Cutting Through the Fog of Cloud Security

As cloud computing's security gaps become more visible, users are finding ways to safeguard their data.

Daniel Flax, CIO at New York-based investment banking and financial services firm Cowen and Co., relies on cloud computing to automate his company's sales activities. While he's satisfied with cloud technology's potential to lower upfront costs, decrease downtime and support additional services, he admits that he has had to work hard to get a handle on the emerging technology's security weaknesses. "Security is one of the things we've had to come to grips with," he says.

Evan Jones, owner and IT chief of interactive production company Stitch Media, located in Toronto and Halifax, Nova Scotia, is also concerned about cloud security. "It's a scary concept when you just hand all of your important company data over to a third party," he says.

Like a growing number of IT managers, both Flax and Jones are beginning to realize that cloud computing doesn't offer companies a free ride when it comes to security. A Gartner Inc. report released last year identified concerns about risks in several areas, such as data privacy and integrity and compliance management, that should give pause to anyone thinking about rushing into cloud computing.

"Enterprises, particularly those in regulated industries, need to weigh both the business benefits and risks of cloud computing services," warns Jay Heiser, a Gartner analyst.

One of cloud computing's biggest risks arises from its very nature: It allows data to be sent and stored just about anywhere -- even divided among locations around the world. While data dispersion helps give cloud computing a cost and performance edge, the downside is that business information can land in storage systems in locales where privacy laws are loose or even nonexistent.

Flax, who is using Salesforce.com Inc.'s Force.com platform to automate Cowen's global sales systems, says the best way to ensure that data steers clear of risky destinations is to work with a cloud vendor that is a public company and is therefore required by law to disclose how it manages information.

Salesforce.com is publicly traded, and "as a result, we have a sense of comfort that there are strict processes and guidelines around the management of their data centers," Flax says. "We know our data is in the U.S., and we have a report on the very data centers that we're talking about."

Agora Games, a company in Troy, N.Y., that builds Web communities for video game players, currently has no say on the matter of where its cloud computing provider, Terremark Worldwide Inc., hosts its data and applications. But that will be changing in the near future, says Brian Corrigan, Agora's chief technology officer.

Terremark will soon give Agora "the option to choose where virtual machines actually run," he says. "Right now, the only choice is the Miami facility, but Terremark is adding other locations, so [it will be] an issue we can manage however we want."

Track and Trace

Cloud computing's dispersed nature also makes it challenging to track unauthorized activity, even when careful logging procedures are used. Virtually all cloud computing providers use encryption, such as Secure Sockets Layer technology, to safeguard data in transit. But Heiser notes that it's also important to ensure that stored data is encrypted. "If data is stored in a shared environment, which is what usually happens, you can assume that unencrypted data may be read by unauthorized parties," he says.

Mike Mullin, IT director of Indian Harvest Specialtifoods, a Bemidji, Minn.-based company that distributes rice, grains and legumes to restaurants worldwide, says he relies on provider NetSuite Inc. to ensure that the data he sends into the cloud is fully protected. "With SSL, I'm pretty confident that our data is secure," he says. "If it isn't, then I think a lot of people will have problems and that the [cloud] industry as a whole will have a problem."

Mullin notes that cloud adopters also need to closely assess their own infrastructures and security practices, particularly access controls. "Your side of the infrastructure is just as vulnerable, if not more vulnerable, than the provider's side," he says.

1 2 Page 1
Page 1 of 2
  
Shop Tech Products at Amazon