Cloud computing: What you should and shouldn't be worried about

As long as you know how to deal with the issues, infrastructure as a service shouldn't hold any fears

Businesses concerned about the security of infrastructure as a service (IaaS) cloud technology should be more worried about how they secure data themselves rather than the levels of security offered by cloud providers.

A recent survey by Forrester Research found that security is the main concern about IaaS technology for 58 per cent of European technology decision-makers.

And these concerns - combined with others - appear to be hampering adoption, with just two per cent of companies in Europe having implemented IaaS, a figure that hasn't changed since 2009, according to the analyst house.

But businesses should not be put off using the technology by security worries as long as they take the necessary precautions with their data, according to Forrester Research analyst James Staten.

Speaking to silicon.com, Staten said the levels of security achieved by cloud service providers are often higher than those seen in corporate datacentres, as security is an essential requirement for their reputation as good service providers.

Businesses must make sure they're taking the right steps to secure their data themselves
Photo: Shutterstock

Concerns about security in the cloud are therefore more psychological than technological, according to Staten: "Most organisations have security concerns because they don't understand how security is done in the cloud and they have an inherent fear of their data being outside their walls and stored on a shared service. After they spend time understanding how security is achieved [in the cloud], most of these fears typically diminish."

Securing data is a shared responsibility

Despite the good levels of security provided by cloud vendors, businesses need to ensure they do everything possible to keep their data secure when moving it to IaaS environments: "The other thing that's really important for enterprises to understand is that security is a shared responsibility," Staten said.

IaaS providers only secure data to the point of abstraction in virtual machines. Once the data is outside the IaaS environment, it's the customer's responsibility to secure the data.

"Whatever you put inside that virtual machine, it's up to you to secure it. And most of the security problems we have seen have been errors by the client not by the service provider, where they leave ports open, where they have very simple passwords or logins - the typical security concerns we see that come from not being knowledgeable enough, not being experienced, or just making some assumptions about security that are incorrect," Staten said.

Encrypting data is an obvious way to deal with this issue but...

...Staten pointed out that this can make data more difficult to work with.

"Encryption is one of your tools [but] the more important tool to use is consistent security policies and helping to educate your developers on these policies," Staten said.

With most data breaches caused by applications not being configured properly and security features not being set up, making developers more aware of its importance is clearly a key area.

How to tackle compliance

As well as securing the data, organisations need to make sure the data they put in to IaaS environments - and the service providers they choose - fit with any compliance and auditing regulations they're subject to, such as Sarbanes-Oxley.

"It's kind of a non-starter if you're running on a cloud that you can't audit or doesn't provide enough transparency to satisfy an auditor. So [services] may be secure but if they don't provide the logs, they don't provide you their operational procedures, then an auditor simply won't accept them as a proper platform," Staten told silicon.com.

CIOs therefore need to establish whether IaaS providers have compliance certification, or can provide information about a recent audit that can be taken to the customer's auditor to prove they comply.

Addressing privacy issues

Staten said privacy is also an issue that businesses should be conscious of as differences in law between Europe and the US have the potential to cause problems.

The US Patriot Act, for example, allows US government officials to seize data from US-based cloud providers if they believe it's related to suspicious activity.

The Patriot Act applies to all US-based companies, so even if data is held in Europe on infrastructure owned and operated by a US company, it can be seized. Amazon's datacentre in Ireland therefore comes under the US legislation.

"You may be doing everything legally and above board but your data may be sitting on the same storage array as two people that the [US] government's not real thrilled with. When they seize that array, they seize your data too," he added.

Staten said companies receive little warning when data will be seized, so they can't move data belonging to other users who are not of interest to the authorities off the hardware, which means access to data could theoretically be lost.

Although this situation hasn't yet occurred with cloud providers, Staten said it is nevertheless a possibility, so businesses should make sure they back up their data in a non-cloud environment so they won't lose access if the hardware it's stored on is made unavailable.

Another issue to be aware of is safe harbour agreements in which two countries - or a company and a country - agree to hold data in a way that satisfies national guidelines. Staten said these are generally safe if they are agreements between countries but are a little riskier when they are made between a country and a company, because the other national government can override the agreement if it wants to access certain data.

When thinking about IaaS, organisations need to assess...

...the importance of different types of information, how much of a target it could be and what threats concern it.

Staten said businesses need to create simple risk profiles for different application types, including the kind of data held on them, and develop policies about how they should be treated.

Other concerns shouldn't be overplayed

European businesses appear to be warier about IaaS than their US counterparts, according to the Forrester Research report.

Staten said this is due partly to the slow proliferation of the technology in Europe and because businesses this side of the Atlantic are more likely than their US counterparts to settle security issues before adopting a technology service.

As well as security concerns, European businesses are also cautious about infrastructure as a service as they're not convinced the service can deliver the cost benefits cloud providers promised.

European businesses have been more cautious about infrastructure as a service than their US counterparts
Photo: Shutterstock

Staten said this may be true but only if the services are used in a way they weren't designed for: "If you use these cloud services correctly they will absolutely deliver cost savings to your organisation, if you use them incorrectly... then they will either deliver no cost saving or they'll actually cost you more."

For example, if a business runs a system that needs to be permanently operating, public IaaS will be more expensive than running it inhouse.

However, with applications and processes that need to be scaled up and down depending on demand, IaaS will reduce costs as companies will only be paying for services when they're being used.

"Per hour, Amazon is cheaper; but per month, for consistent use, it's one of the more expensive places you can put any application," Staten said.

Another concern cited by respondents to Forrester Research's survey is that IaaS is too immature a technology.

Although some services have been around for some time - Amazon Web Services started in 2003 - IaaS is still evolving, according to Staten.

To ensure businesses don't become vulnerable due to immature services, Forrester advises them to review the provider they use every six months to make sure they are using the cloud service most suited to their requirements.

"Whenever we talk about corporate security, it's impossible to give your company a 100 per cent guarantee that they will not have a security problem. What CIOs always have to do is figure out where the right balance is between the investments they make to keep the company secure versus the degree of risk that's possible - and every company sets that balance themselves at different points," Staten said.