With great cloud comes great responsibility

Cloud computing is often treated as something of a black box: you put data into it, some magic goes on, and processed data comes out. But even though someone else is taking care of the heavy lifting, securing your data as it goes into the cloud is still your responsibility. So says Vince Lee*, Regional Manager, Australia & New Zealand, SafeNet.

There’s a good reason why everyone is talking about cloud computing. With infrastructure-as-a-service, for example, whatever computing power and storage capacity you might need is immediately available on tap. Combine this with virtualisation technology and organisations gain unprecedented flexibility to deploy virtual servers whenever and wherever they are needed.

Or at least that’s the promise of cloud computing. The reality is that along with enormous benefits to organisations come enormous risks. Cloud computing infrastructures introduce an array of new security concerns, with a host of recent high-profile data security breaches underscoring how serious these concerns can be.

Organisations should never just assume their data is safe when they expose it to a publicly available service. When you get a private line from a telco, is it really ‘private’? The fact is that it uses shared infrastructure and it is up to you to secure it. The same is true when you put data in the cloud. It is still your responsibility to secure it.

Before you get too worried about how insecure cloud-based services might be, however, you need to understand the value of your data and perform a risk assessment. And to some extent, that risk will depend on the nature of your existing infrastructure and your ability to manage and control it.

For a small business, it may be that the risk profile of a cloud service is actually better. Up to a certain level, the people providing the service may do a much better job than you could. Better service availability levels are actually one of the drivers behind the popularity of cloud-based software-as-a-service applications, although there are still concerns about security levels.

The situation is generally reversed, though, for organisations with intellectual property or other data worth significant amounts or a high-value customer base and brand. There are also strict compliance requirements which financial, healthcare and government organisations are currently reluctant to, or simply cannot, put in the hands of third-party providers.

For these organisations, strong encryption and authentication technologies can allow them to host information in the cloud while retaining effective security controls. By encrypting storage volumes, for example, data can be isolated and secured - even in shared, multi-tenant cloud environments, regardless of whether they are onshore or offshore.

Both encryption and access control can be managed via a secure appliance acting as a trust anchor that still sits physically within the organisation. That way, only encrypted data is put in the cloud. Users still have to come back to the organisation to verify their identities and get the key to unlock it. Even if cloud-based data was stolen, it would be useless without the key.

Right now, these sorts of strong security solutions are mostly used to protect financial data, medical records and state secrets. With cloud computing, however, the number and type of organisations exposing their most valuable assets to additional risks is far greater.

Will you need strong encryption and authentication before moving to the cloud? While you’re thinking about it, remember that it can be very difficult for organisations to overcome the reputational damage associated with a data breach. That is why security remains the number one barrier to cloud computing adoption and why organisations need to get it right.

*Vince Lee is the ANZ Regional Manager for SafeNet, a provider of information security solutions. The company helps protect the assets of more than 25,000 customers, including online transactions, communications, data and software licensing. Lee has more than 12 years’ experience in the IT security industry, including six years with cryptographic pioneer Eracom Technologies, acquired by SafeNet in 2005.