Corporate IT security group the Jericho Forum has offered security advice for companies that want to adopt cloud computing.
While cloud computing offers companies the opportunity to operate much more efficiently and with flexibility, it can open up a "Pandora's Box of security nightmares", the Jericho Forum said in a paper published on Thursday. Challenges include keeping data confidential and ensuring that it is not intercepted.
Many organisations, including HP and other technology leaders, have voiced concerns about about issues such as security, performance and the availability of internet-based services in the cloud.
To help companies deal with these issues, the group has developed a "cloud cube model", meant to be a "practical blueprint, geared to showing each organisation how to architect for safe business collaboration in a way that suits its individual needs", John Meakin, director of digital security for BP and a Jericho Forum founder, said in a statement.
First, companies should assess the sensitivity of the data they are considering moving to the cloud, the Jericho Forum said. Then they should consider the risks and benefits of different types of cloud-computing environment, using the group's cube model as a guideline.
The cloud cube model, described in a Jericho Forum video, is a framework based on four aspects of cloud computing:
- Is it an internal or external cloud?
- Does it use proprietary or open technology?
- Is the cloud service outsourced or done in-house?
- Does the cloud work within the company's security perimeter, such as a network firewall, or outside it?
Once that assessment is complete, organisations should then be in a good position to decide which processes to move to the cloud.
The best cloud option for flexibility and collaboration is likely to be one that is external, open and de-perimiterised, the Jericho Group said.
The cube model is "designed to provide clarity of vision on the essential areas organisations need to consider when evaluating a cloud-computing environment", according to Adrian Seccombe, a senior information architect at Eli Lilly and a Jericho board member.
The group made the point that security in modern cloud applications may in fact be "significantly better" than that of the customer's own IT systems. However, one key issue for many companies is perimeters: when companies operate only within their IT security perimeter, this inhibits collaboration, the Forum noted.
One solution is to extend the organisation's perimeter into the external cloud-computing domain, using a VPN and operating the virtual server within the company's own IP domain, the group recommended. This approach would make use of the company's own directory services to control access. When the task is completed, the organisation can then withdraw the perimeter back to its original position.
The Jericho Forum is asking users and IT vendors to co-operate with them in establishing best practices for securing collaboration in cloud computing. "Tackling the challenge of collaborating securely in the cloud is a natural evolution for the Jericho Forum," Meakin said.