Seeking Clarity in the Cloud’s Security Haze

Corporate execs and IT managers may soon get clearer answers to fuzzyquestions regarding how secure or insecure cloud computing really is.

In an effort to solve that lingering mystery, the non-profit OpenSecurity Foundation (OSF) late last month launched its cloutage.org website. The new website is aimed at empowering organizations byproviding cloud security knowledge and resources.

OSF officials hope that business and security users will be able toapply the independent data provided to better assesssecurity risks related to the cloud. The goal is to bring enhancedvisibility and transparency to cloud security.

A recent survey by LogLogic showed that companies in the financialindustry are slow to adopt cloud services out of worries aboutincreasing government security regulations that cloud providers maynot be able to handle.

“Our survey revealed that 60 percent of respondents had concerns aboutsecurity and transparency issues related to the cloud,” Dimitri McKay,security architect for LogLogic, told TechNewsWorld.

A Gray Area

Cloud technology right now is prompting many emotional concerns that only grow in the face of FUD (fear, uncertainty and doubt), noted Jake Kouns,chairman and CEO of the Open Security Foundation.

“I can’t say either way that the cloud is any more or less secure thantraditional network storage. Those who say otherwise don’t have allthe facts,” Kouns told TechNewsWorld.

In some respects the cloud is like a no-man’s land where no law andorder is in place. No one entity is in charge, he mused.

“Not all providers agree on security requirements and do it the sameway. There is no one standard,” he said.

No Argument There

Ultimately, it is up to cloud customers to know about cloud security.But that is a costly research task that cloud vendors are better ableto handle, suggested Michael Sutton, vice president of securityresearch for Zscaler.

“There is no straight answer to the cloud security question. The cloudcan be and should be more secure than it is,” Sutton toldTechNewsWorld.

The key lies in the hands of customers. It comes down to transparency. This isless available on the cloud, he added.

In July, cloud security firm Zscaler announced the availability of afully integrated email and Web security service that adds emailsecurity to its existing Web and cloud security portfolios.

Security Sore Spot

Data security on a network is different than securing the data storedon the cloud. It is harder to do, Sutton offered.

Having a security firm to handle it requires a company’s IT departmentto have a unique mindset about security, said Sutton.

“The same threats exist. The difference is in the controls used. Acompany using the cloud cannot risk having inferior security. Butthere are no guarantees,” he said.

Housing Hassle

It is easier to understand the unique nature of cloud security issueswhen you view them in the context of a housing environment. Thedifference between traditional network and cloud storage security ismuch like the differences in securing a single-family home and acondo.

For instance, the same controls that we use to lock down a singlehouse are not going to work as well in the condo environment, suggestedKouns. You can protect the perimeter with firewalls and intrusionprotection and anything else you want to do.

“But once you get inside, it’s kind of wide open. You have to applydifferently the same controls and security. There is a balance there.How to apply the security is what needs a review. Some groups andvendors have better controls than others,” said Kouns.

Multi-Tenant Shuffle

Perhaps the most complicating factor in figuring out how to betterlock down cloud storage is what security experts call the cloud’smulti-tenant environment. Essentially, more than one user inhabitsstorage space in the clouds.

So secure walls are needed within to keep “non-family” members out ofsomebody else’s apartment. Just like living in a hotel, that lock onthe front door now impacts every other tenant in there, explainedKouns.

This multi-tenant nature of the cloud results in the potential forshared data among all users of that cloud. The cloud needs adequatecontrols to block others from getting at that data, Sutton warned.

“It boils down to people having to change their perspective with cloudsecurity. Using the housing analogy, you want to protect your house soyou put locks on all the doors. But that basic premise changes withmulti-tenant cloud dwellers,” said Kouns.

Retrieving Regrets

Another big concern with cloud security is the availability of storeddata, added Manoj Apte, vice president of product management forZscaler. Backing up data and getting it back on line is sometimes animprecise science.

A related issue is specifying the data to retrieve. This process cantake up to 12 hours, he said.

“Not all providers manage storage and data retrieval the same way. Theperception and the reality of the cloud is not always the same,” Aptetold TechNewsWorld.

No Place Like Home

One of the most disconcerting aspects of managing cloud storage andsecurity is the residency factor. For instance, the exactly location where your data livesis often unknown.

“Most providers are world-based. So users are never sure where theirdata lives. That affects laws at the stored location rather than wherethe data’s owner is located,” McKay explained.

Related to this data residency concern are issues involved withmigrating your data to another cloud. The task is much morecomplicated than when burning data to disks and taking them elsewhere.

Cloud-hopping is another issue. How do you move your data? There areno standards on how clouds interact, noted Kouns.

Survey Says

LogLogic’s survey showed that, at least in the banking and financialindustries, the game plan is to keep systems up and running andcompliant with industry and government regulations. Few are exploringnew technologies or seeking competitivemarket advantages through major investments in new IT projects. Thatmeans that cloud strategies may be a bad fit right now.

Survey highlights conclude:

• More than 60 percent of respondents were concerned about moregovernment regulation;
• Some 34 percent said cloud computing is not yet strategic to their company;
• 24 percent faced daily attacks on their IT systems from outsiders;
• Sarbanes-Oxley (SOX) and Payment Card Industry Data SecurityStandards (PCI-DSS) are thetop two compliance challenges in financial services today.

“Regulatory compliance agencies need to see virtualization and cloudplatforms as more than a new toy,” said LogLogic’s McKay about theirsecurity issues.

Bringing Clout to the Cloud

OSF’s new Cloutage Project seeks to foster a solution to the cloudsecurity question. The Cloutage name comes from a play on two words,Cloud and Outage. He designed the Cloutage Project to get real data todetermine what is happening in the clouds.

Those terms combine to describe the two things the new websiteoffers. First is a destination for organizations to learn about cloudsecurity issues. Second is a complete list of any problems around theglobe among cloud service providers, said Kouns.

“I don’t know how the project is taking off, but I believe it willwork. We have a pretty good framework,” he said.

The Framework

The project will sift through data that supports five performanceareas associated with cloud computing.

So far the research has garnered over 100 incidents. Cloutage is trackingcloud vulnerability, cloud outages, and hacks/breaches in the cloud.

The last two categories involve data loss from retrieval failure ofdata stored in the cloud and what Kouns termed “cloud auto fail.” Thisoccurs when cloud vendors send updates that are not fully tested andkill customers’ computers.