The cloud represents tremendous opportunities for IT to achieve better agility and scale. According to Mike Rothman, Analyst and President at security research firm Securosis, the cloud also represents a different set of risks that enterprises need to understand.
Rothman detailed his views on securing the cloud at the SecTor security conference, currently underway in Toronto. While some in the audience weren’t sure if they were going to be deploying in the cloud, Rothman warned that any developer with a credit card can get an enterprise into the cloud.
“The security implication of the cloud is that you only have a variable amount of control, visibility and resources,” Rothman said. “If you have bare metal you know all that stuff.”
In a physical enterprise datacenter, administrators have full control and visibility over their hardware and software. That also means that enterprise administrators have full accountability for all those components. Rothman noted that there is a different security accountability in the cloud.
“If Salesforce.com loses your database will they alert all your customers?” Rothman asked. “No they will not.”
In the cloud, while networking assets are not directly maintained by the enterprise, the enterprise is still accountable. That said, having a cloud vendor manage infrastructure can be a good thing for some companies.
“If you suck at security than a Salesforce.com is likely going to do a better job than you are,” Rothman said.
When new security issues come to light, the solution in the physical IT world is often simply to deploy another network appliance that fixes the issue. Rothman said that method doesn’t work in the cloud and as such it’s imperative to think through issues more thoroughly than simply just dropping in a new hardware box.
While the cloud is different than a physical datacenter deployment, it is also similar in a number of respects. Issues of reliability, availability and survivability all are concerns in the cloud, just as they are with physical infrastructure.
“The cloud never goes down, until it does” Rothman said. “In the cloud you still have to think about business availability and continuity.”
Rothman noted that the Amazon outage that occurred earlier this year, is great example of the need for enterprises to have availability plans in place.
Another concern in the cloud has to do with geography. Some enterprises have a need for data to be restricted to certain countries. In the physical world, administrators can easily monitor that. In the cloud, the actual geography of where data sits is not as visible.
“It’s all about faith in the cloud, that providers are doing what they say they will do,” Rothman said.
When it comes to cloud security defenses, Rothman said that the first line of defense is the service level agreement (SLA). He stressed that organizations need to understand cloud SLAs and ask questions. Questions that need to be asked include whether there are contractual penalties for non-complaince, as well how an organization can audit against the SLA.
Rothman suggested that enterprises get SLAs for data security, user account management and personnel security. Additionally Rothman stressed that enterprises not trust non-contractual SLA, since they’re not binding.
“Don’t trust anything that is not in writing that doesn’t have penalties for non-compliance,” Rothman said.
There are some risks and tradeoffs involved in moving to the cloud from a security perspective. Rothman’s advice is that organizations develop their own list of cloud security requirements as well as security documentation.
“You need to understand your cloud,” Rothman said. “That means understanding what security controls are available, what security documentation is available and what the contingency plans are.”