Problem solve Get help with specific problems with your technologies, process and projects.

Cloud computing security: Balancing risks with convenience

Cloud computing security and network controls that protect your data must be in place as enterprises move applications and services into the cloud.

The economics of cloud computing make its adoption inevitable, and it will no doubt have a huge impact on how we "do" IT.

There is a shared responsibility with your cloud provider for the security of your data, but ultimately you are responsible.
Michael Cobb
Founder and Managing DirectorCobweb Applications Ltd.
Cloud computing relies on everyone sharing their IT infrastructures, presenting a complicated challenge for network engineers being asked to secure an environment they don't control. As a result, cloud computing security and network controls must be put in place as applications and services are moved into the cloud.

The substantial economic benefits of working in the cloud change many long-established risk-reward relationships. You'll need to take a fresh look at your organization's business strategy and appetite for risk when assessing the return on investment (ROI) of any cloud computing security solutions you decide are necessary for a switch to cloud computing. You may want to take a look at the framework created by the Jericho Forum for helping companies evaluate the risks and opportunities associated with moving business processes into the cloud.

In addition, a recent report by the Information Security Forum suggested that many of the current cloud service offerings are immature. Even the large platform-as-a-service (PaaS) vendors like Google and Microsoft have short track records with cloud-based services.

Cloud computing security resources

Review the impact of cloud computing on the network

Find out how WAN engineers are preparing the network as cloud computing rises

Then analyze the risks involved as carriers offer cloud computing services

The forum advises caution and says companies should avoid putting their most important systems into the cloud until they are sure of their supplier's reliability.

While cloud computing is often presented as a bulletproof option, surveys show that around one-third of respondents experienced an outage in their service, so you need to plan for service disruptions. Multiple service providers will give you better network diversity and business continuity. Rather than relying on one T1 line, smaller businesses may well find using a cable modem and DSL combination could be cheaper and faster, but this redundancy does mean supporting multiple carriers and the loss of bundled services discounts.

WAN optimization helps users abide by security policy rules

It's no good just concentrating on connectivity to ensure availability. Network-centric tools like VoIP, centralized data stores and Web-based apps are extremely latency-sensitive. Many cease to function when a saturated WAN link is their only route to the larger network. This causes employee frustration and creates a security risk. For example, slow file transfers can lead employees to find alternative methods to transfer files, which may well break security policy rules.

WAN optimization is a relatively small investment compared with investing in mobile software solutions or adding another data center closer to mobile employees. WAN optimization solutions like the Citrix Netscaler combine traffic management through Layer 4-7 load balancing with a Web application firewall, which is ideal.

Taking responsibility for cloud computing security

Although there is a shared responsibility with your cloud provider for the security of your data, ultimately you are responsible, and that's a role you can't outsource. Therefore it's essential to conduct a thorough review of your provider's security to ensure good governance, preferably against a proven standard such as ISO 27001. Providers should be able to share the results of independent audits and penetration tests with you if you can't conduct your own.

Certainly, by the time you're ready to move data or applications to the cloud, your IT team will have gone through a steep learning curve to adapt to the new ways of working. I'd make sure that some of the money saved is used to provide adequate training for them. In the meantime, I would recommend reading the Cloud Security Alliance's guide, which will help you understand the main areas of concern for organizations adopting cloud computing.

About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.

This was last published in November 2009

Dig Deeper on Network Security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.