No pointing fingers for cloud security

Powered by SC Magazine
 

Analysis: Understanding who needs to do what can sometimes be tricky.

Over the last two decades, the now-famous 1993 New Yorker cartoon showing two canines in front of a PC with one saying to the other, “On the internet, nobody knows you are a dog” has become a staple of presentations on internet identity and privacy.

Part of the reason for the cartoon's longevity is that it crystallizes in a single strip the security and trust issues associated with interacting across the web.

The irony is that the current growth and interest in cloud computing have made this cartoon as relevant today as it was in 1993. As organizations assess deploying new cloud services, security is generally acknowledged as the most significant inhibitor to broader cloud adoption.

But while there is widespread consensus among cloud providers and organizations that security is a key requirement for the cloud, the question of who is ultimately responsible for security remains unanswered.

The central debate on cloud security is whether cloud providers or end-user organizations are responsible for security. Based on survey data from the Ponemon Institute, the two sides have surprisingly divergent views.

The data shows that 69 percent of cloud providers believe security is primarily the responsibility of the cloud user, whereas only 35 percent of cloud users believe security is their responsibility. The survey results were not completely binary: some participants did agree that security should be a shared responsibility between end-users and cloud providers, but these were clearly in the minority.

So who is ultimately responsible for cloud security – the end users or the cloud provider?

The short answer is that it really needs to be both. Part of the reason for this is that while people refer to the cloud as a nebulous, monolithic thing, the cloud is composed of many components (network transfers, firewalls, databases, web browsers, data centers, etc.), and each of these individual components has its own security vulnerabilities and must be properly secured.

And since some components reside at the cloud provider's data center and others on the end-user's premises, each party is responsible for securing the components on its side. Expecting the security requirements for all cloud components to be handled by one entity is not a sound strategy.

Providers

When it comes to the vendors, one can look back at the emergence of internet commerce in the mid-1990s with companies like eBay and Amazon for guidance.

Some may recall that in its initial iteration, Amazon actually staffed and hosted a call center for end-users to call and place their orders over the phone because of concerns over security.

Over time, as Amazon built its reputation and trust, the phone centers went away, but in the initial phases, the call centers were an important tool to help consumers overcome their fears of buying online. 

Likewise, eBay introduced its very simple but effective reputation-based scoring for buyers and sellers – a great example of security and trust being shared by the provider and the end-user.

Assuming an organization has agreed to deploy some cloud services, what are the issues it needs to be thinking about when looking at security in the cloud? Based on the above discussion, finding a cloud provider who agrees that security is a shared responsibility is an obviously important criterion, but what else?

Two words come to mind: vigilance and commitment.

Many cloud providers will cite various certifications (ISO, SAS-70, FIPS) as proof of their strong security. And while certifications are an important component, they only tell part of the story, which brings us back to vigilance and commitment.

The online world is an increasingly dangerous place with highly sophisticated hackers, and unfortunately, the attackers can often find ways around your certifications. And while no one is immune from a cyberattack, organizations that demonstrate a real commitment and vigilance against cyberattacks are going to be best prepared to repel them.

End-user organizations should evaluate a cloud provider's vigilance and commitment. This is tricky because it is a qualitative measurement, but it should involve, at a minimum, questions about the provider's underlying security architecture.

What kind of physical security do they have in the data center? What is their policy on deploying new security patches to the operating system and applications? Do they encrypt data, and if so, how are the keys managed and stored? What about disaster recovery?

This is obviously not a complete list, but it provides some guidelines. By posing these questions to a cloud provider, one can hopefully gauge its commitment and vigilance toward security and thus determine whether it is a viable partner.

Users

Another consideration is that end-users should not idly stand by and expect cloud providers to automatically adopt strong security.

End-users need to start requiring strong security from providers by explicitly stating it in requests for proposal (RFPs). If they do, providers will respond to these requirements and start enhancing security.

Economics and market forces can be a powerful motivator, and consistent security requirements can definitely influence the market.

Since the market will not react instantaneously to these security requirements, organizations will still need to maintain internal vigilance over their cloud environments in the interim.

This means implementing appropriate security controls and auditing, as well as seeking comprehensive, aggressive service-level agreements (SLAs) from their cloud provider.

These SLAs need to cover not just the usual characteristics such as availability, disaster recovery and performance, but also security aspects such as answers to many of the questions listed in the previous section.

The net result is that the end-user will still be seen as responsible for any data leakage in the court of public opinion, so the end-users must do everything they can to protect data.

These security issues should not hold organizations back from deploying cloud services, but they are a strong reminder to work with providers who understand the security issues and demonstrate a commitment to data protection.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

