Is the cloud secure? Is it a security risk? The answer to both questions appears to be “yes,” “no,” and even “maybe,” depending upon who you ask.
These questions are top-of-mind for many businesses. In fact, a recent Autotask survey of 1,300 IT service providers across North America, Europe and around the world found expansion of cloud services is the biggest factor driving demand for IT services.
But the same survey also found tighter security remains top of mind. According to the survey, 54% of IT companies said security was the top concern among their clients, followed by support for the cloud at 52%, mobile-device management at 46% and data management at 45%.
And concerns about security may be ramped up in the wake of the Heartbleed security hole in OpenSSL discovered last week. “Implementing OpenSSL on a web server should have provided encrypted communications over the Internet, but instead, could be abused to leak user passwords, private keys and session tokens,” according to a recent ZDNet article. The flaw impacted components of on-premise systems, private clouds and public cloud providers, the article stated.
Fortunately, while lessons will be learned from the Heartbleed vulnerability, such bugs are not common.
Strong opinions remain on both sides of the cloud-security question. Commonwealth Bank of Australia CIO Michael Harte said security, regulatory and financial concerns were “excuses” for avoiding the cloud that businesses need to get over, according to a 2012 ZDNet article. Yet another 2013 ZDNet article quoted Australia’s Department of Foreign Affairs and Trade CIO Tuan Dao as saying there is a good deal of “hype” surrounding the cloud, but that some data security and privacy concerns have yet to be addressed.
There are a number of explanations for the range in views on the question of cloud security, the most obvious being the answer is not as simple as “yes” or “no.” For example, much can depend on the cloud provider.
“The first thing we’re talking to clients about is that not all clouds are equal,” Intelligent Business Research Services Security Analyst James Turner told ZDNet.
“Assessing cloud security starts with the basics of due diligence, including ensuring a cloud provider is financially viable and collecting the alphabet soup of audits and certifications—SSAE 16 (SOC 1), SAS 70 type II, ISO 27001,” according to an article on NU’s PC360. It also discussed taking a “deeper dive into a provider’s security.”
“We have come up with our own question set for cloud vendors based on our own experience, partnership with our internal audit department and parent organization [Tokio Marine Holdings Japan], plus research from advisory firms who really know who the best providers are,” Andrew Peel, senior vice president and CIO, Philadelphia Insurance Cos., said in the article.
Peel said his company uses a cloud-based solution from AirWatch to enhance security around mobile-device management. “Our security team worked with our IT infrastructure staff and the business side to develop a whole set of questions around data to protect, access controls, monitoring, reporting and other components to be sure we were compliant. We then worked with legal to be sure we had the right non-disclosure agreements and data protection in place, and collected their SSAE 16 and other documentation to be sure their housekeeping was in order,” he said.
John Howie, COO, Cloud Security Alliance, said in the PC360 article that the major providers tend to do well with security measures. “A lot of the uncertainty has been removed from the security picture with cloud. All the major cloud providers are rock solid today,” he said.
Indeed, the irony for some companies considering the cloud but worried about security is that a cloud provider may in fact employ more comprehensive security measures than the company itself.
“Think about the resources cloud providers throw at physical security and the investments they make in safeguarding their environments—data centers whose locations are kept secret, armed guards and multiple layers of security, multiple certifications that have passed different levels of compliance audits. Cloud providers go through a lot more scrutiny than a carrier’s own data center,” said Chad Hersh, managing director in Novarica’s insurance practice, in the PC360 article.
Generally, as businesses become more familiar and comfortable with cloud services, security concerns tend to ease, as shown in a survey of 1,068 companies conducted earlier this year by RightScale Inc.
The RightScale survey shows nearly one-third of executives and professionals who have not yet implemented cloud identify security as their top concern, but the number falls to 13% among “seasoned, heavy users of cloud services,” according to a recent story in Forbes. For those seasoned companies, compliance, cost and performance were among their larger concerns, according to the article.
Cloud Security Alliance’s Howie, however, cautioned in the PC360 article that companies should avoid complacency as they become more comfortable. “You can shift responsibility to the cloud provider, but you cannot shift accountability,” he said. “If something goes wrong, you are going to need to explain to regulators and your policyholders what happened.”
And, of course, even proper due diligence does not guarantee invulnerability. The catch in the Heartbleed case is that a sign a service provider follows good security practice (encrypting its web traffic with OpenSSL) turned out to be a major vulnerability. How does a buyer assess that?