Is Anyone In Control Of Cloud Security?

The End User’s Challenge: Transparency

In my opinion, the cloud is a really good, compelling idea. It can reduce the cost of IT dramatically. Given that cloud computing is available, the idea of building new data centres these days seems like a last-century way of doing things.

On the other hand, for enterprises, the ability to see and touch your own systems in your secured data center does give confidence that you have some measure control of your destiny.

But most large corporations don’t have enough IT people or security talent to manage the IT resources they have, and so are turning to outsourcing.

Cloud computing is essentially the next generation of outsourcing, so that we’re not only reducing man power, but we’re getting rid of our hard assets entirely by moving them over to data centres anywhere on the planet that are going to manage this more cheaply than we ever could. And the idea of outsourcing security and liability is extraordinary compelling.

Enterprises should ask the right questions of their cloud providers before taking the leap into cloud and blindly assuming that their data is safe there. Every point of compliance that you’re asked to meet an IT organisation and every question you’ve been asked by an auditor should apply to your cloud vendor – and needs to be asked of them.

And because today’s cloud vendors offer literally no transparency and little information, don’t be surprised if you don’t like the answers you get. Most cloud vendors would say that for security purposes, it’s on a “need to know” basis, and you don’t need to know. Others state that they’re SAS 70 compliant, but that’s really just a self-certification.

Think again

Here are some questions you must consider asking:

• What kind of security does the cloud service provider have in place to protect your privileged accounts and most sensitive data?
• Do they have a Privileged Identity Management technology in place?
• How do they control privileged accounts used in cloud infrastructure to manage sensitive systems and data?
• How do they manage cloud stacks at the physical layer and application stack layers?
• What is your access to audit records?

Whatever regulatory standards your organisation must meet, so too must your cloud vendor. So if you think that by venturing into the cloud you’re saving yourself regulatory headaches, think again.

Security is the greatest barrier towards adoption of the cloud, and it’s no great surprise that cloud security – managing, verifying and trusting it – was a major theme at this year’s RSA Conference.

Unfortunately, improvements in cloud security won’t be seen as a priority until a major breach has a significant enough impact on one or more cloud service vendors and customers. That needs to change.

When it comes to cloud security, it is the end-user’s duty to understand what processes and methodologies the cloud vendor is using to protect the customer’s most sensitive assets. We don’t want the Government’s ‘G Cloud’ to be compromised – that would be a public humiliation that would have Cloud doubters in their own little Heaven.

Philip Lieberman is the founder and president of Lieberman Software, and has more than 30 years of experience in the software industry. He has published numerous books and articles on computer science, has taught at UCLA, and has authored many computer science courses for Learning Tree International.