Cloud Computing Could Pose Serious Security Issues


(Editor’s note: This is the second part of a two-part series on addressing security risk on cloud computing. Click here for the first part.)

A few years ago, Google Enterprise president Dave Girouard had his laptop stolen from the trunk of his car at a San Francisco Giants game.

But if the thief was looking for information, he would have been disappointed. “There was nothing on that laptop,” he says through a spokesman. “Everything was stored remotely — there was no loss of data, and no loss of productivity.”

Girouard’s story highlights the potential of cloud computing, which experts acknowledge is still in its infancy. And Google’s Eran Feigenbaum advises consumers to “carefully consider to whom they entrust their data, be it on-premise or in the cloud.” But he says that Google is taking steps to ensure the data in their cloud is secure.

“Google has a full-time security team, and we employ some of the top security experts in the world,” Feigenbaum says. “Our operations work at a large scale, allowing our security teams to detect, act upon and resolve a wider variety of security threats than one single company would ever face – sometimes even before the threat is discovered by the antivirus companies.”

“With a traditional software vulnerability, a patch is released and companies typically take 30-60 days to deploy it,” Feigenbaum adds. “During that time, they remain vulnerable. With cloud computing, companies don’t need to patch their own servers. We designed our servers with security in mind from the start, and we can patch them quickly to help ensure our customers are safe.”

Christofer Hoff, director of Cloud and Virtualization Solutions at Cisco Systems, says he understands security concerns from both the business and consumer angles. But he also says the security issues are complex and they will be ironed out, in time.

“For the cloud service provider, there are questions of hardware, facilities, infrastructure, ability to build applications and software. Each of these has trade-offs,” Hoff says. “The business side is still maturing in this market.”

“For the consumer, it comes down to two things: trust and control,” Hoff says. “Cloud computing is about gracefully giving up control while trusting that a provider will exercise the appropriate due diligence and care of your information. The issue of giving up control is an emotional response – in many cases it’s a response formed around the opinion that a provider cannot do as good a job protecting one’s assets. We have to balance between control issues and making sure we have adequate visibility and transparency so that people can trust that the information is safe with these service providers.”

Hoff says these are some of the issues that will be addressed:

  • Privacy standards. “The challenge comes in the way in which these services are delivered,” Hoff says. “Privacy concerns in cloud are not that different from non-cloud service offerings although they are exasperated – because in a single-tenant, non-cloud environment you generally know where information is and how it’s being kept. With lots of different customers, that isolation of that data is appropriately maintained.”
  • Massive amounts of multi-tenancy and massive amounts of scale. “Providers have to manage service and isolation of potentially millions of customers and this presents a challenge as we see infrastructure and applications scale to address consumption at this level,” Hoff says.
  • “You have to take a holistic view (on confidentiality and privacy) and what the policies and service levels are,” Hoff says. “The standards I was talking about were less about regulations and more about open API and interfaces between cloud providers so that you have a choice of providers.”
  • There are 18 different organizations and standard bodies that are coming up with cloud standards and APIs. “That should settle down over time as a normal function of market dynamics and customer demand, but it’s very confusing and difficult at times to determine where to place your bets,” Hoff says.


Cloud Computing as an Operations Model

Amazon Web Services (AWS), which is also working on perfecting its cloud, has a white paper on how it secures its network. Companies that use AWS include ESPN, the New York Times Company and Pfizer, says spokesman Kay Kinton.

When asked about public vs. private clouds, Kinton says, “What we’ve seen dubbed a ‘private cloud’ is really just another form of virtualization and lacks the key benefits of the AWS cloud and Amazon VPC [Virtual Private Cloud]. Virtualization of an existing IT environment still means that you have to deal with the hassles of owning, managing, and operating the hardware – contract negotiations, facilities management, staffing.

“In addition, you still incur all the capital expenditure of owning all of your assets, instead of simply paying as you go,” Kinton adds. “Most important, these types of virtualized environments lack the key benefit of elasticity. With AWS not only can an application scale on demand but when the resources are no longer needed, an enterprise can release them and stop paying for them. It would be very hard for most enterprises to duplicate the scale and heterogeneity of use cases of AWS, and thus to simultaneously maintain high server utilization and the ability to scale up and down instantly.”

“It’s less about ‘what is the cloud?’ than ‘how can I use the cloud?’” Cisco’s Hoff says. “It’s still really early days in cloud computing. The technology is evolving but people are beginning to understand that the cloud is not a technology, it’s an operations model.”

Hoff also adds that Cisco is not looking to compete with companies like Google with its own cloud. Rather, it is focusing on giving service providers the infrastructure and solutions needed to deliver secure public cloud services, and on enabling customers to build their own private clouds.

James Zipadelli is a Connecticut-based freelance journalist. He has written for CTNewsJunkie.com, Helium.com and several publications in Boston. You can find him on the Web at www.jameszipadelli.com or on Twitter @redsoxlive.