The market for cloud, or Internet, computing, in which software and information are available on demand, has surged in recent years. Market research firm IDC expects businesses worldwide to spend $57.4 billion by the end of this year - double that of only a few years previously. Does this signal a brave, new world of 'cloud without borders' and is this necessarily the right way to go? How safe is your information in the cloud and who really has control over it?
Cloud computing presents a major opportunity for the security industry. Unfortunately, whether that opportunity is for success or failure is as yet unwritten.
The opportunity of cloud computing is the centralization and normalization of data management and infrastructure. Instead of relying on every company building out secure development practices and strong operational security processes, there is now an opportunity to centralize that responsibility on a few cloud providers.
Alongside this centralization, we also have a shift in technology, such as heavily multi-tenanted environments and the adoption of virtualization and software-defined networking. All of these changes give us an opportunity to inject security controls in a uniform way as these services are created in the cloud. It’s an opportunity to start with security built-in from the ground up; and surely that is a much better proposition than security as an afterthought.
Everything from data encryption to access control could be improved as we make this transition. Some cloud providers take this very seriously and have been very forward thinking about how to provide secure cloud services. However, as we look to the cloud to help us address some of the problems of the past, new problems arise. How does one take advantage of these new features and capabilities, and how does one ensure they are not exposing themselves in new and unfamiliar ways?
Amazon AWS is a great example of a provider that has been forward thinking when it comes to security. It has a very rich feature set to automate your environment, but has also introduced a large set of new security features. These new features mean that users need to educate themselves on how to use them securely.
A great example from this summer was a slew of AWS servers running Elasticsearch, a data storage technology, which were compromised by malware. The problem was that users did not understand that this technology should never have been made available on the internet in the first place, and thus it was exposed to hackers. This was not an example of the cloud being insecure; it is an example of how new AWS users do not understand how to restrict access to their running services using the new features AWS provides.
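As an added illustration (not part of the original article), the check below flags AWS security groups whose ingress rules leave Elasticsearch reachable from the whole internet. It assumes access is restricted through EC2 security groups and that Elasticsearch listens on its default ports 9200 and 9300; the sample JSON is constructed in the shape of `aws ec2 describe-security-groups` output, and the function names are hypothetical.

```python
import ipaddress
import json

ES_PORTS = (9200, 9300)  # assumption: Elasticsearch default HTTP and transport ports

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9400,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0example3", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example4", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

def is_world(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covers(perm, port):
    # An ingress rule admits the port if it allows all protocols ("-1")
    # or is a TCP rule whose port range includes it (ranges hide exposure).
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_groups(doc, ports=ES_PORTS):
    """Return sorted (group id, port, cidr) for rules open to the internet."""
    hits = set()
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in filter(is_world, cidrs):
                hits.update((sg["GroupId"], p, cidr) for p in ports if covers(perm, p))
    return sorted(hits)

if __name__ == "__main__":
    for group, port, cidr in exposed_groups(SAMPLE):
        print(f"{group}: tcp/{port} reachable from {cidr}")
```

The sample covers the cases that are easy to miss by eye: a wide port range that happens to include 9200, an IPv6-only open rule, and an all-protocols rule with no port fields at all.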
Yet, we hear about these kinds of stories time and again; one could almost be forgiven for thinking these incidents point to cloud being less secure than other environments. But this would be irresponsible because, like so many other areas of security, it is simply a case of user education.
Yes, the cloud presents huge business benefits, but no one should enter blindly into the relationship without a clear picture of each side’s responsibilities. Therefore, the chance of failure comes in equal measure for both the consumer and the cloud provider. We cannot afford to be ignorant customers in this market; we must hold providers to high standards for their operational controls and practices. Certainly this is possible, but it is also critical for users to look to their providers for assurance that they are doing their part to secure their data.
So, there is not only a technology case for the opportunities that the cloud presents when it comes to security, but also one of education, consultancy and regulation: making sure that providers are accountable and have a certain duty of care to let customers know that they also have their own responsibilities when it comes to the security of their data and applications running in the cloud.
There are impressive efforts by organizations such as the Cloud Security Alliance that are making headway on this, but we need to keep these issues at the forefront of the conversation as we move to the cloud to ensure we do not let security take a back seat.