A Chicken and Egg security conundrum among incumbents: Wait for the cloud or plan for its imminence?

19 02 2012

The recent and rapid adoption of cloud computing among incumbent organizations has created opportunities that have advanced their technology infrastructure and business operations. Although the evolutionary response of cloud computing towards advancing technology operations is promising, its ubiquity and transformational nature are cause for concern among incumbents as they intersect with legacy security practices (Song, Shi, & Fischer, 2012). This cause for alarm is supported further by the projection that the overall market size of cloud computing was poised to reach $40 billion in 2011 and grow to over $240 billion by 2020 (Villasenor, 2011).

According to Mell and Grance (2001), cloud computing enables ubiquitous, on-demand network access through the sharing or pooling of computing resources that can be rapidly provisioned and released with minimal management effort or interaction. However, there remains a striking paradox in cloud computing when it comes to security. On the one hand, cloud computing has the potential to provide low-cost security; on the other, companies increase their security risks by storing sensitive data in the cloud. Similarly, cloud suppliers are typically larger than their clients and are likewise targeted by hackers, as information stored in the cloud has a goldmine effect for cybercriminals (Kshetri, 2011). Therefore, it is obvious that cloud-based systems cannot be protected in the same secure manner as traditional organizational distributed systems.

Another consideration is that the elasticity of cloud computing presents incumbents with unique policy, regulatory and legal challenges in its deployment. For example, although cloud computing resources can be located worldwide, the physical location of the data centers determines which laws govern the management of the cloud-based data. In a security context, this may preclude the use of certain cryptographic techniques or dictate what data can or cannot be stored within national borders (Voorsluys, 2011).

Therefore, a few questions remain: Does an incumbent create a forward-looking security policy with a projected cloud deployment in mind, or does the incumbent simply wait, react and rely on deploying security plans when it is ready to deploy into the cloud? In either case, the incumbent must consider a sound solution that addresses the security triad (CIA) and that is preemptive, anticipates a cloud provider’s security policy, or takes a hybrid approach that assumes the practices, resources, processes and perhaps even the values of the cloud provider.

In terms of the first question, it is this blogger’s view that incumbents should develop security policies ahead of an inevitable or budgeted cloud deployment. The rapid adoption of cloud computing is in itself disruptive to existing infrastructures, and the pervasiveness and ubiquity of computing devices have likewise accelerated. Due to the lack of physical control over a cloud provider’s environment, incumbents must place added emphasis on the cloud and plan it into their existing Service Level Agreements (SLAs) and contract requirements, as a matter of organizational policy, in ways that mitigate risk (CSA, 2011).

Next, an organization’s security can be exemplified by the maturity, effectiveness and completeness of the controls that have been implemented (CSA, 2011). However, one of the greatest challenges incumbents face when migrating to the cloud environment is awareness of the provider’s own security and governance policies, which may differ from those of the incumbent. The distinction highlights the point that the incumbent’s policies have been created over time to address its business practices and regulatory needs. The cloud provider, on the other hand, has policies established to provide services to a broad range of customers. Incumbents must therefore undertake proactive due diligence with their audit staff to determine which policies are negotiable and which can be discarded or rewritten to conform to the new environment (Riley, 2011).

In addition, control frameworks for cloud environments are not yet mature. With preemption in mind, organizations that are considering a move to the cloud can, for control compliance, consider frameworks such as COBIT, ITIL and ISO 27001 as starting points. Similarly, incumbents can review cloud guidance from the Cloud Security Alliance (CSA), the National Institute of Standards and Technology (NIST), the Information Systems Audit and Control Association (ISACA) and the European Network and Information Security Agency (ENISA) (Halpert, 2011).

Finally, in terms of preemption and with these precipitous changes in mind, organizations must address the fundamental security issues in cloud computing before such a deployment begins rather than treat security as an incremental item (Halpert, 2011; Robinson et al., 2007). For example, companies may elect to deploy private clouds rather than public clouds with security issues in mind. However, these decisions can be problematic if the organizations do not make the requisite operational or management changes to create a private cloud solution and take steps to secure private data online (Bittman & Scott, 2011; Song, Shi, & Fischer, 2012).

Winston Churchill said it best, “Let our advance worrying become advance thinking and planning” (Brainyquote, 2012).


Bittman, T., Scott, D. (2011). Private Cloud Computing ramps up in 2011. Gartner Research #G00210768.

Brainyquote (2012). Let our advance worrying become advance thinking and planning. Retrieved February 18, 2012 from: http://www.brainyquote.com/quotes/quotes/w/winstonchu156920.html

Cloud Security Alliance (CSA) (2011). Retrieved February 18, 2012 from: https://cloudsecurityalliance.org/

Halpert, B. (2011). Auditing Cloud Computing. Wiley: Hoboken.

Kshetri, N. (2010, October). Cloud Computing in Developing Economies. IEEE Computer Society.

Mell, P., Grance, T. (2011). The NIST definition of cloud computing (Draft). National Institute of Standards and Technology. Special Publication 800-145. Retrieved February 18, 2012 from: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

Riley, S. (2011). Systems and Infrastructure Lifecycle Management for the Cloud. In: Halpert, B. Auditing Cloud Computing. Wiley: Hoboken.

Robinson, N., Botterman, M., Valeri, L., Ortiz, D., Ligtvoet, A., Shoab, R., Nason, E. (2007). Security Challenges to the use of Disruptive Technologies. RAND Corporation Technical Report.

Song, D., Shi, E., Fischer, I. (2012, January). Cloud Data Protection for the Masses. IEEE Computer, pp. 39-45.

Villasenor, J. (2011, June 25). Addressing Export Control in the Age of Cloud Computing. Center for Technology Innovation at Brookings.

Voorsluys, W., Broberg, J., Buyya, R. (2011). Introduction to Cloud Computing. In: Buyya, R., Broberg, J., Goscinski, A. Cloud Computing: Principles and Paradigms. Wiley: Hoboken.



