chosen according to the fact that encryption operates at different places.

When you are looking at a table of information, you cannot encrypt everything, he explains. “It’s expensive and so one should be able to take a call on what one’s users are trying to do. It’s a choice between having a fence built all around your house or opting to keep all the valuables in a locker.”

The question, as he highlights well, is what exactly one is trying to protect.

And depending on what is critical or sensitive enough, it would be decided.

“Classify data well. Whether it’s a standard block, a column or a database, has to be noted well. All this comes under the gamut of information protection,” Maka advises.

 

Standards & SLAs

Have standards and Service Level Agreements (SLAs) evolved enough to answer security questions on clouds?

Standardization is an issue, more so as each provider of cloud computing services has its own formats and standards. This makes it tough to hop from one cloud to another, if you are dissatisfied or compromised.

Not enough, says Amit Nath, Country Manager, India & SAARC, Trend Micro, candidly. “A lot of work remains that needs to be done here. From a security point of view, work on standards is on. As to SLAs, uptime-based accountability, or spam-based arrangements can be workable options. Different companies would have different SLAs.”

RSA's Maka agrees that legally binding a vendor is always a possibility. But at the end of the day, a few trusted vendors with a standard language that everyone speaks would be better, be it on storage, ASP, services or application vendors. “A lot of standards are evolving now.”

Security rules

There was a time when security was built-in and not an add-on, be it any yesteryear technology or mainframes etc.

“With cloud security, which is still in early stages, but delivers flexibility and elasticity and with people experimenting with private clouds etc, the landscape of security will only expand further,” feels Maka from RSA.

No doubt, the worldwide security software market revenue totalled $13.5 billion in 2008, an increase of 18.6 per cent from 2007 revenue of $11.3 billion, according to Gartner, Inc. “A double-digit growth in a challenging economic climate shows that security remains a key priority for CIOs and IT security leaders,” Ruggero Contu, principal research analyst at Gartner, has said.

Cloud computing is evolving as a viable alternative and this encompasses both business and technology rationale.

It might take four to five years to take off but with companies trying to use IAAS, AAAS, SAAS, there is a lot of action lying ahead on cloud adoption, in the view of Nath.

Globally, data security and privacy, along with the need to protect IT infrastructure from increasingly sophisticated and targeted attacks, are among the key drivers fuelling the growth of IT security software spending. So security is clearly still a front-burner candidate. And even if it’s a chink, security for clouds may turn into a kink, if the right patches are not served.

More on solutions, in the next article.

 

You are right, answers Surajit Sen, Director – Channels, Marketing & Alliances, NetApp India. Security concerns exist around clouds and they need to be tackled properly.