In-Depth

A Secure Leap into the Cloud

Companies looking to reduce costs through cloud computing will have to make some tough decisions about security.

• By Naomi Grossman
• 05/01/2009

Cloud computing is essentially using the Internet for a host of functions-from enterprise applications to storage-and the cloud construction can be implemented either internally, externally or through a combination of both methods. There is perhaps no greater indication of the staying power of cloud computing than Microsoft's Azure, the company's cloud development platform and operating system that services developers can use to build apps for the cloud. Azure goes head-to-head with Amazon's EC2 -- the product to beat -- and Google's AppEngine.

There are lots of other flavors in the cloud offerings among the major players: Salesforce.com Inc. has made its name with its Software as a Service (SaaS) offerings; IBM Corp. came out with LotusLive, on online version of its Lotus programs; and VMware Inc., the virtualization king, is investing heavily in cloud computing. And let's not forget Microsoft's other forays into cloud computing with its Internet versions of Exchange, Windows Live and Office Online.

The argument for the cloud in its various permutations is becoming more and more compelling as companies look for ways to reduce costs and get easy access to expertise. But there's no getting around the fact that a leap into the cloud changes a company's relationship to its information, both across and outside of the enterprise.

The question, then, is obvious: Is it possible to manage those risks and still gain value from the ever-expanding set of cloud-computing features?

The answer from the experts is a qualified yes.

Sizing up Security
"Enterprises need to understand exactly how much security they need, how much security the cloud can provide and how much security they can add," says James Staten, a principal analyst at Forrester Research Inc.

For instance, a company in the financial services industry needs to protect customer data and be in compliance with federal regulations, but cloud-computing services won't ensure compliance; rather, the company will need to add security applications on its own. Staten notes that such a user might enhance Amazon's EC2 with encryption agents and monitors. The company would also think about enhanced protection from unauthorized access.

"A public Web site that's made available to customers with a log-in usually has an encryption model and a security engine," Staten adds. "If you don't have these layers of security when you go into the cloud, you'll need to replace them or have a degraded security model, such as offering less access." In the financial services industry, this might mean allowing customers to see their balances but not allowing them to do trades.

"People will ask: 'Can you be, for example, HIPAA compliant with the cloud?' If you do nothing, then no. Clouds don't provide a compliant environment," Staten says. "You need to deliver services and applications in a secure environment."

The Azure platform provides circumstances in which enterprises will have to consider this. "We use a variety of security technologies and procedures to help protect personal information hosted on the Azure Services Platform from unauthorized access, use or disclosure," says John Chirapurath, director of marketing, identity and security for Microsoft. But, Chirapurath adds, "Microsoft provides a computing infrastructure on which developers can build applications. It's the responsibility of the developer to ensure that their applications, content and services comply with applicable laws."

Staten notes, though, that enhancing the security of a cloud service typically does not significantly increase costs.

Darren Platt is CTO and vice president of engineering at Symplified Inc., which provides enterprises with Web-access management. Platt contends that the cost savings of cloud computing are so significant -- he notes that SaaS savings for a company can translate to costs that are as much as 10 times lower -- that there's a lot of financial room for additional overhead requirements. Not surprisingly, he also insists that such additional requirements are necessary.

"For a security officer in any enterprise, it's difficult," Platt says. "But now that applications are Web-facing and employees can access them at home, the vulnerability is even greater."

Fortifying Defenses
Dan Chu, VP of emerging products and markets at VMware, notes that the classic scenario of booting a disgruntled employee off a company's systems now extends across the organization. Similarly, an audit trail needs to be able to trace a path throughout internal and external applications, and a policy administrator should have a consistent set of security policies on all applications being used.

Platt acknowledges that the larger services providers like Salesforce.com are starting to provide stronger authentication, but he maintains that enterprises need the efficiency of authentication at one location.

IBM's LotusLive, which is currently in beta, has a set of security policy offerings that are understood by the user and make sense in the business workflow, says Douglas Wilson, director of development and architecture for Lotus' cloud services group. "We tried to match security policies with operations," Wilson says. For instance, companies can choose not to share files, or to only share files within the company, or to share with selected individuals outside the company. Auditing records are preserved to keep track of accessed data. "In virtually every business collaboration, there is trust that businesses behave according to policy, and then there are control points to see if they're adhering to the policies," says Wilson.

Sharing Space
Chenxi Wang, a principal security analyst at Forrester, agrees that adding security applications is an option for enterprises that want to safely jump into the cloud. But she adds that it's important for companies to check out a vendor carefully and understand how it manages its architecture. "A multi-tenant architecture of one server with multiple companies using it is like timeshare resources," Wang says. "Your company's data lives on the same infrastructure as other companies' data."

A company can usually pay a higher fee to request a segregated infrastructure. It's less cost-effective, notes Wang, but the company is still getting an expert to manage the infrastructure, and there are staff cost savings that are realized. "In some scenarios, it's worth it to have a dedicated infrastructure sitting in the cloud," Wang says. "But when the applications aren't worth much, you might as well use the multi-tenant architecture."

Wang adds that a vendor can have a secure multi-tenant architecture if the vendor does it right and knows how to secure data. "Look at what a vendor offers as a security guarantee and decide if it's good enough for you," she says. But for companies uncomfortable with outsourcing their data, a dedicated infrastructure or a decision not to outsource confidential data might make sense.

A generous service-level agreement (SLA) in terms of security is another way for companies to protect themselves. According to Wang, not every company gets into the details of the SLA, but things like looking for guarantees against virus outbreaks, 95 percent availability and the level of communication between a company's infrastructure and the vendor's are fine points worth considering. Furthermore, additional applications on top of SSL encryption indicate a higher level of security.

Location, Location
While cloud computing involves outsourcing of data, one of its trickiest aspects in terms of security is often the inability to conduct a physical site inspection of where your company's data will be stored. As John Pescatore, vice president of Internet security for Gartner Inc., points out, the financial appeal of cloud computing generally means its data centers will be in the cheapest places: "Inevitably," he says, "out of the country."

Pescatore says Google Inc. ran into problems with this issue because some companies want their data stored in the United States, but Google stores its data in centers placed all over the world. (Currently, Russia and China are the most inexpensive places in which to operate data centers). The federal government, for instance, can't use cloud-computing services if privacy-related data is stored overseas.

According to Pescatore, a client who was able to perform a site survey on a data center in India found that the servers were stored in an open office with no physical security around them. The office also happened to be the one space in the building that was air-conditioned, which meant that numerous people were constantly in and out of the area. Similarly, last year, undersea communications cables in the Middle East were damaged, compromising Internet access for companies in the region.

Google is now building capabilities to allow its cloud-based computing data to be stored in specified locations. "Companies may need to dictate where their data is stored," says Pescatore. But, he adds, "this will increase costs of cloud computing. Storing data in a more secure location is more expensive."

But Pescatore notes that it will still work out to be more cost-effective even with these requirements-requirements that he believes most businesses will ultimately demand.

A growing interest in private cloud technologies is also being spurred by these concerns, with Amazon.com Inc. and Google leading the way. "I can build my own cloud for my own use," says Pescatore.

According to VMware's Chu, a large number of the company's customers are now deploying internal clouds. "We're seeing more and more of an internal cloud approach," he says. Many VMware customers consider an external cloud solution but worry about compliance and management, which leads them to develop an internal cloud, adds Chu.

Public cloud services rely on the Internet to connect to the data center, a feature that's also not always reliable. Pescatore notes that Salesforce.com had a denial-of-service attack recently, which limited access to information. "For certain enterprises, like airline services, it's not just about protecting data but also about reliability," he adds.

Both security and reliability come into play with vendors that use another cloud behind their service. "[The vendor] might outsource to a third party, and a company needs to look at what their security policy is," Forrester's Wang says.

Pescatore agrees. "Processing elements and storage elements can be anywhere in the world," he says. "It's more complex, so it's more vulnerable."

A Complicated Problem
The complexity promises to increase as companies look to the cloud for more and more of their computing needs. Chirapurath says that Microsoft's response to this need is Azure's platform and its security features: "Specifically, as organizations transition to a true S+S [Software plus Services, Microsoft's version of SaaS] environment, having a single open identity model that seamlessly connects on-premises and cloud is critical to minimize the business disruptions for customers, and enables user choice in the use of their identities," he explains. "Microsoft's identity model is based on a shared industry vision and architecture that's built on standards for open interoperability. The model is comprised of a collection of modular components that customers can use together to enable user access to applications for enterprise, federation and Web scenarios -- both on-premises and cloud and using identities from a number of sources. The key tenets of this strategy are open interoperability based on industry standards, choice of components including both Microsoft and third-party offerings, and ease of use and adoption for developers and their customers," Chirapurath adds.

Chu says that for VMware, the future of cloud computing lies with companies that have both internal and external clouds and want connectivity between the two. VMware, he notes, is in the process of developing integration to manage both internal and external clouds.

"We see in the future companies will have hybrid environments for their most critical, core applications, and they'll leverage external clouds for testing specific projects," Chu notes. "They'll need connectivity and interoperability."

They will, but as IBM's Wilson notes, the security business is a cocktail of different technologies, and companies will have to decide how cloud computing will suit their specific needs. "There's risk inherent everywhere," adds Wilson. "But there's always a risk-benefit tradeoff."