How data security can vaporise in the cloud

IT managers should consider security, legal issues before signing up for hosted storage services

While hosted cloud computing may be all the rage for reducing cost of ownership and management, IT managers say hosted storage services present dramatic security challenges and legal implications that need to be considered.

Arthur Lessard, chief information security officer at toy manufacturer Mattel Inc., in El Segundo, Calif., said during a presentation at Storage Networking World on Wednesday that cloud computing is appealing, even if many end users don't know what the word "cloud" means. For example, many confuse cloud computing with pure server and storage virtualization or simply backing up data to a remote site.

True cloud services should be characterized by grid-architected hosts with central management, applications that can be ported seamlessly from system to system, capacity that is easily provisioned and significant data redundancy, he said.

"We're talking software as a service," Lessard said.

When storage is hosted offsite in a virtualized server and disk array environment, cloud computing presents real limitations around authentication and auditing, especially auditing of logging. The lack of auditing capabilities may affect the ability to record user logins, administrative actions and data writes, Lessard said.

"What I can't find out is who has been reading the data files, and ... depending on what business you're in, that might be important," he said.

There is also not usually any indication of login anomalies, such as repetitive attempts to log into your site under an incorrect name and password. That information is kept by the vendor and is usually part of a contract negotiation process. With respect to authentication, or who sets up the accounts and what control you have over accounts and how they're provisioned, most vendors offer self-registration into your applications, "and that can have holes," Lessard said.

"Most authentication in a cloud environment is done through user name and password only, so if I had a nifty two-factor authentication set up or biometrics, it's no longer offered," he said.

Most service providers also have restrictions against penetration testing of the cloud by their customers.

"To be honest, I can't blame the vendor because by doing penetration testing against their environment for your applications, it could impact someone else's applications," he said. "Remember, it's a cloud, and you don't have a lot of control over where my stuff is running or where it sits."

Hackers can also exploit security holes associated with hardware and software cloning in virtual server environments. Most operating systems have unique or personalized components when they're installed on hardware, and the OSes rely on the hardware to generate random numbers for public and private encryption key pairs and user IDs, even when they're being cloned onto new systems.

When operating systems are cloned in virtual environments, where new servers and software are stamped out to meet user demand, service providers may use pseudo-random number generators, which will pass back values that look random and for the most part are spread out over a range, but they aren't random and can be predictable, Lessard said.

At the last Black Hat hackers convention, there was an attack proposed that would exploit resources in the cloud based on pseudo-random number generation.

"If you have multiple systems, and they're all cloned and you have some idea of when a particular instance was cloned and created, you can start making some pretty good guesses about the pseudo-random number generator in that operating system, and that means you can start making some pretty good guesses about public and private key pairs that got generated when an operating system got cloned."
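The cloning risk described above, as a toy model added here (not code from the presentation or the article): every clone inherits the same pseudo-random generator state from the image, so key material generated on first boot collides across the fleet until fresh entropy is mixed in. The seed value, instance names and function names are constructed for illustration, and Python's `random` module stands in for an OS generator whose state was frozen in a snapshot.

```python
import hashlib
import os
import random
from collections import defaultdict

# Constructed value: stands in for PRNG state captured in the template image.
TEMPLATE_SEED = 1234567890


def boot_clone(reseed: bool) -> bytes:
    """Simulate one clone producing 32 bytes of key material on first boot."""
    rng = random.Random(TEMPLATE_SEED)  # state inherited from the snapshot
    if reseed:
        # Mitigation: mix fresh entropy from the OS before any key is made.
        # (Real systems should draw keys from the OS CSPRNG directly.)
        rng.seed(os.urandom(32))
    return bytes(rng.getrandbits(8) for _ in range(32))


def build_fleet(count: int, reseed: bool) -> dict:
    """Map hypothetical instance names to the key material each generated."""
    return {f"vm-{i}": boot_clone(reseed) for i in range(count)}


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint, so raw key bytes never go into the report."""
    return hashlib.sha256(key).hexdigest()[:16]


def find_shared_keys(fleet: dict) -> list:
    """Audit check: return groups of instances whose key material is identical."""
    groups = defaultdict(list)
    for name, key in fleet.items():
        groups[fingerprint(key)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    print("cloned, no reseed :", find_shared_keys(build_fleet(4, reseed=False)))
    print("cloned, reseeded  :", find_shared_keys(build_fleet(4, reseed=True)))
```

The same grouping check can be run over an inventory of real host-key or certificate fingerprints to spot instances that were stamped out of one image without regenerating their keys.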

One of the stickier legal ramifications of storing data with a cloud service provider falls under the government's right to search and seize that information during the course of a criminal investigation.

According to Lessard, the U.S. government has also asserted that it has a right to serve a warrant to a third party service provider in order to see your data on their systems and not notify that provider's customers that it has served the warrant prior to the search.

Because one company's data may be kept on the same disk as another's by a service provider, a criminal investigation could expose your data to authorities or simply limit your ability to access data through that cloud service provider, Lessard added.

"Essentially, you're losing your right to answer warrants served by the government," he said. "To use a technical term, cloud computing is probably going to give your legal department the heebie jeebies."

Other IT managers also had security concerns about cloud services. Some overcame them after becoming SaaS customers, while others weren't convinced the security around such services is sufficiently mature.

Gordon Peterson, director of information technology for the city of Carlsbad, Calif., recently began using Microsoft's Live Mesh cloud computing service to host collaborative applications, such as Exchange, Office Communicator and Live Meeting, in order to spend less time on maintaining back office systems and more time on technology innovation.

Peterson, who has a staff of 25, said he definitely had security concerns, mainly around Microsoft employees who would be able to see internal e-mail traffic.

"We do have justice system traffic, after all," he said. "But I think what helped was realizing somebody else can probably do security better than I can."

Peterson said his main concern was Microsoft's hiring and firing procedures and whether employee background checks were thorough. A trip to Microsoft's hosting facilities helped alleviate those concerns.

"Their procedures are very similar to ours," he said. "They told me that if they mess up, the online community is unforgiving."

Norton Healthcare Inc., a private, nonprofit hospital system based in Louisville, Ky., is in the middle of rolling out virtualized servers, desktops and storage to serve four acute care hospitals and other health care facilities in Kentucky and southern Indiana.

Brian Comp, associate vice president of technology at Norton Healthcare, said cloud computing, with its ease of use, is definitely in the hospital's future, just not the near future. Comp said over the next five years, as cloud computing providers and the technology mature, it will become more reliable and secure, allowing him to put non-clinical systems on a distributed architecture.

"I wouldn't say I'm uneasy about security in the cloud, but I do have reservations about it. It's about having data offsite. I just want certain assurances. Nobody wants to be on the front page of a newspaper because of security problems," he said. "But I do think cloud vendors will work that out over time."
