Cloud Security: Oxymoron?

Here's how some early adopters of cloud computing are approaching the problem.

Page 2 of 5

The division of labor between Logiq3 and BlueLock actually strengthened security, because "no one person or company has all the keys to the kingdom," says Westgate. Because BlueLock manages the firewall, for example, "none of my admins can go in and decide to sell or move the data," he notes. "And BlueLock admins can't do it either, because they don't control the systems."

How much responsibility lies with the cloud-based service provider largely depends on the type of service.

With an IaaS setup, the customer is usually responsible for protecting everything above the middleware and APIs, including the applications and operating system, says Todd Thiemann, senior director of security vendor Trend Micro Inc.'s data protection group. The terms of service for Amazon's IaaS offering, for example, state that the customer is responsible for protecting the data it puts into the public cloud, he adds.

In contrast to IaaS arrangements, in software-as-a-service deals, the provider is usually responsible for protecting whatever customer applications and data reside on its cloud. That setup often works well for budget-challenged businesses, because it gives them access to advanced security technologies and resources that they might not be able to afford in-house.

IBM's LotusLive SaaS offering, for example, uses "the same standards, security, compliance and governance we use to run major business systems for some very large and important companies," says Sean Poulley, IBM's vice president of online collaboration services. LotusLive data centers are protected by physical and biometric controls, including closed-circuit TV. Access control is handled by IBM's enterprise-scale Tivoli software.

However, many providers of cloud-based services -- particularly SaaS vendors -- feel that their security practices and technologies give them a competitive advantage, so they don't like to talk about how they approach security. That means companies have to take the vendor's word that its systems are indeed secure and compliant.

"Vendors have done little to accommodate security risk evaluation," says Gartner's Heiser. "They may have incredibly secure and robust systems, but there's no sensible way to ensure this."

Security accreditation standards such as ISO 27001 and SAS 70 Type 2 provide some assurance, he adds, noting that "27001 is more relevant to cloud security issues but weak when applied to new forms of technology."

Playing Nicely Together

Many SaaS vendors are understandably reluctant to have a customer insert third-party security products into their proprietary platforms, even if it's just an agent that would permit a customer's security system to interact with theirs.

For example, Pfizer Inc. had outsourced some security services to D3 Security Management Systems Inc. and was interested in using Oracle Corp.'s Access Manager in D3's incident management applications. But D3 expressed concerns about installing Oracle agents on its systems, says Kurt Anderson, the pharmaceutical company's manager of global operations business technology.
