Cloud security: Are firms still fretting about the wrong issues?

Summary: Security still tops the list of issues that put firms off cloud services. But many concerns may be misplaced, wrong or simply missing the point.

Even though many businesses have been using the cloud in some form for years now, real or imagined security fears persist as the biggest single issue hampering wider adoption.

Companies are still hung up on questions such as the physical location of their data in the cloud, as much for emotional reasons as for regulatory compliance, a recent Dell round-table event in London heard.

"The irony is that most of these organisations will be using outsourced development teams in India, who probably have access to live production instances and have access to all the data anyway," technical lead for Dell's EMEA information security practice Don Smith said.

He said that one of Dell's largest European customers is in Finland, which shares a robust approach to data protection with Germany.

"They're very happy for their data to be flowing to the US. They're mature about it. They realise that if an intelligence agency wants to access their stuff, whether it's Finnish, British or American, they're going to get it. Let's be big boys about it," Smith said.

"They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."

DLA Piper UK managing partner Mark O'Conor said customer companies choose their risk appetite — and it might not be real risk.

"It might be perceived or emotional risk or the need to demonstrate to shareholders or the regulator that you've taken appropriate steps," he said.

New European data protection rules that could be in place in 2015 will provide an opportunity for vendors, according to O'Conor.

"The fact is the new rules are coming through as a directly applicable regulation — all 28 member states at the same time, same words — mainly to deal with the anomalies and weirdness and local peculiarities that came around last time with people doing it slightly differently," he said.

"If you go to Germany, it's fortress Germany, or CNIL in France, or a slightly more liberal, relaxed attitude in the UK. So that should go. If you're a vendor, you're talking to your US customers and saying, 'It's one set of rules, 28 member states. Here's how it's going to be'."

Dell EMEA director of cloud services Nick Hyner said the company is setting up partnerships in a number of countries to address the demands for cloud services to be delivered locally.

"It's often not lawyers' perception. People say, 'I want it in my own country'. They actually sometimes can't be bothered to be bothered about all the legal stuff: 'I want to be able to go to the data centre and the backup'," he said.

"You can say until you're blue in the face, 'Under model clauses, it's all allowed. It can all move'. But they say, 'Yes, but your competitor is going to keep it here'."

Companies are interested in encrypting all data sent to the cloud to address data protection issues but their fundamental concern in this context should be the location and ownership of encryption keys, Dell's Don Smith said.

"If you're going to stick data in the cloud and you're going to encrypt, who's got the keys? Does the provider have the keys, does an escrow agency have the keys or do you have the keys?" Smith said.

"I had a conversation with a very big bank in the UK a couple of months ago and they were particularly interested in leveraging the Trend [encryption key] technology, simply because they could keep the keys in their walled garden.

"The data that was flowing out could be encrypted, and privileged users at the cloud provider would never ever be able to decrypt that. That's a game-changer but it requires people to understand it, get over the fear of geeky words like encryption and just take it seriously."

Because the response to many cloud security questions is emotional rather than rational, Smith said he wished the Americans had given the Patriot Act a less interesting name.

"Ours isn't called the Union Jack Act. It's called the Regulation of Investigatory Powers Act. If theirs was called the really boring investigatory act, no one would be talking about it in Europe," Smith said.

"But the fact they called it the Patriot Act — they might as well have called it the Stars and Stripes Act. The UK government has exactly the same powers. If they want something, they can get it."

In any case, the focus of cloud concerns should not be purely on national security agencies, according to Smith.

"There are some large — you could argue — cloud providers that aren't just monitoring us but are actually trying to influence our behaviour. Spooks watch but they don't want you to know they're watching," he said.

"Google Analytics is the biggest privacy breach in the universe, where they're giving away the web master tools. More than 50 percent of websites globally are feeding back everyone's surfing habits to Google so that they can then use it to target advertising. That's insidious."

Talkback

4 comments
  • pabulum

    “Companies are still hung up on questions such as the physical location of their data in the cloud, as much for emotional reasons as for regulatory compliance, a recent Dell roundtable event in London heard.”

    Regulatory compliance is an “EMOTIONAL” issue? BS. It is a very real issue that affects many industries.

    “They realise that that if an intelligence agency wants to access their stuff... they're going to get it. Let's be big boys about it,"

    Because some agency can get at your data, it is okay to make it far easier for them to do so? Let’s give it to a third party, probably in a foreign country?

    "They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."

    What “fallacious” argument? Where your data goes and who has access to it is very important.
    The points about security of the encryption keys are valid, but the question still remains, why give the data to a third party in the first place?

    “Because the response to many cloud security questions is emotional rather than rational, Smith said he wished the Americans had given the Patriot Act a less interesting name.”

    Why devote a whole section to the name of the “Patriot Act?” It’s there, it makes people justifiably nervous, and what you call it does not matter.

    “More than 50 percent of websites globally are feeding back everyone's surfing habits to Google so that they can then use it to target advertising. That's insidious."

    Got that right. But what does that have to do with handing your data over to a third party? Because half the websites hand some data about you to a third party, it’s okay to put your company’s critical data in the hands of someone else?

    This whole article, except the point about keeping keys safe, sounds like “don’t worry, everything is fine” pabulum. Especially when you consider all the other issues with the cloud: internet down time, increased bandwidth costs, slower response time compared to in-house, vendor lock-in, etc.

    The cloud should be reserved for certain specific applications that can REALLY benefit from it, not for everyone to jump on the bandwagon just because it’s the latest “in” fad.

    Doc
    Doc.Savage
  • Misplaced security concerns

    The problem with clown... err... cloud computing is not the privacy concerns, it's the uncertainty about the ill-defined infrastructure and data protections. How are these "as a service" services keeping my data and resources that have to be protected by regulation, laws, or the fact that I will lose a lot of money if disclosed from being disclosed because of mistake, accident, or intent? Most cloud providers cannot protect my data if another in their "service" gets hacked.

    The risks to data are more than just transmission issues. Data at rest is a big target as well as the proprietary processes that work on them. VMs do not protect against systems that abuse resources and large disk subsystems are not partitioned to be resistant to cross domain attacks. These alleged stack definitions are myopic in their look at the services they deliver and the security in their context, but not in the context of the overall risk.

    What is funny is that those of us who are old enough to remember timesharing services of the 1970s and 1980s are bringing up the same arguments in a different context. We see that the same mistakes are being made without thinking about their overall impact to the services. Without assessing the overall risks and not just the risk to one aspect of the stack, cloud computing will go the way of timesharing--and if you have to look up what timesharing services are, you confirmed my point on its lack of success.
    sbarman
  • Translations:

    "Companies are still hung up on questions such as the physical location of their data in the cloud, as much for emotional reasons . . ."

    Translation: "We're going to be quick to blame emotions, and hold our fingers in our ears when it's not emotions or regulatory concerns."

    "Companies are still hung up on questions such as the physical location of their data in the cloud,"

    Translation: "We have confused ownership and physical location. Intentionally, of course."

    "They're mature about it."

    Translation: "We have declared anybody who disagrees with us as immature."

    "They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."

    Translation: "We can neither describe nor name the fallacy, but everybody who disagrees with us is guilty of making a fallacy."

    "You can say until you're blue in the face"

    Translation: "We're pushing our point of view on you, like it or not. And we pushed our point of view onto your competition too."

    "The data that was flowing out could be encrypted, and privileged users at the cloud provider would never ever be able to decrypt that."

    Translation: "What?! We need to be able TO SPY ON YOU! What's so hard about that?!"

    "There are some large — you could argue — cloud providers that aren't just monitoring us but are actually trying to influence our behaviour."

    Translation: "COME TO THE DARK SIDE!!"
    CobraA1
  • Protection

    Cloud computing security or, more simply, cloud security is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. Cloud security is not to be confused with security software offerings that are cloud-based such as security as a service.
    catherinej02