Security in the Cloud

7 09 2011

With cloud computing and storage offerings from companies like Amazon and Salesforce.com growing in popularity from consumer and enterprise standpoints, one area that sometimes is overlooked is how to manage security in cloud applications. With so many people using cloud applications already, it can be easy to assume on an individual level that what Amazon or Google offers must be safe, otherwise why would everyone else be using it?  However, the establishment of the Cloud Trust Authority as well as the Cloud Security Alliance suggest otherwise. Thus, from an executive standpoint, what things must you consider if you are thinking about moving company data to the cloud? What types of security offerings have evolved from the increased demand for secure cloud applications?

There are three general layers to examine cloud security at: 1. How security-critical is the data being put into the cloud? 2. How secure is the actual cloud? 3. How secure is the data as it moves between me and the cloud?

1. How security-critical is the data being put into the cloud?

Combined with performance and availability concerns usually associated with the cloud, high-risk data usually would not be put into the cloud. For example, would you put critical, competitive differentiating information into the cloud? Arguably one of the reasons Salesforce.com has succeeded as a cloud service is because it offers services in Customer Relationship Management, which, while it is a valuable resource, is not of the same criticality level as business-differentiating product engineering plans. Thus, anyone thinking about moving into the cloud must first consider, what is the security need for the data I plan on placing in the cloud?

2. How secure is the actual cloud?

Once decided that the data can be placed in the cloud, one once consider – how safe is the actual cloud? Will other businesses using the same cloud vendor be able to access my information as well? What are the security precautions my cloud vendor is taking to make sure my data will only be accessed by me?

3. How secure is the data as it moves between me and the cloud?

Lastly, while your own network or machines can be watertight, and the cloud you are putting that information in can be completely locked down, what about that data as it moves between you and the cloud? That is where vendors such as CipherCloud come in. The encryption that companies such as CipherCloud provide not only assures customers that their data will be safe as it moves to and from the cloud, but also that it will be safe inside the cloud as well, as only the customers are privy to the keys, not the cloud service providers.

It will be interesting to see how the security environment for the cloud will evolve as it is expected that cloud adoption will rise rapidly in the near future.  Hopefully this also encourages you to think about what types of personal information you are allowing Google, Amazon, etc. to store in their clouds for you.