Cloud Security: No Guarantees

The decision to shift storage and compute resources to the cloud is about more than the bottom line, and it's almost never a slam dunk, but it can pay big dividends, according to a new InformationWeek report, Fundamentals: Cloud vs. In-House IT: Spend Smart in 2012. According to eBay, if it could increase its data center utilization rate while using cloud services to handle spikes, a cloud provider could charge as much as four times the internal computation unit rate and eBay would still save money.

However, when adopting a cloud service--whether it's software as a service or platform as a service--enterprise IT organizations frequently make the assumption that the provider's security will be an improvement over the security of their own on-premise systems. Verifying that this is true, however, is tricky, and, in the end, there are no guarantees.

Vendors are able to provide their track record of outages and resolution times to potential and existing customers, and many outages make it into the headlines, but service providers have other ways to prove how solid their security is. Trust and verification comes, in part, through a personal relationship between the customer and the provider, says Carl Brooks, analyst of infrastructure and cloud computing at Tier1 Research. "It's a truism that Amazon and Google would have you believe that their security is better than what you can do, and to some extent that's true because they have a lot more to lose and a lot more to protect on their cloud infrastructures than a single organization would," he says.

Track records mostly provide only a perception of security being provided by cloud providers, he adds. Outages like the one Amazon experienced in April 2011 called the reliability and security of Amazon Web Services into question, but Brooks notes that Amazon's uptime is generally better than what enterprise IT organizations are typically able to provide (99.95% uptime versus 85% uptime).

The biggest providers, such as Amazon and Google, have teams dedicated to security, whereas an individual organization may have only one dedicated security professional. Demonstrable proof of security comes in the track record, but also in security audit certificates, Brooks says. The previous industry standard was a SAS 70 Type 2 audit, which is conducted by a security auditor and details the security controls in place and whether they are operating effectively. The new industry standard for security auditing is SSAE 16, replacing SAS 70 for reporting security controls of an organization.

Auditing services are on the rise in the cloud realm, says Zeus Kerravala, principal analyst at ZK Research, and it's likely to be a growing trend. "All cloud providers will tout their own strengths [obviously], so independent services used to measure them would be beneficial to buyers. Also, I think we'll see more use of virtual security appliances that enterprises can self-deploy into cloud environments," he says.According to Jeff Kaplan, managing director of THINKstrategies, there are three key ways that cloud providers are trying to address customer security concerns.

First, they get certified with independent security audits with SAS 70, SSAE 16, Payment Card Industry (PCI) and others, all of which demonstrate that they've sought to meet industry standard security practices. Depending on the nature of the service being provided, they also put their money where their mouth is with SLAs. (For instance, Amazon's SLA promises 99.95% service uptime.) Finally, vendors document the specific technologies they're using to ensure security and take measures to record problems and response times, which they then provide to potential customers for scrutiny to ensure they meet minimum requirements.

Amazon is providing additional control and automated metrics of its systems and infrastructure with its Virtual Private Cloud (VPC) service, which works as a fenced-off reservation and is built to appear as part of a customer's own infrastructure, explains Brooks. VPC provides segregated systems, automated OS patching and automated security controls (including deep packet inspection on the fly) that it can demonstrate to customers. Vendors like Amazon, Datapipe and Freedom OSS are moving one step beyond by providing rudimentary security controls to customers.

"Outages are going to happen to everybody, and the plain fact is almost every service provider is going to do it better than enterprise IT because it's their job," Brooks says.

Learn more about The Rent vs. Buy Decision by subscribing to Network Computing Pro Reports (free, registration required).