Info-Tech Research Group recently held a Web seminar on cloud computing and security. Security, Info-Tech says, is not about eliminating risks to the enterprise, it is about mitigating these risks to acceptable levels. As organizations increase their use of software-as-a-service, some question the security risks associated to the business. Is our information at risk from unauthorized use or deletion? Is security the same with the internal and external cloud? In the webinar, Info-Tech’s senior analyst James Quin discussed the challenges and concerns the market faces today regarding security and cloud-based technologies. 

The following questions were asked during the webinar. Some were answered in the webinar conversation with James and others are answered below.

Q: What types of businesses are currently using the cloud and what businesses are best suited for the cloud?

A: Many organizations are using the cloud right now. This includes both large and small organizations across all industries. Organizations that are testing or cleaning generic data that is not deemed to be confidential or sensitive is well suited for the cloud. The cloud allows the infrastructure necessary to make use of the data and shut it down when necessary. Short term data recovery capabilities are well suited for the cloud as well as software-as-a-service, for example, CRM tools. 

Q: Do legislative requirements exist for companies who are operating in the cloud?

A: Legislative requirements do not exist for companies operating in the cloud. It’s important for companies to understand and set up contracts with vendors. It’s your responsibility (not the vendor) to ensure audit practices are developed to ensure data integrity and security.

Q: How do you know the geographical location of the cloud in order to be compliant with state and federal laws for holding private information? 

A: The short answer to this is that you don’t know. That’s one of the challenges. There are massive data centers all over the world and we don’t know the geographical location of the data and can’t control where it is. That’s the fundamental challenge of using the cloud. It doesn’t mean you shouldn’t use cloud computing, it just means you need to understand what applications are best suited for its use.

Q: What is the impact of US Patriot Act on privacy concerns of non-US organizations?

A: The US Patriot Act allows for search and seizure in the event of suspected terrorism, or dealings with terrorists. Depending on how the seizure is executed, in theory should law enforcement wish to seize electronic data, they could seize actual storage devices, which would affect multiple clients. This leads to an inability to access to data, but also leads to a potential of loss of data. Encryption is fundamental and a tactic companies should consider implementing.

Q: Can companies develop exit strategies for the cloud?

A: Companies can and definitely should set up exit strategies. This is a fundamental issue, not necessarily a security one. Companies must be very careful about this. First, companies must ensure they are using cloud providers who do not use proprietary data storage or something unique to them. An exit will be difficult if this is the case. Second, contractual stipulations need to be worked out between the client and vendor. As a client, a tactical measure is to make sure that removal and cleansing is clear in the contract.

Q: Has the cloud changed the ISO Model?

A: No, the ISO model doesn’t care about the cloud. ISO is a standard. Cloud is fast moving and has not been addressed in the ISO model. Companies are however looking for direction in this area. One of the best organizations which may be able to help answer your questions about this is Cloud Security Alliance at www.cloudsecurityalliance.org.

Q: With the tremendous amount of sensitive/proprietary data in the cloud, what are cloud vendors doing to protect it? Whose responsibility is it to protect the data? How can I be sure that the vendor doesn’t have access to my data?

A: One step organizations can take is an audit process to ensure your data is protected. If the vendor is unable to do this or pass the audit, you may need to look at your exit strategy. If it’s your data then it’s your responsibility to protect it. Ask what security controls the vendor provides and make sure that you are using strong encryption with self-managed keys.

Q: What work has been done on total cost of ownership in a secure cloud environment?

A: Not much work has been done in this area. Right now, cloud is a model built on efficiency, not evaluation. For example, how much security costs to you. The Cloud Security Alliance, mentioned earlier, is working on this.

Q: What providers are using TXT?

A: Intel is releasing chips with TXT capabilities this year. Uptake by providers will be another story. That being said, TXT is only one component because software will be required as well to monitor and report on what TXT sees.

Q: What are the risks associated with major Internet outages?

A: Cloud providers work to build a great infrastructure but one thing that the provider doesn’t and cannot necessarily provide the pipe between you and them. They don’t really do anything about ensuring you can connect to them. If you are looking at pushing key capabilities you may be looking at more than one internet provider.

Q: Are regulation bodies such as PCI Security Council addressing 'new' trends in computing such as cloud computing?

A: The likelihood that legislative regulation will be updated specifically to address the implications of cloud computing is very low because change requires legislative involvement. Industry regulations are more likely to change, but standards such as the PCI-DSS have defined review and revision schedules. Until the next versions are released, we won’t know whether, or to what degree, current issues such as cloud computing are addressed.

Q: How does encryption work, with CRMs, for example?

A: Assuming that this question is referring to the use of a CRM SaaS provider the answer is going to be individual to each CRM (or any other SaaS offering) provider. Whether and how their systems work with encrypted data will be part of their “secret sauce” and they not be willing to provide any more information than “yes” or “no”. Remember SaaS vendors control the entire stack and so are required to secure the entire stack – make sure that the security they provide meets enterprise standards before committing.

Q: With PII, PCI and Heath Care regulation, it seems, I can put very little out in the cloud.  Are there providers who have built the secure model today.

A: The secure model, as described, is purely theoretical at this point and no providers are known to offer tiered service packages based on differential security requirements. That being said the need for the adoption of such structures is recognized by many technology leaders and it is anticipated that changes will be brought to bear.

That being said, regulatory compliance is the biggest obstacle to cloud adoption. Cloud is still a viable model for heavily regulated industries so long as they are careful in those uses (i.e. test and development) and the manner in which data is protected (i.e. encryption) while in the could.

Q: How is cloud computing different than other outsourcing options?

A: Cloud is differentiated from traditional outsourcing because it is based on the essentially real-time provisioning and deprovisioning of compute capability. Most traditional outsourcing models call for the delivery of fixed capabilities, for a fixed period of time, at a fixed cost. Cloud provides access to an elastic pool of resources than can be grown or shrunk on demand.

Q: Are there any unique considerations for health insurance organizations (regarding their need to keep HIPAA/PHI data secure)?

A: The considerations for health insurance organizations are essentially the same as for any business or industry that is subject to regulatory compliance – if the regulations contain stipulations about the controlled access to confidential information then the cloud must be approached with caution. Storage in the cloud is one thing – data can be encrypted while in storage – but processing in the cloud is different – data must be decrypted to be processed.

 

For more information about this topic, visit Info-Tech’s Server & Storage Virtualization Solution Road Map. The Solution sets include:

-          Get Moving with Server Virtualization

-          Select the Right Vendor for Server Virtualization

-          Avoid Server Virtualization Implementation Pain

-          Leverage Server Virtualization for DR Affordability and Agility

-          Build an Optimized Infrastructure-as-a-Service Internal Cloud

-          Use Cloud Computing to Achieve Small Enterprise Savings

 

You can also follow Info-Tech’s blog at http://blog.infotech.com/.

© 1998-2010 Info-Tech Research Group. All rights reserved. Reprinted by permission

Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. For more information, go to www.infotech.com.

 

 

 

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access