Three Steps to Secure Cloud Computing

By Robert McGarvey

You can close your eyes and pretend it is not happening—many CIOs are doing exactly that—but face this reality: “Cloud computing is with us to stay. Everybody will soon be using it.”

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. “They are panicking about this,” said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon’s cloud computing offering. The panic is well-founded, isn’t it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: “Security is not the issue. Do you think your IT department knows more about data security than Amazon does?”

Reality check: “Data security in the cloud is no different than data security at a remote data center,” said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

In many cases, data at most companies “are more at risk in their own environment than in a well-managed cloud,” said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, CA-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players—Amazon, Google, Sun Microsystems, Salesforce.com—know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data do seem overwrought. “There’s been a lot of over-reaction,” said Sheynkman.

“The question should not be about data security in the cloud,” elaborates Haskin. We need to be asking other questions that probe exactly why we are afraid of cloud computing, and certainly, as a group, CIOs are resisting it. But just maybe that has to end, because the time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, CA-based Dreamfactory, a developer of cloud-based applications, ominously warns: “The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT.”

And that may be the legitimate worry. That’s because a CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online in Web-based spreadsheets or slide shows.

“Most CIOs worry a lot about employees putting data that shouldn’t be public in public places,” said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company’s strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

“Just put into place clear policies, then educate employees about them,” said Day.

Pull your head out of the sand (or the clouds, as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. So also look for other, more secure ways to let them do exactly that, adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another lingering worry about cloud computing is that, with many providers, log-ons are too primitive. “Large enterprise will not embrace the cloud until security significantly improves,” flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where two-factor, strong authentication is in use and, right there, hackers probably are kept at bay. Take just that step, suggests Gunn, and considerable big company opposition to cloud computing would instantly evaporate. Most mainstream cloud providers are hanging back on this but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.

Here Today …

A last, big worry, particularly in today’s unstable economy, is how durable is the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. “You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider.” When a cloud provider goes bankrupt how accessible is your info, by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra’s Sheynkman who reminds us: “It’s not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation.”

Take it in little steps, but start taking some steps. That’s the smart way to embrace the cloud.