Secure the pearly gates, not the cloud

Cloud computing is fast becoming one of the most widely adopted IT trends of recent years. Lured by the offer of flexible, low-cost and easily scalable IT, many businesses are relying more and more heavily on cloud-based applications, storage and security. However, as highlighted by Gartner and many others, big questions remain over the security of cloud computing. Clearswift’s Peter Croft* explains how the big security questions should be answered.

Security of the cloud is not necessarily as hugely complex as some would have you imagine. Let’s not forget that, in essence, cloud computing is a rebirth of the Managed Services (for IT infrastructure) and Application Service Provision concepts, and the issues regarding data security remain, to some extent at least, very similar, albeit with some key differences.

One of the main differences is that older-style managed services generally tended to be long-term arrangements (often five years or more) and necessarily involved complex contractual details (often including the transferring of staff). This usually led to a very close operational relationship between client and provider. With cloud computing, one of the key differences is the operational separation between client and provider. With most cloud services today, the client has very little influence on the operational practices of the provider. The basic business model has moved far away from nurturing long term partnerships, focussing instead on ease of initiation (and termination!) of relationships. Couple this with the increased number of potential providers with whom an organisation may have a relationship at any one time and the increased level of data sharing inherent in many cloud services, one can see that trust becomes a major consideration.

One of the resultant issues from a security perspective is the greater transfer of data, and the ensuing trust issues that result from allowing a third party to store and manage this data. With precursors to cloud computing, such as managed services, data tended to remain relatively close to its original owner. As data storage and email outsourcing become two of the most popular modern cloud-based services, security fears over the transfer of data, and later, over who has access to this data, remain significant concerns.

Perhaps what has made the cloud security debate rage quite so fiercely is the fact that potential issues or breaches could be potentially catastrophic - to the extent where they transcend business departments to become a major business issue. Against a backdrop of heightened public awareness of data loss, privacy issues, ID theft etc, this is understandable.

In many ways, securing the cloud itself may be an almost impossible task due to the numbers of providers involved and the level of sharing that is inherent with many cloud-based services. Some have suggested a standardised security kite mark system for cloud providers could be the answer, but the commercial considerations and logistics involved in this render it a long term possibility at best. The fact is that by the time data has reached the cloud, it’s normally too late. The potential for data getting into the wrong hands starts from the moment it leaves an organisation, and it’s therefore at this boundary point between the organisation and its external environment that security has to be the key priority for those looking to use cloud-based services.

For those that think encryption is the answer, think again. First, many cloud-based services don’t support encryption of data because they are explicitly focussed on sharing. Second, lax procedures, modern technology and a malicious intent can always create the circumstances to siphon data while unencrypted. Given the somewhat distant relationship between most cloud service providers and their clients this could remain undetected for a very long time.

There will always be data that is so sensitive that it simply cannot be allowed to leave your business, and that is why the key priority for improving security of cloud computing lies in the routes between your business and the cloud, not the cloud itself.

As with tangible security risks to homes and business premises, it’s the access points that are always the weak point. Therefore it’s vital to ensure the ‘windows’ and ‘doors’ of cloud computing are made as secure as possible. Addressing the security of your company’s specific cloud entry and exit points is the best - and simplest - way to get a grip on the potential issues involved to enable businesses to take advantage of all that the cloud has to offer.

Take for example, a cloud-based data storage service. This type of service will be perfectly suitable for storing the vast majority of data coming out of an organisation, but there will always be exceptions where the possible implications of anyone else having responsibility for highly sensitive data is not appropriate.

In the case of highly sensitive material, the best course of action in most instances is to prevent it from leaving the originating organisation in the first place. (It is classic psychology that sensitive or confidential material is considered less so the further away it gets from the original creator.) What is therefore needed is highly sophisticated automated checking of outbound data to ensure that data that shouldn’t leave the organisation does indeed remain there.

For data entering an organisation, consider the analogy of food: the more processed it is before you receive it, the more likely it is to suffer harm. This is potentially true of cloud-based email services controlling data coming into your business.

Many believe that cloud-based email is the only way to attain the best levels of efficiency and cost reduction. Indeed, although cloud-based email offerings can be compelling, it isn’t the only way of doing things. In fact, when you consider the often quite significant issues regarding trust of a third party cloud provider, cloud-based email can lose its shine. Allowing a third party to have unfettered access to all your incoming mail has major security implications, and requires complete trust and reliance on the organisation providing the service.

Advances in appliance-based technology now mean that non-cloud based email security applications are as effective at reducing spam and malware with similar efficiencies to cloud-based services, but without the risk of handing all email data to a third party.

What’s absolutely clear is that many businesses have not yet adequately resolved the security risks regarding cloud computing, perhaps due to lack of understanding as to how best to tackle the problem.

Collaboration and openness (both key cloud computing premises) are great attributes for many types of technology, and security nowadays must shift to focus on enablement rather than prevention. But at the same time, we have all become very - perhaps too - comfortable with collaboration, sharing and cloud-based applications in our personal lives and this is one of the biggest threats for many businesses. Collaboration and sharing is one thing when it’s just you and your home PC and you are taking individual responsibility for the potential consequences of your actions. The same is not true for a company IT system where this way of working and engaging with customers and suppliers, though often commercially advantageous, carries far greater risks and therefore needs a level of corporate governance.

Companies must be able to have complete confidence in their use of cloud computing, and while it’s easy to assume that a third party may be a safer pair of hands, the reality is that there are no guarantees. The only way to ensure your data is not compromised by the cloud is to control what is going to and from it in the first place, and make sure your gateways to the cloud are watertight.

* Peter Croft is the Managing Director, Asia Pacific, Clearswift. Croft has over 12 years’ experience in senior executive positions, including returning ailing business units to profitability, acquisitions and divestments, new business development and channel management. Prior to joining Clearswift, Croft was President and Executive General Manager of Tenix Datagate, a wholly owned subsidiary of the Tenix Group, Asia Pacific’s largest defence and technology contractor. He established Datagate to commercialise IP jointly developed by Tenix and the DSTO, aimed at providing secure data flow between physically isolated network segments.