Someday, cloud security vendors and cloud services providers will convince enterprise IT that it's safe to move sensitive data and mission critical apps from the private cloud to the public cloud.
Unfortunately, that day has not yet arrived.
Security practitioners, consultants and analysts interviewed for this story say cloud security vendors and cloud services providers have a long way to go before enterprise customers will be able to find a comfort zone in the public cloud, or even in a public/private hybrid deployment.
When asked for predictions as to when enterprise IT will be willing to elevate their level of play in the public cloud from dabbling in non-sensitive data storage and consuming a little bit of SaaS from trusted entities like Salesforce.com, to running business critical applications, the answers ranged from six months to two years.
So, what's hindering public cloud adoption? The hesitation over security in the public cloud centers on:
• Concerns about securing the communications channels within multi-tenant virtual networks.
• Uncertainty about how the exploding number of heterogeneous mobile devices will be securely supported in the cloud.
• An inconsistent path for extending existing identity and access control mechanisms used in the enterprise up into the cloud.
• Questions on how trusted encryption and tokenization models need to be changed to adequately protect sensitive data stored in the public cloud.
Tech debate: Public vs. private cloud
These potential technical issues are compounded by the fact that public cloud providers are notoriously unwilling to provide good levels of visibility into their underlying security practices. For an enterprise, not having a proper window into the security posture of its cloud provider will stall necessary auditing processes and compliance checks.
But all of the sources interviewed are confident that eventually public cloud security will reach the level that enterprises currently expect in their privately controlled networks.
The public cloud is well past the infancy stage, says Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy based in western Massachusetts.
"It's more like a gifted adolescent who's recently moved to a new community. She looks at things a little differently than others. She handles things differently. People are intrigued because she's kind of cool, but at the same time they hold back a bit because she's still a bit unpredictable," Braun says.
But give her just a bit more time and most people are going to want to glom onto her popularity.
Analysts, consultants and customers say they are encouraged by product announcements from established security vendors as well as from start-ups that address many of these perceived problem spots in cloud security.
Customers are acutely aware that this extensive conversation about security in the public cloud is taking place before they've been forced to actually jump in, which is a luxurious switch from how security was handled during past corporate computing shifts, such as moving to the LAN, setting up client/server operations and opening up the enterprise to the Internet.
"Security administrators simply dealt with the post-deployment security issues as they cropped up," says Gary Loveland, a principal in PricewaterhouseCoopers' Advisory Practice and a lead in the company's Global Security Practice.
With those experiences under their belts, enterprise IT shops are working out the public cloud security issues pro-actively. "Before they go and add public cloud to the mix, they are asking the right questions that will push their prospective vendors to provide a cloud ... that is locked down with most -- if not all -- the controls they need in place," Loveland says.
According to a study published in late July by the Aberdeen Group's Derek Brink called "Security and Cloud Best practices", nearly half of the 110 enterprise IT shops surveyed said they are taking an approach that involves putting pressure on cloud service providers to implement strong security practices and augmenting those with technology that remains under enterprise control when the cloud providers' measures seem to come up short.
"Enterprise trust of the public cloud is pretty limited at the moment," says Jon Oltsik, principal analyst at Enterprise Strategy Group. But that mistrust doesn't necessarily reflect any hard evidence that security in the public cloud is bad, he adds.
For example, Oltsik says Amazon "is doing incredible things to build security into its [EC2] infrastructure, to acquire all the proper certifications, hire very talented security personnel" and has upwards of 500 security controls in place that should provide some comfort level for enterprise customers.
According to Simon Crosby, former Citrix CTO and founder of Bromium, a start-up looking to build products that use virtualization to secure mobile clients, the legal and compliance fears being raised today are remnants of how computing was done 10 years ago.
The public cloud structures being built today are actually far more able to withstand attack than any private network, Crosby says.
"If you told me to go build a secure application, that would run 24 by 7 worldwide and wasn't at risk for data theft I would build something like Netflix, which runs in Amazon's public cloud," Crosby says. "There are 30 billion objects in that store. Go ahead and try to find my stuff in there. And it's so distributed that it can withstand massive DDoS attacks from all sorts of anonymous sources. Yeah, I'd build it in the public cloud. And I wouldn't lose any data."
According to a cloud security study written by Phil Hochmuth, program manager of security products at IDC in August, users aren't as bullish on that point. When asked if they thought a cloud provider's architecture could be more secure than their own internal one, only one-third of the 500 organizations surveyed said yes.
However, among those that had already jumped into either public or hybrid cloud deployments, more than half of each group agreed that providers offer better security than their respective IT teams.
Richard Rees, manager of EMC's virtual cloud consulting services, suggests there are some enterprise business workloads whose security posture can be greatly improved by pushing them into the public cloud. Take messaging for, example. In IDC's survey, messaging security registered as the most prevalent security software-as-a-service platform employed today. It's used in 30% of the 250 enterprises surveyed and in almost one quarter of the 250 SMBs surveyed.
"IT security administrators have struggled for years to deal with things like automatic digital signing and public/private key encryption for secure email," Rees says. Those security parameters are implemented in the cloud by IT professionals who understand them completely. And they are turned on by default in the public cloud because it's more economical for a provider to consistently manage one highly secure user profile across its customer base.
"So you automatically get that high level of protection [from the cloud] that you may not have been consistently delivering for a variety of business and logistical reasons yourself," Rees says.
Larry Campbell is vice president of Information Management and Technology at DAI, an international project development firm in Bethesda, Md., with 2,000 development professionals in the field around the world. DAI first built a private cloud to better understand the issues surrounding virtualized computing, then this year completed a move to the public cloud, using multiple providers.
DAI works with NaviSite to run its Oracle databases in the cloud and recently went with VirtuStream to host its shared data drives, run a SharePoint portal and manage its messaging services.
There was a lot of back and forth with NaviSite and VirtuStream before Campbell was able to make sure the providers' security practices jibed with DAI's internal ones. "But in the end, the reality is that we're a mid-size company that doesn't have a huge IT budget. These [public cloud] providers have deep, technical staffs who have a greater understanding of the security issues in the cloud than we have inside our company," Campbell says.
The proof is in the audit
The public cloud business model hinges on a dynamic environment where it can host many different kinds of workloads that can be moved around at will to optimize the underlying infrastructure. Customers want to make sure there are controls in place to protect their workloads from attacks and want to be able to view information about those controls down to a very granular level.
"But that level of detail is really just outside of the scope of most public cloud providers' business models. Therein lies the disconnect," Oltsik says.
Public cloud providers have been notoriously tight lipped about details pertaining to their security practices for two reasons. First, they don't want to disclose security practices that give them a competitive advantage and, second, they don't want to risk exposing potential attack vectors.
Sure, some providers give you a pretty dashboard that provides a window into your services running in their cloud. But according to Beth Cohen, senior cloud architect with Cloud Technology Partners, most aren't providing enough information about security deep down in the stack on an ongoing basis to satisfy enterprise customers. Cohen thinks it is unlikely that the industry will see much of an improvement in this area because "most cloud vendors aren't likely to give away the store."
Cohen thinks it's more likely that cloud providers will continue to turn to third-party certification groups like SAS 70, ISO 2077 and PCI DSS to help provide some piece of mind to their enterprise customers. They can get the certification without having to publicly divulge how they are delivering on their security promises.
CA Technologies Tim Brown, who serves as chief security architect for the company's Security Customer Solutions Unit, agrees. "If there is a cloud service provider that has passed all the tests [to earn a publicly recognized certification], it will be far faster for a customer to go with an approved provider than to pursue the certification themselves."
"But we're certainly not at that point, yet," Brown says.
The Cloud Security Alliance (CSA) - a vendor-neutral industry group that is widely credited with shining a steady light on security in the cloud - is homing in on the issue of cloud provider disclosure with its STAR registry. The CSA holds considerable clout with both vendors and customers because of the yeoman's work it's done to compile and publish guidance documents about cloud security best practices.
The CSA STAR registry is open to all cloud providers and allows them to submit self-assessment reports that document compliance to CSA published best practices. The searchable registry - which is set to go online this month -- will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.
"There is a reasonable middle ground between proprietary security and fair disclosure" and that is the level of information the STAR registry is positioned to collect, says Jim Reavis, CSA's Executive Director. The CSA matrix asks upwards of 200 questions in the areas of compliance, data governance, physical security, human resources security, information security, legal requirements, risk management, release management, resiliency and security architecture.
The question remains, though, how many cloud services provider are going to be willing to pony up the necessary information.
According to CSA research director J.R. Santos, the organization is working on vendor participation from two angles. "We are trying to create some friendly competitive pressure on the vendor side and we are hoping that customers will make referring to the STAR registry part of their procurement process to help push the demand."
John Ambra, director of technical services for Modulo, a risk management service provider in Atlanta, works with large enterprise customers to assess the risks involved with taking on new products and services for deployment both in-house and in the cloud.
Whether or not the STAR registry will provide efficient enough information about a cloud provider's environment will be based on what services you're considering, Ambra says.
"If you are just looking to get your help desk tickets, then you are probably fine collecting that level of information. But if you want to use them for credit card transactions, you are still going to do the legwork and do a full scale on-site assessment," says Ambra, noting that with most public cloud SLA agreements in place today, liability for security issues (and therefore the burden of due diligence) remains squarely on the customer.
The number of customers pushing the big public cloud providers to assume some of the liability for security breaches is still very small, contends Michael Berman, CTO at Catbird Networks, a virtual security company in Scotts Valley, Calif. Catbird works with enterprise customers to secure their private clouds and is used by Amazon in its public cloud.
"Amazon is making a ton of money delivering CPU, bandwidth and storage while assuming none of the liability for the sensitive data stored there," Berman says. "The economics to make them change that course just aren't in place yet."