This year, April study conducted by independent research firm Ponemon Institute and sponsored by CA Technologies, surveyed 103 cloud service providers in the U.S. and 24 in Europe representing a mix of cloud service and deployment models. 70% said they allocate 10% or less of IT resources to security and control-related activity.
Who is most responsible for ensuring the security of the cloud resources ?
“Right now, organizations are focused on moving their least sensitive data and applications to the cloud for cost savings and rapid deployment, leading to cloud providers not making security a priority” Matthew Gardiner, director in the security business unit at CA
The chart above shows the different perceptions about who is responsible for security in the cloud. According to this chart, both 32% of cloud users and cloud providers believe the cloud provider is most responsible for ensuring the security of cloud services. In sharp contrast, 69% of IaaS providers see the cloud users as most responsible for security, while only 35% of users believe they are most responsible for ensuring security.
These different perceptions between cloud providers and cloud users about who is responsible for securing the cloud means organizations may be over relying on their cloud vendors to ensure safe cloud computing. Despite the risks to data in the cloud, it is interesting that providers do not consider the security of cloud services as a competitive advantage.
“… more than 33% of the respondents were not very confident that their data was going to be protected and isolated in the cloud. It’s also the cloud technologies. They hear about private clouds and community clouds. And, again, more than 70 percent of the respondents were either not confident or really didn’t understand how they could get sensitive data controlled in a private cloud.” Tom FieldInterview of Russel Dietz, CTO of SafeNet
No doubt that the IT industry understands those risks pretty well and recognizes them as the major obstacles of the cloud’s future. The recognition of the security issues brought the establishment of the Cloud Security Alliance (CSA), a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is actually a consortium that was established at 2008 by the major IT companies including the Cloud providers that want to protect their business interests. The CSA’s board includes members from IBM, Rackspace, EBay, Accenturem, Trend Micro, Lockheed Martin, Google, Zynga and more other.
“The Cloud Security Alliance (CSA) will partner with ISO to develop key standards for cloud security. Organizations dependent on cloud services and the security executives charged with their safety will soon be able to measure cloud-based security controls using the same tools and measures currently used in traditional control structures,” says Marlin Pohlman, CSA’s global strategy director. Read more
Pohlman also compares the cloud security evolution with the development of railroad standards in Europe in the 19th century.
“Countries realized eventually that having a joint infrastructure was in everybody’s best interests.” Read More
Together with the Ponemon’s findings, there strong positive winds from the side of the US federal government. Federal IT managers indicate that cloud computing will become a core component of government IT in next five years, according to the December 2010 survey.
The Federal agencies recognize the security issues and are pushing to deal with them including establishment of the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. The use of this common security risk model provides a consistent baseline for Cloud based technologies and ensures that the benefits of cloud-based technologies are effectively integrated across a variety of cloud computing solutions. The risk model will enable the government to “approve once, and use often” by ensuring multiple agencies gain the benefit and insight of the FedRAMP’s Authorization and access to service provider’s authorization packages.
——————————————————- Cloud Security Vendors
The cloud security vendors are scattered across the different layers of the On-Demand industry, from support of the IaaS vendors to monitoring and securing of a SaaS application and data. The evolution of the security industry somehow aligned with the evolution of the IT hosting industry from a dedicated in-house environment all the way to the cloud era. In The Cloud Security part 1 I list the security benefits and drawbacks that comes with shifting to the cloud, summarizing those I can say that the concentration and the uniformity that comes with the public clouds will create new and complicated threats, hence development of more regulations and better security standards that will keep the security companies imperative even more than in the past.
The Cloud Security Vendors’ Evolution
Protection in the Cloud services include Web Filtering, Managed firewall, vulnerability scanning, authentication, managed VPN, intrusion detection, Web security and hosted e-mail security. On March this year the CRN.com Magazine listed the 20 top cloud security vendors, those provide services to secure data flow from and to the cloud including IaaS platform security, policy management and web filtering. From examination of those and other, you will find security vendors from all sizes, from the old, known and experienced huge IT companies such as IBM, CA and VMware (vCloud Security), to the midsize vendors such as Symantec, WhiteHat, ProofPoint, Panda Security, M86 Security, ApprRiver, Barracuda Network and more.
I consider myself as a `SaaS groupie` and due to that I searched and come the following short list of promising evolving fresh vendors with “pure SaaS” products that include a self-provisioning option. Those provide security tools mainly on the public clouds and I strongly suggest to try them as those products demonstrate the strong value of SaaS that slowly but surely penetrates the traditional IT security industry –
CloudPassage – came out of the gate with products to manage cloud security and defend cloud servers. The Halo SVM and Halo Firewall perform server exposure assessments, monitor configuration compliance and provide network access control to secure public and hybrid cloud servers.
Duo Security – offers Authentication-as-a- Service with its two-factor authentication offering designed to thwart account and data breaches and theft. Using a mobile device for its second factor, Duo leverages the cloud for an extra line of defense and does so seamlessly
Porticor – provides security and encryption for data in the Cloud. With no code changes, up and running within minutes. Simply login to their website and select the relevant options. It seems that currently they focus on supporting Amazon AWS cloud.
Dome9 – The concept is based on the securing a single atomic unit of the cloud. I found the approach interesting and folowing my discussion with Roy Feintuch, the company CTO and Co Founder, we can expect the beta version to be launch in the next few days. Follow me by twitter and I will be happy to update you.
There are ISVs and IT organizations that tend to think of a private cloud as better secure. There is a difference between private and public clouds which remembers me at the time when it was forbidden to use the Internet because of security reasons. As of today everybody laughs at it. As I noted several times in the blog I hold the opinion that it is just a matter of time and eventually public cloud will be the standard including a better security due to control and implementation of the better standards and more strict regulations.
One of the main Amazon outage lessons was that the companies who use the public cloud should expect disasters including downtime and I would have use the same approach here as well and say that a security disaster will happen. ISVs specifically and other cloud customers need to study the public cloud strengths and weaknesses and make sure to protect the application and the data from a potential security breaches. The liability of the ISV to its customers can’t be outsourced.