Organizations are increasingly looking to cloud computing to improve operational efficiency, reduce headcount, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of cloud services.
Cloud computing comes in many forms: there are software-as-a-service (SaaS) providers like salesforce.com; platform-as-a-service (PaaS) offerings like Amazon's SimpleDB; Web services that expose application programming interfaces (APIs) so developers can use their functionality over the Internet, such as Yahoo! Maps and Flickr; and infrastructure-as-a-service (IaaS) offerings like those from Rackspace, Terremark, and Savvis.
Unlike traditional outsourcing, which is still very much standalone computing, the cloud decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it is replicated. Multitenancy, rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only affect your risk management practices, but have also prompted a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery.
Based on close to a dozen interviews with vendors and IT users about the security issues surrounding cloud computing services, Forrester has synthesized three main areas companies should consider:
- Security and privacy. Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity and access management (IAM) top the list of security issues for cloud computing. Privacy is another key concern: data that the service collects about the user (e.g., event logs) gives the provider valuable marketing information, but can also lead to misuse and violations of privacy. One way for customers to evaluate a provider's security and privacy practices is through auditing, which can lend some visibility into the vendor's internal operations. However, auditing goes against the very grain of cloud computing, which attempts to abstract away operational details by providing easy-to-use interfaces and APIs. A cloud provider may not allow internal audits, but it should offer provisions for some form of external audit of its infrastructure and network.
- Compliance. Users who have compliance requirements need to understand whether, and how, using cloud services might affect their compliance goals. Data privacy and business continuity are two big items for compliance. A number of privacy laws and government regulations have specific stipulations on data handling and BC planning. For instance, EU and Japanese privacy laws demand that private data (email is a form of private data recognized by the EU) be stored and handled in a data center located in EU (or Japanese) territory. Government regulations that explicitly demand BC planning include the Health Insurance Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination Council (FFIEC) guidance, Basel II, the Payment Card Industry (PCI) standard, and the UK Civil Contingencies Act.
- Legal and contractual issues. Liability and intellectual property are just two of the legal issues that you must consider. Liability is not always clear-cut when it comes to cloud services. The same goes for intellectual property (IP). For some services, the IP issue is well understood: the cloud provider owns the infrastructure and the applications, while the user owns her data and computational results. In other cases, the division is not so clear. In software mashups, or software components-as-a-service, it can be difficult to delineate who owns what and what rights the customer has with respect to the provider. It is therefore imperative that liability and IP issues be settled before the service commences. Other contractual issues include end-of-service support: when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider's infrastructure.
While cloud computing can deliver many benefits, organizations should not jump on the cloud bandwagon without a compelling business driver and a clear understanding of the security, privacy, compliance, and legal consequences. An effective assessment strategy covering these items will help you reach the ultimate goal: make the cloud service work like your own IT security department, and find ways to secure and optimize your investments in the cloud.
The security and legal landscape for cloud computing is rife with mishaps and uncertainties. In the long run, however, cloud operators will continue to find economies of scale, not only in their core services, but also in their treatment of security.
To take full advantage of the power of cloud computing, end users need assurance about the cloud's treatment of security, privacy, and compliance issues. To that end, we need an industry with open standards, clearer regulations, and community-driven interoperability. A standards-based approach will make it easier for vendors to support flexibility, agility, and expanded cloud service offerings such as collaboration, and it will also make it easier for customers to evaluate cloud vendors and build trust in their privacy and security promises.
With the rising popularity of cloud computing and the emergence of cloud aggregators and integrators, the role of the internal IT security officer will inevitably change: we expect IT security personnel to gradually move away from an operations-centric role and step instead into a more compliance- and requirements-focused function.
Chenxi Wang, Ph.D., is a principal analyst at Forrester Research where she serves Security & Risk professionals. For more information on Forrester's upcoming Security Forum, to be held September 10-11, 2009 in San Diego, Calif., please visit www.forrester.com/securityforum2009.