Apple hires...

The IT industry has identified cloud computing as a major trend for the future. But how much of a barrier to its development and adoption will security be?

It seems as though not much new is happening in enterprise IT development that doesn’t involve the cloud.

The uptake of outsourcing and software-as-as-service (SaaS) based delivery models has softened end-using organisations to the idea of not necessarily owning the IT infrastructure their business may rely on. The advent of the cloud has even encouraged blue-sky thinkers to declare it will, one day, render the IT department redundant.

But, despite the advent of more and more data centre-as-a-service-type launches, recent security issues involving the likes of vendors such as Salesforce.com and Google Docs have thrown a spotlight on the security risks associated with running IT in the cloud.

“There’s been a lot of hype around cloud computing recently,” said Ian Osborne, project director of the Grid Computing Now! initiative of IT trade body, Intellect. “It offers enterprises the opportunity to flex their IT infrastructure more dynamically to meet demand.”

Open challenges

But he told IT PRO there were inherent challenges in extending cloud infrastructures out to enterprises in an open, virtual or ‘utility’ based way. “With very little agreement on standards, the issues of provisioning, security and ownership of the data could be major inhibitors to adoption,” Osborne said.

In response, both enterprise IT suppliers and consumers have stepped up attempts to close security loopholes and offer best-practice solutions and guidance on governance, standards and compliance. In fact, it was just over a year ago that Gartner first warned IT organisations that alternative delivery models like cloud computing would make the governing principles that worked with the traditional models of buying, building and accessing IT irrelevant.

David Mitchell Smith, vice president and Gartner Fellow, said: “Why pay to build it and maintain it, if you can buy it in at a fraction of the price?”

But he added that one of the main challenges for IT organisations in adapting to this next technological revolution will be dealing with the cultural impact both internally and in the way IT interfaces with other functional areas, which is exactly where loopholes around data governance can open up.

Jericho looks to best practice

Earlier this month, the independent security expert group Jericho Forum announced it was focusing its activities on establishing best practices to meet the challenges of collaborating securely in the cloud. As a result, it has published a cloud cube model designed to provide clarity of vision on the essential areas organisations need to consider when evaluating a cloud-computing environment.

“The cloud approach to organising business can be both more secure and more efficient than the old-style silo structure,” said Adrian Seccombe, Jericho Forum board member, who is chief information security officer and senior enterprise information architect at healthcare giant Eli Lilly. “Viewed from a different perspective it opens a potential Pandora’s box of security nightmares…not least of which is loss of data confidentiality and integrity.”

Seccombe argued that a carefully analysed and chosen approach to implementing cloud computing can bring those security issues back under control.

He explained how the cloud cube model provides a framework for exploring the nature of different cloud formations and understanding the key characteristics, considerations, as well as the benefits and risks that must be taken into account when entering clouds. And he stressed that the path to success is to architect security in from the beginning.

Guy Bunker, chief scientist and distinguished engineer at Symantec, endorsed the forum’s work: “Jericho’s next phase, which addresses secure collaboration in the cloud, is seen as a big step in the right direction. Bringing together enterprise, system integrators and application vendors has resulted in a practical approach to security in the next generation of collaboration architecture.”

Working together

At the same time, other collaborative industry efforts include the creation of the Cloud Storage Technical Work Group (TWG) by the Storage Networking Industry Association (SNIA), aimed at developing SNIA architectures and best practices related to cloud storage technology. Gene Ruth, Burton Group senior analyst confirmed a number of vendors were rushing to offer cloud storage services, either as a focused storage offering or as part of a compute cloud and therefore, security would be a key consideration.

“Confusion over definitions, positioning and concerns over service delivery are slowing acceptance,” commented Ruth. “The Burton Group believes that a strong industry association can provide a focal point to bring the many cloud players together. SNIA’s efforts to define what cloud storage is and how it fits into the cloud compute paradigm will help spur its acceptance.”

In addition to industry wide activity, individual vendors have also taken steps to improve security in the cloud, with the most recent being Cisco. The networking and software vendor made a number of cloud-related security announcements this month that looked to expand its hosted security service offerings and deepen the integration of security-as-a-service applications with corporate network infrastructures.

And Cisco chief executive, John Chambers hit the headlines at RSA this week by describing the cloud as a “security nightmare”.

Cisco has said its new offerings would protect data and communications in support of the increasing extension of connectivity outside the walls of the enterprise walls. From the Cisco Security Intelligence Operations centre, it manages an extensive threat-monitoring network called ‘SensorBase’ that it uses to monitor and collect security data from hundreds of millions of client-side device and computers.

“Security needs to capture the latest threat intelligence to mitigate shifting threats,” added Tom Gillis, vice president and general manager for Cisco’s Security Technology business unit. “Our vision for security is based on a balance of protection and enablement, which integrates security from the network through to the endpoint and the user.”

So the industry has begun to answer the security challenges faced in the cloud. But the emerging challenges around data integrity, recovery, privacy and governance, not to mention areas like e-discovery, regulatory compliance, and auditing, demand that cloud adopters must fully qualify the vendors, services and security processes they use to ensure its survival.