Assurance needed on availability, data and security policy
Symantec Corp’s chief scientist has urged businesses considering the use of cloud services to carry out robust and regular risk and data security assessments of their service providers.
Guy Bunker, who is responsible for cloud security strategy at Symantec and sits on the Jericho Forum, said, “A common misconception is that because security issues in the main don’t happen in the data centre but out at the end points, then stuff out in the cloud is going to be more secure and is more resilient against attack. It is not the case.”
He said that questions need to be asked about how data is stored and managed, where it is located and how it is transferred.
“The security of virtual environments needs to be assured, so that compliance and governance aren’t compromised. That means a service provider’s information security policies, systems security and network security have to be auditable.”
Availability of data also has to be guaranteed and, according to Bunker, this means more than worrying about possible outages.
“We can expect an increase in the number of cloud services coming onto the market and not all of them will survive,” he said, noting the early withdrawal from the consumer cloud storage market by HP.
In March, HP told users of its Upline online backup service that the plug was being pulled, less than a year after going live. Customers had just 30 days to remove their files.
The Symantec executive asks, “What happens if that happened with enterprise cloud services? How do I set about retrieving data that is hosted in the cloud, and push it out to a new service provider without incident, loss or downtime?”
Bunker argues that some of the security concerns about cloud will depend on its type and purpose.
There are clouds which are internal, those that are external, insourced or outsourced, proprietary or open. “The other issue depends on whether we are talking about infrastructure as a cloud service and traditional hosting made popular by the likes of Rackspace, a platform-as-a-service such as Amazon’s EC2, or software-as-a-service like Symantec delivers.”
At present the cloud has become all things to all people. The reality is that it will end up being a mixture, with data sets from one organisation being run next to those of another and where admins can see all data. “Then there are opportunities that data is wrongly accessed, lost, or sold.”
The Jericho Forum last week launched its latest initiative and a paper detailing its proposed cloud cube model.
Bunker said that, in essence, this defines the variety of different cloud computing models that are available to companies and starts to address some of the key benefits and risks for each one.
Elsewhere, the National Institute of Standards and Technology, International Organisation for Standardisation, and industry groups such as the Cloud Security Alliance are all currently working on frameworks for enforcing privacy and protection of data in the cloud.