Looking for the Silver Lining

The business is looking at cloud computing. But our manager finds some glaringly obvious problems.

I've had my head in the clouds ever since I attended a meeting last week. The IT department is interested in exploring cloud computing, so I've been busy trying to identify any security risks inherent in this emerging technology.

I've done some basic reading on cloud computing, and to be honest, I've had a hard time understanding exactly what vendors are selling. Before I delved deeper, it was hard to tell the difference between cloud computing and earlier business models, some of which I have personal experience with.

Back in 2000, I worked for a start-up that hosted other companies' servers. This was a managed service provider. After it was acquired, I worked for a company that hosted a time card application. It called itself an application service provider. So, peering into this nebulous entity called cloud computing, I saw some obvious similarities with the MSP and ASP models. A closer look brought out the differences -- some of them obvious security concerns.

The major differentiators are the location of data and the technology used. In the MSP/ASP models, we always knew where a customer's data resided: in one of a handful of data centers. We even let customers choose which regional data center their data would be served from. In the MSP model, individual servers were provisioned in a data center, with minimal interaction from the vendor. We simply hosted the physical server infrastructure, providing power, networking and rack space. With cloud computing, vendors have several data centers and use virtualization to provision servers.

Storms Brewing

There are more security concerns with this model than I can cover in this space. You'll have to conduct your own research to come up with a comprehensive list. But here are my main concerns.

First, my company has to comply with a lot of regulations. By hosting our applications ourselves, we can clearly define our control objectives and maintain the integrity of our financial data as required by law. If we were to put our financial applications into the cloud, we would certainly have to re-evaluate our control objectives to ensure that compliance wouldn't be compromised.

The second concern is the commingling of data. Cloud vendors typically store data from multiple customers on the same hardware. We need our data to be properly segmented from that of our competitors. And when the vendors back up data, do they commingle data on shared media? If we terminated our contract, would they pull only our data from the tapes? Might some of our data end up in the hands of a competitor that way?

The third concern is virtualization. For example, VMware offers a feature called the Distributed Resource Scheduler that continuously monitors utilization across the guest operating systems living on a virtual machine and intelligently allocates available resources among other virtual machines. When virtual-machine resources are constrained, additional capacity is made available by migrating live virtual machines to a different physical server. Sounds cool, right? Well, it is. But what if the server that your source code repository lives on is dynamically moved to a server in, say, Russia or China? Can you vouch for the integrity of infrastructure that physically resides in a risky location?
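The migration worry above is checkable. The following is an added example, not from the column or from VMware: it evaluates a stream of live-migration events against a per-workload data-residency policy and reports every move that lands a VM on a host outside its approved locations. The event format, host inventory, VM names and policy are all constructed for illustration; a real deployment would feed it the scheduler's own migration log.

```python
from dataclasses import dataclass

# Constructed host inventory: physical host -> country where it sits.
# These names and locations are assumptions for the example, not real infrastructure.
HOST_LOCATION = {
    "esx-us-east-01": "US",
    "esx-us-east-02": "US",
    "esx-eu-west-01": "DE",
    "esx-ap-01": "CN",
}

# Constructed placement policy: VM -> set of locations it may run in.
# A VM with no entry is treated as "deny everywhere" (fail closed).
VM_POLICY = {
    "scm-repo-01": {"US"},            # source code repository: US only
    "web-frontend-03": {"US", "DE"},  # stateless front end: US or EU
}

# Constructed sample of DRS-style migration events (hypothetical format).
SAMPLE_EVENTS = [
    {"ts": "2008-05-01T10:00:00Z", "vm": "scm-repo-01",     "src": "esx-us-east-01", "dst": "esx-us-east-02"},
    {"ts": "2008-05-01T11:30:00Z", "vm": "scm-repo-01",     "src": "esx-us-east-02", "dst": "esx-ap-01"},
    {"ts": "2008-05-01T12:00:00Z", "vm": "web-frontend-03", "src": "esx-us-east-01", "dst": "esx-eu-west-01"},
    {"ts": "2008-05-01T12:05:00Z", "vm": "unknown-vm",      "src": "esx-us-east-01", "dst": "esx-ap-01"},
    {"ts": "2008-05-01T12:10:00Z", "vm": "web-frontend-03", "src": "esx-eu-west-01", "dst": "esx-unknown-99"},
]


@dataclass
class Violation:
    ts: str
    vm: str
    dst: str
    reason: str


def check_migrations(events, host_location=HOST_LOCATION, vm_policy=VM_POLICY):
    """Return a Violation for every migration whose destination breaks policy.

    Three cases are flagged: the destination host is not in our inventory (we
    cannot say where the VM now is), the VM has no policy at all, or the VM was
    moved to a location its policy does not allow.
    """
    violations = []
    for ev in events:
        dst = ev["dst"]
        location = host_location.get(dst)
        if location is None:
            violations.append(Violation(ev["ts"], ev["vm"], dst,
                                        "destination host not in inventory"))
            continue
        allowed = vm_policy.get(ev["vm"])
        if allowed is None:
            violations.append(Violation(ev["ts"], ev["vm"], dst,
                                        "no placement policy for VM (default deny)"))
            continue
        if location not in allowed:
            violations.append(Violation(ev["ts"], ev["vm"], dst,
                                        f"moved to {location}; allowed {sorted(allowed)}"))
    return violations


def residency_report(events, host_location=HOST_LOCATION):
    """Replay the events in order and return each VM's final location.

    Hosts missing from the inventory yield "UNKNOWN", which is itself a finding:
    a workload whose physical location cannot be stated cannot be attested.
    """
    current = {}
    for ev in events:
        current[ev["vm"]] = host_location.get(ev["dst"], "UNKNOWN")
    return current


if __name__ == "__main__":
    for v in check_migrations(SAMPLE_EVENTS):
        print(f"{v.ts} {v.vm} -> {v.dst}: {v.reason}")
    print(residency_report(SAMPLE_EVENTS))
```

This is a detective control: it tells you after the fact that the repository VM ended up in a location the policy forbids. The preventive counterpart is to constrain placement in the scheduler itself (pinning sensitive VMs to an approved group of hosts) and to write that constraint, plus the right to audit it, into the vendor contract the column goes on to mention.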

I will continue to explore these and other potential security risks so I can provide the best possible guidance should the company decide to pursue cloud computing. Through my research, I hope to scope out vendors and craft a contract that will truly protect our interests and those of our customers.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security.


Copyright © 2008 IDG Communications, Inc.
