Is Anyone In Control Of Cloud Security?

The government’s ‘G-Cloud’ could save the UK economy £3.2bn, but is it worth the security risk, asks Philip Lieberman

The Cloud Vendor’s Challenge: Accountability

Cloud computing has the potential to transform business technology, but it brings a spectrum of security issues that IT organisations should consider before trusting their sensitive data to the cloud.

These issues cause security experts and auditors to rethink many fundamental assumptions about Privileged Identity Management: who is responsible for managing these powerful accounts, how they manage them, and who exactly is in control.

Historically, IT data centres have always been in secured physical locations. Now, with cloud computing, those locations are no longer maintained directly by the IT organisation. So the questions come down to these:

  • How do you get accountability for management of physical assets that are no longer under your physical control, and exactly what control mechanisms are in place?
  • Can you trust your cloud vendor to secure your most sensitive data? Moreover, if there’s a security breach in the cloud, who is to blame?
  • Is it the cloud vendor that disclaims all legal liability in its contract, or an enterprise that relinquishes control of its sensitive data in the first place?

When it comes to security, Cloud is dangerous

From the vendor’s standpoint, cloud computing promises to reduce customer headcount, make IT more efficient and deliver more consistent service levels. However, there’s a paradox: when it comes to security (and control over privileged identities in particular), cloud services are often among the least efficient.

Many cloud service providers’ processes – based on ad-hoc techniques like scripting of password changes – are slow, expensive and unreliable. And that’s dangerous.

Fortunately the industry is starting to move beyond paralysing discussions about the security and compliance problems that arise from cloud computing to address them head on.

One example of this is the Trusted Cloud Initiative, which was launched at RSA Security Conference 2010. The goal of the initiative is “to help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices.”

However, only time will tell if it will help standardise cloud computing or turn out to be a technology certification of little use.

In addition, several major cloud vendors and ISPs have begun the difficult task of integrating security solutions that are capable of managing the large number of privileged identities that make up their infrastructure (hardware, VM hosts, VM Image OS, application stacks).

This has really broken the fundamental model of IT being in control of security and has started to blur the lines between vendor and customer when it comes to the management of security.