Cloud; Barriers to adoption

My second post relating to cloud computing will focus at a high level on what seems to be the current major barrier(s) to the wider adoption of cloud use by businesses.

Future posts will likely go into more detail around technical threats such as side channel attacks (e.g. trying to connect to the target guest server from another guest known to be on the same host) and cartography (“mapping” the target environment by methods such as traffic sniffing and analysis), but this one will focus on providing a high level overview of the risks and fears around moving to the ‘cloud’.

It is already clear that in many instances the elasticity (ability to scale up and down on demand), resilience and cost vs. hosting services internally can offer clear benefits to businesses.  So why then are many businesses reticent to move completely or even partially into the cloud?

Outside of any general resistance to change the main concern is with security and regulatory requirements.

When infrastructure and applications are hosted internally you intrinsically feel that your data, and that of your customers, is safer.  Outside of potential ‘insider’ threats, data on your servers in your server room is inside your companies perimeter, no matter how porous this may be, protected by your firewall(s), AV(Anti Virus), DLP (Data Leakage Protection) tools, trusted staff and company policies.  Even when the data leaves site it is likely on managed, and hopefully encrypted, tapes or via a managed, and hopefully encrypted, network link to a DR / BCP site.

Now when you move to using the cloud in some way your systems and data are hosted elsewhere, potentially moving across multiple physical servers or even datacentres outside of your control.  This movement along with the environment being shared by other companies (e.g. multiple businesses may have guests on the same physical host) are the primary drivers of fear around the security of systems in the cloud.  Using the cloud also obviously shares various concerns with other forms of hosting / co-location around third party access to data etc.

Hand in hand with security are regulatory / compliance concerns that also stem from the above features of using the cloud;

–          Who can audit the systems and overall cloud?

–          Does the data move across state boundaries (e.g. does it leave the UK or the EU?)

–          Who could potentially access the data?

–          What happens in a disaster recovery scenario?

–          How can you move to another provider? (Vendor lock in concerns)

–          How is the data deleted from the cloud (data retention / incomplete deletion concerns).

Various measures exist to mitigate the risks, these include –

–          Procedural; Ensuring due diligence is carried out prior to engaging the vendor and contracts are in place to ensure adherence to legal / regulatory requirements.

–          Security checks; Regular penetration tests and other security checks of the vendors systems and facilities should be carried out, and any issues identified remediated within agreed time frames

–          Encryption; ensure all sensitive data (ideally all data if possible) is encrypted in transit and at rest – this prevents prying and mitigates risk of data not being deleted

–          Authentication; ensure all systems in the cloud utilise strong authentication methods to prevent unauthorised access.

The ENISA (European Network and Information Security Agency) report titled ‘Cloud Computing Security Risk Assessment’ neatly sums up the benefits of cloud and the security concerns;

The key conclusion of this paper is that the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective.

K