Editor's note: Customers may be willing to negotiate and compromise with a cloud provider on cloud pricing or performance guarantees, but evidence of a secure cloud will always be non-negotiable. In the first part of this two-part series, security expert Neils Johnson outlines how and why cloud providers must address customers' cloud security concerns. Don't miss the second part of this series on addressing cloud computing security risks, which contains a cheat sheet of customer questions every cloud provider should be prepared to answer.
The mountains of Nevada are pocketed with mines dug long ago to exploit the resources found deep underground. The security systems of those mines -- with wooden support beams to prevent cave-ins and ventilation shafts to air out poisonous gas -- were essential for a mine owner to have in place before the miners would consider entering that dark and ominous space. The potential for robbery had to be addressed as well, lest a criminal carry off the valuables.
Customers worry about the cave-ins of unmet SLAs, the poisonous gas of malware and social engineering, and preventing the modern-day Jesse James from pilfering the gold mine of data that grows richer every day.
Cloud providers and enterprise IT organizations find themselves in a very similar set of circumstances today as they address the need for a secure cloud. Adoption of cloud storage and cloud servers is not just a good idea for enterprises and small- and medium-sized businesses (SMBs) -- it is quickly becoming a requirement under the strains of data growth rates and storage demands. Yet many prospective customers resist adopting cloud services because they doubt providers' abilities to build a secure cloud. Customers worry about the cave-ins of unmet cloud service level agreements (SLAs), the poisonous gas of malware and social engineering, and preventing the modern-day Jesse James from pilfering the gold mine of data that grows bigger and richer every day.
Corporate IT environments are built and managed with a self-imposed conservatism -- which is not necessarily a negative position -- about availability, security, testing and deployment. They pay those people to be paranoid. Opposite these high expectations is the reality that global IT budgets have not fully rebounded from the economic turmoil that began in 2008. Yet the dramatic growth rate that enterprise data will experience in 2012 -- 62% -- is forcing customers to consider moving as much data as possible to the cloud.
Consequently, cloud providers must demonstrate their ability to store cloud data with a level of security as high as or higher than what customers are able to provide for themselves in corporate data centers. Fortunately, the differences between securing a large enterprise data center and building a secure public cloud are almost negligible. Both must guard against internal and external threats; for cloud providers, this must be done just at a far greater scale.
Providers must balance SLAs and requirements of secure cloud
External threats are abundant and only getting more dangerous. Network worms, Trojans and social engineering continue to display levels of expertise in craftsmanship that have not been seen before. Unfortunately, and at the risk of sounding hyperbolic, we are only seeing the latest iteration of what the bad guys are capable of. Duqu, built upon the shoulders of Stuxnet, is a strong demonstration of the kinds of technical expertise threatening service providers' ability to secure cloud services. And Duqu is only a device to lay the groundwork for whatever it is setting up to follow.
Internally, cloud providers face another set of challenges and threats. Compliance requirements, budgetary constraints and SLAs may conflict with what service providers must do to build a fully secure cloud. Those challenges are multiplied by the number of customers and the specific requirements of each customer.
It's clear which cloud providers will be the winners and how they'll achieve success, but many will find the strategy hard to swallow. The cloud providers that win the minds, hearts and wallets of IT will be the ones that best meet customers' criteria and answer the difficult cloud security questions with complete transparency. Remember, customers are preparing to put the crown jewels of the company – mission-critical applications and data repositories -- in the hands of an outsider. And if the cloud provider is compromising a secure cloud to meet SLAs, or vice versa, those prospective customers won't be signing any contracts.
Continue reading: Cheat sheet: Talking to clients about cloud computing security risks
About the author: Neils Johnson is a consulting strategist at ACG Research. He has more than 20 years of experience in the security industry, including more than over 16 years with Symantec, where he continues to present, teach and offer security expertise to sales, CXOs and partners focusing on security for their customers.