Is “Secure Cloud” An Oxymoron? (Part 1)

By guest author Shaloo Shalini

In 2010, in professional and popular circles of opinion, “cloud security” has gone from being tagged as an oxymoron to no longer being one. Well, “cloud security” could be an oxymoron just for the effect of it. It is as much of an oxymoron as “honest broker” or “working from home,” unlike the true oxymoron “definite possibility.”

Several surveys and analysts across the industry have written about cloud security as the topmost concern of CIOs today. There are others who play down security concerns and believe that the cloud actually raises the industry’s bar on the security front. There have been debates among experts and communities on the topic. But these often fail to answer the question, Is cloud computing inherently less secure than traditional computing?  Is it in any way inferior to traditional IT systems when it comes to the security? Or is the perception of security in the cloud context the real issue? Security encompasses not just the physical security of computing resources and data but also access, authorization, tracking, audit, data availability, and data leakage.

Were mainframes considered more secure than desktops when the latter arrived? Was the security of distributed computing or peer-to-peer models inferior to that of client-server models?  Time and again, we have been witness to similar concerns as technology evolves, unfolding newer layers and greater specialization and sophistication. With each turn of evolution comes the need to secure the newer frontiers and interfaces that emerge in newer computing models.  System security has to evolve hand in hand with the systems themselves. Cloud computing (and cloud security along with it) is still in its early stages of evolution and deployment. It is but natural to have concerns about cloud security at this stage. At the same time, through experimentation and efforts in this direction, we need to see whether security itself is evolving to address many of the popular concerns.

In the end, it all boils down to the comfort level with the amount of control in terms of people being in charge of their data and systems at all times, directly or via delegation to a third-party provider for reasons such as scale, efficiency, and flexibility addressed through clouds in the form of XaaS offerings – IaaS, PaaS or SaaS, and a multitude of others such as data, integration, and storage as a service. Once providers begin to mature and create bulletproof and watertight security for their cloud-based offerings, taking care of the multi-layering and multi-tenancy aspects and start honoring SLAs to that effect – all concerns about cloud security will be the typical engineering problems to be solved, similar to desktop security – or physical, virtual, or mobile device security, for that matter. It goes without saying that organizations need security at all levels depending upon their specific security needs – those that are catered to by providers as well as the required level of security in applications and interfaces to such secure provider offerings.

Winston Damarillo, a serial entrepreneur and founder and CEO of Morphlabs, has a pragmatic view on cloud security and an interesting one when it comes to entrepreneurship and blue-sky opportunities in the cloud. He spearheads several initiatives in the Philippines that help entrepreneurs and is active in the World Economic Forum, where his focus is on the role of IT to help change lives in developing countries.

Winston believes that if entrepreneurs and cloud adopters start working to meet IT needs in places where they can be more inventive and innovative and take more risks, especially in areas that are not overproctected by over-engineered regulations, then they can understand cloud security concerns better because they are implementing solutions in reality. He says, “Once you know the issues very well in your cloud adoption context, you are automatically in a better position to secure it much more effectively than anybody else. But look for problems where the need is there and now. Before we talk about all the things that could go wrong, there are other things that are not serviced by IT at all today – those areas are ripe for cloud-based innovation.”

Winston sees a lot of cloud adoption in developing countries. Adoption is typically based on private clouds and private-public hybrid cloud models that make generous use of open source technology and components along with cloud computing paradigms to address e-health, e-governance, e-social, university, and community initiatives.

Comments

The comment that security will evolve to become an engineering task is a good end state to be working toward. Thank you for the comments. Security in the cloud since cloud is new does allow the ability to create new thought and prespectives and we should embrace those now. Security in cloud involves much review of the management domain of the cloud and who owns the rights assignments to the meta data. Real concerns over who controls the management domain and thus the meta data rights to some degree matter thus the provider of cloud must be able to not just technically address the issues but be reviewed from a trust standpoint that is not typical of most Internet relationships. Just WHO is the cloud provider, what is their background and who are they associated with matters, just as it is in a trusted employee relationship. Do you really know your cloud provider? Do they expose their policies and prove who they allow multi tenancy with? Do they have trusted Internet connections? Can they prove how meta data rights are protected? If not you have a valid reason to have trust and security concerns regardless of what technologies they deploy for security. The "who" matters more than the "how" in cloud security.

John Keese Sunday, January 2, 2011 at 10:26 AM PT