Cloud security: Four customers' approaches

IT shops are taking matters into their own hands

Depending on whom you talk to, cloud security is either the industry's biggest oxymoron and won't be resolved anytime soon or it's no big deal because cloud vendors typically have tighter security than do any of their customers.

Wherever you fall on that continuum, the notion of security comes up as a key concern in many surveys on the topic, so it's clearly top-of-mind at most IT shops. There are a few security standards initiatives that might eventually help clear up matters (see sidebar below), but those are a long way from being ready to implement.

One thing is clear, experts say: Don't assume anything before doing your own due diligence. "It would be nice to think the vendors are doing a great job [of protecting the data] and they are building a highly robust application framework that provides a high level of security," says Jay Heiser, an analyst at Gartner who studies risk in the enterprise and regulatory compliance.

"The biggest frustration is determining whether they did that -- if a provider cannot give you definitive evidence [through testing and data verifications] that their product is [as] secure as they say it is, you have no ability to make a business decision to use it," Heiser adds.

Fred Cate, director of the Center on Applied Cybersecurity Research at the Indiana University Maurer School of Law, says the single biggest issue facing companies when it comes to cloud security is deciding who is really accountable from a legal perspective.

"The cloud vendors say the company is responsible, but the companies say the vendor is responsible," says Cate, who adds that some companies resolve the problem by going to a trusted brand like Microsoft. But taking that strategy narrows customers' choices considerably. And, he says, there is still no guarantee that just because you choose a known provider for your cloud infrastructure, the data is truly safe.

Fortunately, several emerging technologies are helping to secure the cloud, or at least make it more difficult for employees to post intellectual property or other sensitive data on a public cloud.

United Airlines: Cloud computing in the cockpit

United Airlines is about to embark on a radical experiment. This year, the airline will deploy about 10,000 Apple iPads for use by cockpit crews. The iPad will replace the flight bags used for storing manuals, flight charts and other nonsensitive information used for flight preparations. Instead, crews will access managed service providers such as Jeppesen for online flight manuals. United will also use the iPad as a communication vehicle for company news and employee updates.

John Van Hoogstraten is the managing director of IT security and risk management at United Airlines. He says the airline tends to move slowly when it comes to cloud-related deployments, but that mobile devices like the iPad present too many benefits to delay much longer, including better management of the flight manuals and even lower fuel costs because crews do not have to carry around heavy flight bags.

He says the airline already uses Symantec products for identity management and antivirus, and the next step he is considering is a single sign-on product called Symantec O3 Cloud Identity and Access Control for a single authentication process.

United Airlines is considering single sign-on to simplify authentication to cloud software, says John Van Hoogstraten, the airline's managing director of IT security and risk management.

"We will need to use a secure authentication system to ensure that the person who is using the iPad is who they say they are, especially when crews are traveling into places that are less than secure like third-world countries," says Hoogstraten. His plan is to use single sign-on because it taps into United's Active Directory system and presents one portal for crews to access their service providers. This means a pilot does not have to log in to six or seven different services, thus saving time in the cockpit.

Single sign-on is one of the most common new mechanisms for dealing with cloud security. The downside, though, is that it creates a single point of failure. O3 runs as an appliance in a data center, which means all cloud access flows through that device, potentially slowing connections.

"Single sign-on addresses a fundamental aspect of cloud security, namely the convenience equation," says Gartner's Heiser. "Of course, authentication is not always the biggest issue. Just look at the history of Gmail [password] failures where people gain access so easily. Companies should realize that passwords are flawed."

Symantec uses two-factor authentication to address this problem. In a typical scenario, an employee might need a token ID installed on the iPad and a password to gain access to cloud-based services. Hoogstraten says two-factor authentication forces employees to think beyond one password.
