Security in the Cloud – Does Every Cloud Really Have a Silver Lining?

Sunday, January 3, 2010 by Thought Leadership Team

Defining the abstract concept of cloud computing is easier said than done.

According to the National Institute of Standards and Technology¹, “cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Other organizations take a more basic approach, defining cloud computing simply as virtual servers available over the Internet. Regardless of definition, cloud computing is a phenomenon that continues to grow in popularity within the business world.

The benefits of cloud computing are undeniable. Cloud technology boasts greater flexibility, allows users to increase mobility, provides organizations with increased storage and reduces the burdens placed on IT departments through the use of conventional computing systems – all at a fraction of traditional computer technology costs. It is this needs-based, cost-effective outsourcing of computer requirements that continues to drive the increasing use of cloud computing. However, no technology is free from complications. As organizations continue turning to cloud computing to help meet technology needs, the risks associated with operating in the cloud are becoming more apparent, the most prominent of which is security.

Data security is an integral component of successful business practice. Corporate data security policies are developed and enforced not only to ensure compliance with federal and regulatory requirements, but also to protect the integrity of consumer and business information. When service providers in the cloud are employed to provide remote data storage and processing – albeit at a greatly reduced cost – organizations subject sensitive information to the security practices of the third-party provider. Ultimately, the organization itself is charged with ensuring that proper security protection is in place, and therefore any outsourcing of data storage or processing involves an inherent risk.

The risks associated with cloud computing are naturally dependent upon such factors as type of business, amount of data outsourced and the service provider selected. Nonetheless, issues such as data location, access and recovery relevant to cloud computing have emerged as key concerns.

First, cloud customers are potentially unaware of the physical location of data entrusted to cloud computing service providers. In the ordinary course of business, the physical location of data may appear to be inconsequential. However, the location of stored data determines applicable data protection laws. International data protection laws often afford more protection than comparable regulations in the United States. Therefore, cloud customers may unknowingly subject themselves to higher levels of data protection scrutiny. Second, cloud customers must educate themselves about who will manage the remotely stored data. Organizations maintain control of user access from the corporations’ side, but some members of the third-party provider team also acquire access in off-site storage. Finally, cloud customers must be concerned with the practices and procedures adopted by service providers regarding data recovery in the event of a security breach or data loss.

While these security risks represent important concerns associated with conducting business within the cloud, they are simply the tip of the iceberg. The cloud computing market’s continued growth has sparked a movement advocating for standardized security practices in the industry. The Cloud Security Alliance (CSA)² is a nonprofit organization comprised of leading subject matter experts that was formed to “promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.” The CSA is just one organization that has identified the need to reduce security risks associated with cloud computing, and although such organizations have had a strong impact on the industry, standards have yet to be officially enacted. In the absence of obligatory industry security standards, service providers are free to implement protocols without regard to individual business needs. While these providers have undoubtedly evaluated and developed sophisticated procedures to protect against security risks, the fact of the matter remains that these are self-developed standards.

Ultimately, the responsibility of ensuring the security of remotely stored and processed data falls upon the individual businesses that use cloud computing technology. Cloud customers must educate themselves on the security policies and procedures of cloud service providers, and actively negotiate and contract for any additional security measures deemed necessary. The significant cost savings associated with cloud technology provide strong incentives for businesses to outsource some, if not all, of their data storage needs. However, a failure to ensure that the security offered by service providers complies not only with corporate policies, but also with any federal or regulatory requirements could spell disaster for organizations conducting business in the cloud. Ignorance is not bliss in the world of cloud computing. Data security – not cost savings – must remain top of mind for organizations that choose to enter the world of the cloud.

¹ NIST Definition of Cloud Computing v15, available at http://csrc.nist.gov/groups/SNS/cloud-computing.

² http://cloudsecurityalliance.org.