Cloud security: Is it raining in the cloud?

Chuck Miller looks at the ins and outs of security in the cloud.

Ask 10 people what cloud computing is, and you will get 10 different answers. But ask those same people about security in the cloud, and they will all agree on one thing: it is critical.

What is cloud computing? To some, cloud computing once involved people sitting at terminals hooked to a mainframe in the basement. Even today, some observers claim that cloud computing is just a buzzword for some form of utility computing. But in its broadest definition, cloud computing generally means software and systems that distribute programmatic elements to multiple computers - typically off premise. Users are charged for computer power and storage as needed.

"Essentially the cloud is the promise that the internet has been holding for many years, where you can draw services dynamically out of another environment," says Peter Evans, director, security strategy and technology integration at IBM. "From an enterprise point of view, it changes the way you think about the business."

In another definition, Gartner defines cloud computing as "a style of computing where massively scalable IT-related capabilities are provided as a service across the internet to multiple external customers."

Cloud computing, as least as a concept, is being driven largely by economics. It is generally less costly to run applications, add capacity and increase storage in the cloud, rather than investing in new hardware and software, and bringing on additional staff and beefing up networking.

"Cloud computing will happen because it has too much of an economic incentive and developer support - applications can be quickly added and developers can have a single place to maintain source code," says Vatsal Sonecha, VP, business development & product management at TriCipher.

Overall, incentives include application-deployment speed, lower costs and fast prototyping. These are strong drivers. So much so that Gartner predicts that by 2012, 80 percent of Fortune 1000 companies will pay for some cloud computing service, and 30 percent of them will pay for a cloud computing infrastructure.

That is not to say that entire data centers will be moving to the cloud, at least in the largest companies. But for certain solutions, the cost benefits are hard to ignore.

"The driver is economics - companies can spend less capital," says John Maddison, VP of core technology solutions at Trend Micro. "Cloud-based applications are becoming more appealing, even though there is reluctance in some quarters because the enterprise feels it loses control."

That loss of control, and consequent security risk, is one of the major arguments that many IT professionals use to avoid making a move to cloud computing in a big way.

Security issues
The security issues with cloud computing do not vary tremendously from those facing users in any other computing environment. The classic problem can be epitomised by the acronym CIA, representing: confidentiality of data, integrity of data, and availability of data.

Once data is out on the cloud, only people who are authenticated and authorised should be able to see the company data, ensuring confidentiality.

"Information must have confidentiality," says J.G. Chirapurath, director of marketing, identity & security at Microsoft. "For every piece of information that I deem confidential or sensitive in some way, I need to know where it's stored, who's been looking at it, under what conditions they have been manipulating it, and be provided with an audit trail, so that if something happens, I can track its cause."