Cloud security: Are firms still fretting about the wrong issues?

Security still tops the list of issues that put firms off cloud services. But many concerns may be misplaced, wrong or simply missing the point.
Written by Toby Wolpe, Contributor

Even though many businesses have been using the cloud in some form for years now, real or imagined security fears persist as the biggest single issue hampering wider adoption.

Companies are still hung up on questions such as the physical location of their data in the cloud, as much for emotional reasons as for regulatory compliance, a recent Dell round-table event in London heard.

"The irony is that most of these organisations will be using outsourced development teams in India, who probably have access to live production instances and have access to all the data anyway," technical lead for Dell's EMEA information security practice Don Smith said.

He said that one of Dell's largest European customers is in Finland, which shares a robust approach to data protection with Germany.

"They're very happy for their data to be flowing to the US. They're mature about it. They realise that if an intelligence agency wants to access their stuff, whether it's Finnish, British or American, they're going to get it. Let's be big boys about it," Smith said.

"They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."

DLA Piper UK managing partner Mark O'Conor said customer companies choose their risk appetite — and it might not be real risk.

"It might be perceived or emotional risk or the need to demonstrate to shareholders or the regulator that you've taken appropriate steps," he said.

New European data protection rules that could be in place in 2015 will provide an opportunity for vendors, according to O'Conor.

"The fact is the new rules are coming through as a directly applicable regulation — all 28 member states at the same time, same words — mainly to deal with the anomalies and weirdness and local peculiarities that came around last time with people doing it slightly differently," he said.

"If you go to Germany, it's fortress Germany, or CNIL in France, or a slightly more liberal, relaxed attitude in the UK. So that should go. If you're a vendor, you're talking to your US customers and saying, 'It's one set of rules, 28 member states. Here's how it's going to be'."

Dell EMEA director of cloud services Nick Hyner said the company is setting up partnerships in a number of countries to address the demands for cloud services to be delivered locally.

"It's often not lawyers' perception. People say, 'I want it in my own country'. They actually sometimes can't be bothered to be bothered about all the legal stuff: 'I want to be able to go to the data centre and the backup'," he said.

"You can say until you're blue in the face, 'Under model clauses, it's all allowed. It can all move'. But they say, 'Yes, but your competitor is going to keep it here'."

Companies are interested in encrypting all data sent to the cloud to address data protection issues but their fundamental concern in this context should be the location and ownership of encryption keys, Dell's Don Smith said.

"If you're going to stick data in the cloud and you're going to encrypt, who's got the keys? Does the provider have the keys, does an escrow agency have the keys or do you have the keys?" Smith said.

"I had a conversation with a very big bank in the UK a couple of months ago and they were particularly interested in leveraging the Trend [encryption key] technology, simply because they could keep the keys in their walled garden.

"The data that was flowing out could be encrypted, and privileged users at the cloud provider would never ever be able to decrypt that. That's a game-changer but it requires people to understand it, get over the fear of geeky words like encryption and just take it seriously."

Because the response to many cloud security questions is emotional rather than rational, Smith said he wished the Americans had given the Patriot Act a less interesting name.

"Ours isn't called the Union Jack Act. It's called the Regulation of Investigatory Powers Act. If theirs was called the really boring investigatory act, no one would be talking about it in Europe," Smith said.

"But the fact they called it the Patriot Act — they might as well have called it the Stars and Stripes Act. The UK government has exactly the same powers. If they want something, they can get it."

In any case, the focus of cloud concerns should not be purely on national security agencies, according to Smith.

"There are some large — you could argue — cloud providers that aren't just monitoring us but are actually trying to influence our behaviour. Spooks watch but they don't want you to know they're watching," he said.

"Google Analytics is the biggest privacy breach in the universe, where they're giving away the web master tools. More than 50 percent of websites globally are feeding back everyone's surfing habits to Google so that they can then use it to target advertising. That's insidious."
