Playing the Cloud confidence game part 2

Prudent decisions about the security of organisational data is enabling IT leaders to make the most of the public and private Cloud

Part two of Computerworld Australia's look at why Cloud security risks should be front of mind for IT executives planning a push into the Cloud.

See: Playing the Cloud confidence game part one

The new security

Cloud security risks should be front of mind for IT executives planning a push into the Cloud — but their prospects are hobbled by what seems to be a shocking lack of attention to security. One recent IDC survey found that 56 per cent of Asia-Pacific financial-services CIOs don't even know how many security threats their firms had faced in the previous 12 months; of those that did know, 37 per cent couldn't provide any details of the events. And if they faced a need to trim their IT security budgets, 18 per cent of respondents were prepared to leave some parts of their IT infrastructure unsecured.

Another survey found similar results among healthcare providers, which along with financial-services companies are curators of some of the most sensitive data going. These attitudes are disastrous in the face of growing Cloud adoption: if companies can't even monitor their own security infrastructure, how are they going to manage hybrid public-private environments that span more than one facility?

Based on CIOs' interest in Cloud computing — IBM recently found that 60 per cent of surveyed ANZ CIOs see the model as strategic and will implement it in the next five years, while Frost & Sullivan found 35 per cent of respondents had already adopted Cloud solutions and 36 per cent would increase their Cloud budgets for 2011 — the collective security exposure of Australian Cloud users is only going to get worse.

Not all organisations are ignorant of security risks, however: Westpac Banking Corporation, for one, has been building out its Cloud investment on the back of preliminary projects such as a testing-and-development Cloud approach that's cut the time to commission new testing environments from 14 days to just four hours.

"If I'm going to do a Cloud, I cannot just do a bit of Web service and a bit of database and worry about end service delivery while letting someone else do everything else," says Westpac head of engineering Michael Gindy. "Within the bank, we established the vision that we're going to be the service management integrator and be the team across a number of Cloud service providers – be it internal, external, outsourced, or insourced. We are the ones that are going to be held responsible for delivering an end-to-end business fabric."

This shift in approach, which has been tightly wrapped in the ever-present need for security, forced Gindy and his team to do some serious talking with business leaders to reassess their expectations around security, and how emerging Cloud models could meet those expectations.

"Orchestration and service management are key for success in this Cloud business, and we needed to rethink what the word 'secure' is and who delivers it," Gindey explains. "Traditionally we ran in a siloed mentality with infrastructure architects, operational guys and others. But the killer of most innovation is the security challenge, and for any of this stuff to happen you need to get those guys in a room and start challenging their thinking."

This led to some changes in language — talking about business-level agreements focused on higher-level availability of business functions, for example, rather than focusing on siloed metrics and conventional security protections.

"It's important to remember that security is an attribute," Gindey adds. "Gone are the days of thinking about putting systems within perimeters; we need to think about putting security into applications. You have to work with that, and your security team needs to work on the journey. The good news is that we have had good conversations with the security guys — and we passed with flying colours. Orchestration is the key."

So, too, is a robust security infrastructure — and, thankfully, a growing body of best-practice examples is elucidating the best ways to achieve crucial security goals. Industry body the Cloud Security Alliance, for one, is actively promoting Cloud-based security practices up to and beyond the ISO/IEC 27001 standard used by many as an auditable benchmark for IT security.

"Ultimately, by getting better security in the environment, we get better trust," says Brett Williams, a senior technology consultant with RSA Security who warns that the shift from silo-based systems and security is a minefield for the unprepared. "We're decoupling the operating system from the physical systems, which is fantastic from an IT perspective, but from a security perspective it opens up a whole can of worms. Our threat landscape is changing, and most of it is attacks by vulnerabilities no one has heard of before."

One advantage of virtualisation, Williams says, is that the hypervisor provides a single portal to the IT infrastructure; companies need to leverage off that architecture by having a centralised security model. Yet sheer bulk can mean even this isn't straightforward: vBlock, a modular architecture recently released by Cisco Systems, VMWare and RSA parent company EMC, can host over 5000 virtual machines — and each one needs to be secured.

"If something does happen, root-cause analysis is difficult," says Williams, who argues that this scalability alone demands investments in proactive asset-management and log-analysis tools that can correlate log events across virtual environments and raise appropriate alerts when anomalies are detected. "Who's going to go through those files manually and understand exactly what happened? The whole concept of the Cloud is IT self-service, and being able to bring things up dynamically and shut them down. From a security perspective, we need to know what they're doing."

EMC, for its part, is building on RSA's security credentials and a host of other acquisitions to build out such tools: its acquisition last year of Archer Technologies gave it a GRC (governance, risk and compliance) framework for risk management, while RSA's Cloud Trust Authority facilitates trusted relationships between Cloud providers.

Over the page: The security threshold

Page Break

The security threshold

In the end, judgments about Cloud providers' security boil down to one question: can you trust them?

This trust can be hard-earned and easily lost should something go horribly wrong — but as with all partnerships, early efforts to set and manage expectations can ease the transition. Customer comfort with the infrastructure story being sold will ultimately determine how involved that organisation gets with Cloud services. For government bodies, conservatism has naturally remained a guiding factor; current recommendations suggest Cloud models are acceptable choices for agencies 'where they represent value for money and adequate security'.

In practice, this translates into commodity services such as high-volume Web hosting, but has so far prevented most government organisations from delving too deep into Cloud services for now. "Cloud vendors live and breathe on the availability of their Cloud services, so my original assumption was that — given that their business model depends on this and reputation and brand — we should be able to look at them and have an expectation of high availability," says Glenn Archer, first assistant secretary within the Policy and Planning Division of the Commonwealth Department of Finance and Deregulation.

That department manages government Cloud policy, and has so far fallen short of encouraging use of Cloud services for areas storing sensitive data. This may be on the agenda in three to five years, says Archer, but for now sensitive data will be kept in internally-hosted private Clouds and public-Cloud usage will be limited to commodity technology such as publicly-available data and analysis; use of Web 2.0 tools like Gmail; and hosting capacity to support delivery of government websites.

Although it's verboten for now, key citizen-facing systems, applications, and business processes could be on tap within three to five years. This, despite the fact that the model "has been slightly sullied at the moment," Archer says, "but it's on the watch list. At the moment, there are enormous opportunities for us as a government to make use of the Cloud without going into problem areas like hosting citizen information in the public Cloud."

Prudent caution, then, will determine whether organisations feel comfortable enough committing to the Cloud — and what they're happy to commit. Yet for many other organisations, the decision is still one of relative security risks — and for them, the Cloud is still winning.