In most cases, applications in public clouds aren’t as secure as those inside the enterprise, even though providers’ security has improved recently, according to analysts. They advise businesses to do an in-depth evaluation of cloud providers’ security systems and practices and, if a cloud-based application is chosen, be prepared to bolster their own internal security.
Public cloud security today generally fails to provide an appropriate level of risk reduction and transparency, said Carl Brooks, analyst, infrastructure and cloud computing, Tier1 Research, a division of 451 Research. The good news, he said, is that groups like The Cloud Security Alliance are promoting open standards for cloud providers and providing evaluation guidelines, some certifications and other helpful information. Unfortunately, however, emerging standards still lack the technical rigor and consistency needed.
“There is no consistent framework that the industry has agreed upon which users of cloud can take and use and then they can compare and contrast the different security offerings,” said Chenxi Wang, a vice president with Cambridge, Mass.-based Forrester Research Inc. As a result, potential and existing cloud computing users must evaluate each provider’s security on a case-by-case basis, making provider comparisons difficult and time-consuming. We asked three IT industry analysts (Brooks, Wang and James Staten, an IT infrastructure analyst who also works for Forrester) to explain the top considerations when assessing public cloud security. Here are the key pieces of advice they had to offer:
1. What level of security do you require for the data you plan on sharing through a cloud service? Know your needs, and be well-educated about how public clouds handle security, said Staten. Determine the exact level of security needed by the applications and data being moved to the public cloud. Make sure that the cloud vendor has the right features to meet security needs. Stipulate needs in service level agreements (SLAs) and continually enforce contracted security levels.
“Many companies don't know enough about how public clouds do security to know if they will be able to monitor, track and verify that the provider’s security meets their requirements,” Staten said. “In their own environment, they already know how to meet those things. It doesn't necessarily mean they do it well or that they do it consistently, but at least they know what they're doing.”
2. In each evaluation, consider what additional work you have to do to raise the security to your level, advised Staten. Frequently, the responsibility for application security is shared between the cloud customer and provider.
Generally, the business side must develop security policies for how cloud services can and can't be used. Different skills and mindsets are needed to make the change from internal, behind-the-firewall security policies to network-centric policies, said Brooks.
Finer points include evaluating vendors’ encryption capabilities. Analysts have seen that customers frequently must encrypt data before uploading it to the cloud to ensure security.
On-premises security systems, policies and processes are always needed when public cloud is used, but figuring out what measures work best with a cloud provider’s offering is challenging. “This is where organizations usually have a big learning curve,” Staten said.
3. Speaking of the fine print, determine whether a cloud provider can conform to your enterprise’s identity and access management standards, advised Wang. Can it integrate into your access management, single sign-on (SSO) architecture, etc.? If the provider can’t do it, then you’ll be forced to manage it separately.
“[Exerting] the same level of ID and access control in the cloud that you’re used to in the traditional environment is going to be a very difficult undertaking within this new and more dynamic, more extended enterprise environment,” Wang said.
4. Are the cloud provider’s data protection practices inside their infrastructure adequate? For example, is your data going to be transferred in a secure channel up to the cloud? Examine data classification and protection policies and practices, advised Wang.
5. Look at the physical security and personnel side of the cloud provider’s business, said Wang. Physical security measures should include protections against fire, flood and attack, as well as co-location and disaster recovery planning. Also, ask about internal security policies. What kind of personnel management practices does the cloud provider have? Do they do adequate background checks of their personnel? Who would have access to my data, my application? Are the people and applications accessing my data adequately monitored, logged and analyzed?
6. Evaluate the cloud provider’s incident response, notification and restitution policies, Wang said. What are the guarantees on incident response? What happens if their infrastructure is hacked? What are the consequences of this and how will they deal with it? Will they notify me? What kind of data will they give me? And what kind of recourse will I have if my data and application are hacked?
7. Know the legal implications of something going wrong in the cloud, Wang said. If your data is lost because it is stolen or an application crashes, know who takes the liability. “Often cloud providers don’t want to take any liability,” said Wang. In a contract, as much as you can, you have to stipulate the conditions in which the cloud provider will be found liable.
8. What happens to your data at the end of contracts? Make sure your SLA provides detailed descriptions of how data will be delivered when the relationship is severed, said Brooks. Will it be sent back in a way that is useful? Will you be able to package it and use it internally or use it in some other cloud service? If not, vendor lock-in is a danger.
9. Securing mobile applications is a new area for most cloud providers, so do a careful review of mobile support services available compared to your needs now, advised all three analysts. Also, look at the vendor’s road map for mobile support. What evidence proves that the provider can keep up with rapid mobile device and application change?
“Some cloud service providers have a fairly solid mobile front end,” said Wang. The majority of them are increasing mobile support and extending the security controls from the cloud to mobile this year. “Mobile is where cloud services providers are spending their development time right now.”
10. Is the cloud provider involved in any security standards and certification groups or initiatives? What certifications does the provider hold? Active participation is a positive sign, said Brooks. At the same time, don’t consider a certification the be-all and end-all in security. In the absence of globally accepted cloud security standards, most certifications are not all-encompassing.
“Make sure the vendor knows that certifications and standards are important to you,” said Brooks. That’s the way to get standards created and ultimately ease some of the enterprise’s evaluation and comparison burden.