Executive Briefing

Cloud and Security

SPONSORED BY
Cloud services are gaining popularity amongst IT users, allowing them to access businesses applications
and platforms, storage and even whole chunks of IT infrastructure over a public or private network. As a
result, users benefit from lower-cost network infrastructure and data centre resources, and can turn fixed
IT costs into variable operational expenses.

However, there is a significant problem with cloud offerings, namely that they present new challenges
to IT managers, both in general security within their own enterprises and in assessing the risk profiles
inherent in each cloud offering they might source.

Experts are warning cloud adopters to check the security credentials of their service providers, but also
to strengthen and secure their own corporate networks that interface with the cloud, whilst retaining
responsibility for their own data compliance.

The authoritative Information Security Breaches Report, published by business consultancy

PricewaterhouseCoopers (PwC) in April 2010, found that a new wave of security breaches is hitting UK
businesses and costing them billions of pounds, as cloud computing, unified communications (UC), web-
based collaboration and social networking rapidly evolve.

Chris Potter, partner OneSecurity at PwC, says that almost half the organisations polled have increased
their expenditure on information security in the last
year. Meanwhile, most organisations (82 percent of
large enterprises and 75 percent of smaller businesses)
now formally assess their security risks, compared to
just 48 percent in 2008.
“Organisations are getting better at understanding
security risks in a changing business environment
where a large majority of them are relying increasingly
on external services hosted over the internet,” Potter
says.
Infrastructure on tap
Forrester Research VP Randy Heffner says that
with the emergence of cloud computing, and more
specifically Infrastructure-as-a-Service (Iaas), “there is
a fundamental shift in the security boundary”.
What data types do firms encrypt?
Laptop hard disks
Large organisations . . . . . . . . . . . . . . 75%
Small organisations . . . . . . . . . . . . . . 57%
Desktop hard disks
Large organisations . . . . . . . . . . . . . . 19%
Small organisations . . . . . . . . . . . . . . 25%
Wireless networks
Large organisations . . . . . . . . . . . . . . 74%
Small organisations . . . . . . . . . . . . . . 73%
Online customer transactions
Large organisations . . . . . . . . . . . . . . 62%
Small organisations . . . . . . . . . . . . . . 42%

“For many firms, the most fundamental security
boundary between their infrastructure and the rest of
the world consists of the perimeter security provided
by firewalls in their DMZ [demilitarised zone]. IaaS
moves the fundamental security boundary to the
configurations of virtual machines and virtual network
paths in your IaaS provider’s data centre.”
Data transfers to other organisations
Large organisations . . . . . . . . . . . . . . 57%
Small organisations . . . . . . . . . . . . . . 28%
Smart phones/blackberries
Large organisations . . . . . . . . . . . . . . 43%
Small organisations . . . . . . . . . . . . . . 23%

Heffner argues that IT users need to develop a
more pervasive approach to application, data, and
infrastructure security, like the pervasive security
considerations that come with mobile workers,
personal mobile devices, data privacy concerns, and
internal security threats.
Data held on virtual storage (Cloud)
Large organisations . . . . . . . . . . . . . . 14%
Small organisations . . . . . . . . . . . . . . . 9%
Information Security Breaches Report,
PricewaterhouseCoopers, April 2010

2
“With any non-public data in IaaS, you must make the fundamental shift to more-pervasive security,
especially if you have applications sharing data and transactions across internal and external boundaries.”

Securing the Cloud

Duncan Hughes, systems engineering manager EMEA at storage and networking specialist Brocade, says
that the cloud computing model requires networks to be more secure than ever before, as well as being
robust and reliable.

It is not a new concept to have large, ring-fenced computing resources which are available over a
network, he says. But what is new is the commercialisation of these services, whether they are Software-
as-a-Service (SaaS), Platform-as-a-Service (PaaS), or IaaS. Mass adoption means it will be harder to
police the cloud and secure organisations using it.

“We need to go deeper than the multi-layer security
approach we have today to enable the network to defend
itself against threats in the infrastructure,” Hughes says.
“If you think about telephony, a lot of communication
is happening at a peer-to peer-level, and we’ve got no
visibility of what’s happening to that UC traffic. We’re
going to need security at every point of the network.”
number has risen to well over double what it
Cloud adopters, he says, need a keen awareness of
who is accessing their data. “You may have an insular
network today and only allow certain data through your
brick walls, but you have to think about the implications
of giving wider access to applications. Is your IT
infrastructure secure enough? Think about encrypting your
connections.”
“Organisations are getting better at
understanding security risks in a changing
business environment where a large
majority of them are relying increasingly on
external services hosted over the internet.
However, this focus is not translating into
fewer breaches of security; in fact the
was two years ago and has reached record
levels for all sizes of organisation.”
Chris Potter, partner, OneSecurity,
PricewaterhouseCoopers.

Leigh Ann Campbell, cloud-agile programme director at utility storage vendor 3PAR, says there are
additional issues organisations should consider when moving to the cloud. They should ask what kind of
data is being stored and for how long; who has access to it; and what regulations a given enterprise needs
to comply with.

Also worth thinking about are how data is stored and segregated, and what the disaster recovery plan is.
“What’s important to consider is the cloud provider’s experience and infrastructure: look for a trusted and
experienced provider.”

Taking responsibility

When it comes to using the public cloud for applications or storage, users still need to take responsibility
for complying with regulations and ensuring data is secure, warn the experts.

David Bradshaw, research manager European SaaS and Cloud Services at IDC, says there are still grey
areas with regards to how cloud service providers help their customers to meet regulatory and legal
compliance requirements.

“Cloud services are still emergent, particularly PaaS. The ground rules are in place and follow similar
rules to the established SaaS sector, but there are some curious gaps, particularly with PaaS. And with
IaaS, the responsibility is switched around to you for security and compliance because you are effectively
using a managed, hosted server or storage unit.”

3
He adds: “You can expect service providers to make
their environments as secure as they can, and to do
their level best to ensure their security is much better
than what their clients can do on their own. But it’s not
impossible for users to do something foolhardy, such
as not having any security software on a server that is
connected to the internet.”
As well as securing their own IT systems, users need to
maintain responsible web and password usage amongst
workers.
A new service that could help raise the level of cloud
security comes from McAfee. In March 2010, the
vendor launched an offering for cloud providers that
combines vulnerability scanning, certification services,
automated auditing, and remediation and reporting
capabilities.
It is likely that other security vendors will follow
suit, Bradshaw believes. The McAfee Cloud Secure
Programme already has two high-profile cloud services
providers, Amazon Web Services and SuccessFactors.
Attitudes towards cloud services
Pros
44% saw paying just for what you get as
one of the key advantages
40% said a major advantage of cloud was
that it is easy and fast to deploy
40% considered not needing to buy
additional IT infrastructure as a key
advantage
Cons
38% of survey respondents were
concerned about the security and
compliance of cloud services
34% were concerned about the location of
their corporate data in the cloud
Source: IDC Survey

“With services like this, user organisations can demonstrate that they are taking reasonable care in
safeguarding their customers’ information, and all reasonable measures to hold financial information in a
safe and controlled way,” says Bradshaw.

In terms of meeting legal, regulatory and contractual requirements for data usage and storage, the
approach mirrors that of outsourcing, says Bradshaw. Outsourcing contracts have dealt with such issues
for many years.

Some organisations have security concerns about moving information offshore. But he says there is no
blanket reason why data has to be kept onshore, though certain industries may have requirements.

“The EU data protection laws, which have been effectively transferred to the UK, cover data transfer in
Europe. Also, there is a safe harbour agreement with the US, allowing UK organisations to have the same
data protection rights there,” argues Bradshaw.

Experts agree that users need secure mechanisms when moving data off-site, including a secure and
robust network with encryption and access controls at the right levels.

The right infrastructure

It will be essential for organisations to have the right We need to go deeper than the multi-
infrastructure in place to support cloud services, says Simon layer security approach we have today,
Pamplin, southeast manager UK and Ireland at Brocade. to enable the network to defend itself
against threats in the infrastructure.
“Over the past couple of years the number of users, Duncan Hughes, Brocade
combined with the broader use of collaborative applications,
has had a staggering impact on enterprise network traffic. In fact, a January 2009 Yankee Group Report
predicted that network loads will increase 1,000 percent in the next five years.”

4
The benefits of Cloud have been widely discussed, but
what hasn’t been readily talked about is the support
needed at the back-end to deliver such technologies.
One of the key enablers of cloud computing is IT
organisations using software to configure and provision
systems that are then consumed by end users from a
self-service catalogue of available resources, Pamplin
says.
In addition, changes to the infrastructure have to be
made in coordination with other data centre resources
such as storage and compute elements, effectively blurring the line between what have traditionally been
silos of resources.
“Cloud services are still emergent. The ground
rules are in place and follow similar rules to
the established SaaS sector, but there are
some curious gaps. With Infrastructure as a
service, the responsibility is switched around
to you for security and compliance because
you are effectively using a managed, hosted
server or storage unit.”
David Bradshaw, research manager,
European SaaS and Cloud Services at IDC

“So, for organisations to fully harness the benefits of cloud computing they need to first ensure they have
a robust, high-performance, standards-based network infrastructure in place. Whether public or private,
all clouds share the same enablers; pay-per-use software; virtualisation and automation; broadband
networks; and large, robust data centres. The network is therefore key to efficiently connecting and
supporting these enablers,” says Pamplin.

The cloud is by no means fully formed, but it is developing to be one of the biggest movements in the IT
industry for some time.

However, before heading for the cloud, organisations should do two things. First, they should ensure
they have a secure network infrastructure in place to support cloud integration. And second, they need
to make sure any prospective service provider will help them meet their security and data compliance
responsibilities.

© IDG 2010. IDG Communications Ltd, 101 Euston Road, London NW1 2RA