It appears that the greatest hindrance for organizations to move their applications and data into the cloud is concern about security and availability. While it is arguable whether or not security and privacy risks and system failure rates and durations are greater overall for cloud-based services, the perception is that they are. However, it is not clear whether the statistics, if available, would bear out such a view. When a major cloud systems service provider is breached or has an outage, it is front page news, whereas such events occurring in the thousands or millions every day to businesses, government agencies, and other organizations are seldom known or reported. How many times have you checked out at a store or a bank or other facility, only to discover that their computers are down? How many times have payment card companies reissued your credit or debit cards without explanation? Most private sector security and availability events are purposely never publicized for concerns about damage to reputation and loss of customers and business. But you know that they are happening. If the real statistics were to be obtained (which is an impossible task), it is likely that one would discover that most cloud computing services are more secure, reliable, and resilient than internal IT systems.
Nevertheless, decisions regarding confidentiality, integrity and availability are frequently made based on perception rather than reality. Consequently, infosec professionals must respond to the perceptions. This means that security and resiliency, together with dependability, need to be held to a higher standard for cloud services as compared to other means of delivering IT services, like it or not.
As I wrote in my book, Outsourcing Information Security (Artech House, 2004), a major benefit of having third parties perform a company’s IT and infosec functions is in the form of the service providers’ greater experience as a result of being able to hire and retain accomplished subject-matter experts covering a broader scope across clients. However, it is important to keep some level of expertise in-house to oversee these third parties and to be available in the event that it is decided to insource the services or transfer them to another provider.
What about security and privacy? Here, it is important for customer organizations to take control whether directly through internal staff or indirectly via trusted third-party managed security services providers (MSSPs). And it is also necessary to develop tools and approaches that will enable organizations to jump the many hurdles of cloud services security that are being presented to them.
An article, in the February 2013 issue of Communications of the ACM, by Ari Juels and Alina Oprea of the RSA Labs in Cambridge, Massachusetts, with the title “New Approaches to Security and Availability for Cloud Data,” (pages 64- 73), describes the problem well and suggests a solution. A key insight or the article is as follows:
“Creating incentives for [public] cloud adoption requires thinking beyond data encryption, which alone rarely provides confidentiality on [sic] data processed in the cloud or protects against tampering, corruption or loss of availability.”
The authors suggest real-time auditing by tenants or third parties to provide “security visibility” and “strong assurance of correct … operation.” The solution, which they advocate, involves a “small trusted gateway within the enterprise.” Two important factors, which they emphasize, are “data freshness”, along with “date integrity” (i.e., assurance against data tampering).
The mechanisms suggested by Juels and Oprea are well worth considering. They can really apply to both internal and external facilities and should be considered for both. However, I did not see much attention paid in the article to actual tamper-proofing. This is an area that also has great potential in resolving issues relating to the perception of security in the cloud as well as for internal systems.