Forrester: A Close Look At Cloud Computing Security Issues

Chenxi Wang examines security, compliance and contractual issues in cloud computing

By Chenxi Wang, Ph.D., Forrester Research

July 01, 2009

Organizations are increasingly looking to cloud computing to improve operational efficiency, reduce headcount, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of cloud services.

Cloud computing comes in many forms: There are SaaS providers like salesforce.com; platform-as-a-service (PaaS) offerings like Amazon's SimpleDB; Web services that offer application programming interfaces (APIs) that enable developers to exploit functionality over the Internet, such as Yahoo! Maps and Flickr; and infrastructure-as-a-service plays like those offered by Rackspace, Terremark, and Savvis.

Unlike traditional outsourcing, which is still very much standalone computing, cloud computing decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it's replicated. Multitenancy, while rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only impact your risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery.

Based on close to a dozen interviews with vendors and IT users about the security issues surrounding cloud computing services, Forrester has synthesized three main areas companies should consider:

  1. Security and privacy. Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity management (IAM) top the list of security issues for cloud computing. Privacy is another key concern—data that the service collects about the user (e.g., event logs) gives the provider valuable marketing information, but can also lead to misuse and violation of privacy. One way for customers to evaluate a provider's security and privacy practices is through auditing, which can lend some visibility into the vendor's internal operations. However, auditing goes against the very grain of cloud computing, which attempts to abstract away the operational details by providing easy-to-use interfaces and APIs. A cloud provider may not allow internal audits, but it should offer provisions for some form of external audit of its infrastructure and network.
  2. Compliance. Users who have compliance requirements need to understand whether, and how, utilizing cloud services might impact their compliance goals. Data privacy and business continuity are two big items for compliance. A number of privacy laws and government regulations have specific stipulations on data handling and BC planning. For instance, EU and Japan privacy laws demand that private data—email is a form of private data recognized by the EU—be stored and handled in a data center located in EU (or Japan) territories. Government regulations that explicitly demand BC planning include the Health Insurance Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination Council (FFIEC), Basel II, Payment Card Industry (PCI), and the UK Contingency's Act.
  3. Legal and contractual issues. Liability and intellectual property are just a few of the legal issues that you must consider. Liability is not always clear-cut when it comes to cloud services. The same goes for intellectual property (IP). For some services, the IP issue is well understood—the cloud provider owns the infrastructure and the applications, while the user owns her data and computational results. In other cases, the division is not quite so clear. In software mashups, or software components-as-a-service, it can be difficult to delineate who owns what and what rights the customer has over the provider. It is therefore imperative that liability and IP issues are settled before the service commences. Other contractual issues include end-of-service support—when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider's infrastructure.