Is the Cloud Secure?
Cloud computing has grown by leaps and bounds in recent years. Every day brings news of some acquisition, some investment, some innovation in this space. What started as a mere snowball has gradually acquired the proportions of an avalanche, with all the big boys of the Information Technology industry putting big dollars into cloud computing.
From Microsoft to Google to late-entrant Oracle, everyone has their fingers in the cloud computing pie. However, concerns still remain, chiefly regarding security. Several companies have put off moving to the cloud simply because of security concerns. Otherwise, cloud computing with its pay-per-use and get-when-you-demand model seems to be a win-win situation.
Security is a major bugbear today, and not only in the physical world. Enhanced security concerns may lead to stringent, and often unwelcome, TSA checks at airports, but they also affect the adoption of new technologies like cloud computing, especially if that technology is based on the World Wide Web, where literally anyone with a modem and Internet connection can log in. The recent WikiLeaks controversy hasn’t helped matters as regards the acceptability of cloud computing.
Many opponents of cloud computing say that the technology’s presence on the Web makes it open to attackers worldwide. What they fail to realize is that isolated data centers, as was the norm before the advent of cloud computing, aren’t immune to hackers either. In fact, the modular nature of cloud computing may actually limit damage due to such attacks over the Internet.
With isolated data centers, it’s the old “all eggs in one basket” scenario, and we all know how that ends if the basket falls. On the other hand, with cloud computing, you are actually placing your eggs in different baskets. Even if one or more of those baskets fall, you have others to fall back on. Therefore, it is clear that being on the Web is not necessarily a disadvantage for cloud computing.
Secure Cloud Data
Of course, if your isolated data center is isolated in the true sense of the word, that is, not connected to the World Wide Web, you are safe from online attacks. But are you truly safe? Think again. How about a disgruntled employee who slips in with a USB drive, downloads confidential information and then passes it along to your competitors? Remember, the confidential diplomatic messages released by WikiLeaks were not obtained from an unknown hacker, but from a US Army soldier, Bradley Manning, who simply walked in and downloaded the data onto his music CDs.
Does this mean that companies’ security fears about cloud computing are unfounded? Not really. But instead of suspecting the technology, perhaps they should be looking more closely at the providers. Here’s why.
In spite of all the literature about “being on the cloud,” cloud computing is based out of data centers, quite similar to the ones that support companies’ internal resources. Granted, there are multiple data centers at work here, but at the end of the day, they are still data centers. And like all data centers, they are susceptible to security issues like data theft, natural disasters, etc. While the redundancy of multiple data centers does restrict problems due to natural disasters like fire, data theft cannot be ruled out. And this is where the trustworthiness of service providers comes in.
“Can I trust my cloud computing service provider?” – this is the question a company should be asking itself, rather than, “Can I trust cloud computing?” If the company feels that its own data centers are more adept at safeguarding data than its service provider, then its security concerns regarding cloud computing are justified.
This means that a company has to be very careful in choosing its cloud computing service provider. However, a vetting process is natural when selecting a vendor or provider of any service, and thus, cloud computing is no different. Granted, the vetting process may be more stringent than when choosing a beverage supplier, but essentially, the procedure is the same.
A service provider can remain in business only as long as it can keep its reputation intact. Therefore, any provider which has been deficient in safeguarding its customers’ data will fall by the wayside by natural selection. Even a cloud computing pioneer like Amazon has faced flak for removing WikiLeaks’ data from its servers citing breach of contract, as I had mentioned in an earlier article. Therefore, it is important for a company to examine the contract fine print closely before it signs on the dotted line.
At the end of the day, while I would not go so far as to say cloud computing is completely secure, I believe that it’s secure enough for most companies. I am not playing with words here, but merely stating the fact that no IT system is completely secure, not even the internal data center with multiple firewalls, restricted access and housed in a fire-resistant, earthquake-proof building.
Of course, with the technology undergoing improvements by the day, waiting for a few months may not be wrong. At the same time, that has to be weighed against the possible benefits that the company will lose out on by delaying the move to the cloud. In other words, cloud computing should not be considered untouchable simply because of security concerns; all arguments should be weighed before a final decision is taken.
Remember, if you truly want a system that is 100% secure, perhaps you should look at getting a personal computer that remains at one place in your home, is not connected to the Internet, does not accept external media like floppies, disks and flash drives, and to which only you have the password. But then again, that wouldn’t help you, or your company, do much work, would it? Cloud computing is here to stay, and in all probability, is going to revolutionize how we do business.
By Sourya Biswas
Principal Security Consultant at NCC Group
13+ years of experience in Client Engagement, Business Development, Project Management and Management Consulting in the Information Security & Risk Management and IT Strategy domains.
250+ articles on Cloud Computing, technical editor of a reputed textbook.
MBA (double major in Consulting & Business Leadership) on full scholarship from Notre Dame, Bachelor’s engineering degree in Information Technology from a top 10 engineering institute in India.
Professional certifications include the CISSP, CISM, PMP, PSM and several ITIL Intermediates.