Integrity means that data is changed only in response to authorised transactions. For example, in any given period of time, if no authorised transactions have occurred, the data should not have changed. In the cloud, the data may be controlled by someone else, so the tracking may be trickier. The problem can be obviated through encryption, but that opens a whole other can of worms - including management of keys without involving the cloud vendor.
Availability is just that: the system is there when you need it. An outage can wreck your whole day. The best solution here is strong contractual arrangements guaranteeing that the data is there when you require it.
"Ideally, availability should be better than that provided by yourself," according to Jeff Kalwerisky, chief security evangelist at Alpha Software.
Current conditions
Cloud computing vendors work hard at providing security. "There is a reasonable amount of security in the cloud these days," says Trend Micro's Maddison. "The biggest challenge an enterprise would face is if the application requires sensitive data to be stored, how secure is the provider?"
As with many trends, people start doing cloud computing before they think it through. And some solutions can be complex. If you use the cloud across a large number of providers, the complexity can grow considerably - there are no standards yet for security in the cloud.
In terms of confidentiality, Microsoft's Chirapurath says, "In software and services [one component of the cloud], the challenges have to be solved at the nexus of identity and security. Security keeps the bad guys out, and identity lets the good guys in."
In other words, hackers look for credentials. When an enterprise suffers a loss of identity, what it has is a security threat.
"All security revolves around identity," adds Chirapurath. "Enterprises need a bridge around the identity they have built into the infrastructure and the cloud. There must be an on-premises story that is complementary to a cloud story."
Issues of compliance
Another issue is compliance. Absolute certainty is required for compliance, but you can't find absolute certainty in a cloud, almost by definition.
"The cloud, by its nature, is opaque," says IBM's Evans. "The services could be coming from any source. The compliance regulations may have to be revised to recognise the new world. In most, you can outsource your data, but you cannot outsource your responsibility."
The cloud is an enabler. In many cases, it can be seamless with existing environments. In the end, the nirvana for end-users would be that if they log on to an email interface, and the email backend happens to be in the cloud, there will be no other logon necessary for the cloud.
The cloud transition is under way, albeit slowly, but it may be a major part of new business arenas. Its security questions are not necessarily unique, but obviously must be addressed as vigorously as security problems anywhere. The question then becomes whether any major, unanticipated security issues will bring down hope for a breakthrough in the cloud.