Perception Vs. Reality
IT professionals often perceive the cloud as no more secure, or even less secure, than keeping their applications and data inside their own data centers. But perceptions don't necessarily match reality.
When CA and Ponemon Institute commissioned a study of more than 900 IT professionals back in May 2010, they found that IT practitioners believed security risks were more difficult to curtail in the cloud, including securing the physical location of data assets and restricting privileged user access to sensitive data. The survey found that IT staff admitted they had incomplete knowledge about which of their computing resources were deployed in the cloud, mainly because those decisions were made by end users outside of any IT review. About half of all respondents acknowledged that many cloud resources were not evaluated for security prior to deployment within their organizations.
Perhaps all the fuss is more about insecure Web applications than about the cloud itself. Many of the top Web security exploits, such as cross-site scripting and SQL injection, have been around almost since Web servers were invented, and for some reason they still vex many corporate installations. Ironically, a May 2010 report by Derek Brink of the Aberdeen Group shows that users of cloud-based Web security tools fared better than their on-premises equivalents, with fewer malware incidents.
Certainly, there are more and less secure cloud environments, just as there are more and less secure local data centers. The Cloud Security Alliance is a non-profit organization formed to promote security assurance among cloud computing vendors. The Alliance promotes security best practices and builds consensus around particular security issues. Founded two years ago by a consortium of vendors and end-user IT managers, it has created several working groups, such as those focusing on data center operations, eDiscovery, and lifecycle management.
Anyone shopping for cloud services should seek clear and compelling answers to four questions:
- How is data encrypted, both in use and at rest, when stored in the cloud infrastructure?
- Are fine-grained access controls in place?
- How much of the cloud infrastructure is redundant?
- How well are Web applications protected?
We look at each of these in more detail through the following pages.