The most mature and readily available security controls today in cloud computing are associated with identity and access management mechanisms and server-based encryption, he said. But cloud customers have to ask how encryption keys are managed and stored and if the risk is acceptable, he noted. Gateway-based encryption, or what's sometimes called a broker gateway or proxy, is another option, and it's changing quickly, he added. Forensics investigations are not really viable today, he noted, and in terms of overall security controls, it will probably take five to 10 years to really see a "solid set of technologies" for cloud computing.
The economic appeal of cloud computing is strong and sometimes it does appear economic benefits outweigh potential risks. Gartner is advising clients in general to allow low-sensitivity data to be considered for cloud services; but if it falls in the "medium" range of sensitivity, there's a strong need to conduct a risk assessment. And if the data is of high sensitivity, it should not be considered feasible or permissible for cloud services.
This process also means making sure that the business managers are engaged and realize they "own" the data, and are up to speed on the risks associated with cloud computing, says Heiser.
Nonetheless, cloud services providers rarely offer any indemnification against hacking, Heiser says. And SaaS remains more "mysterious" than IaaS in terms of making it clear how they really operate even as customers basically enter into a kind of supply chain cloud. Since one risk is that a cloud provider might go out of business, there needs to be assurance that the provider can return data or has a contingency plan for back-up. When the Mumboe SaaS went out of business two years ago, they gave customers two weeks to go get their data back, mentioned Heiser. That was a wake-up call of sorts that clouds sometimes do evaporate, and plans need to be made for these kind of downpours.
Even at some of the household names in cloud-computing today Amazon, Google, Microsoft there have been instances where data has disappeared, at least for a time, or never returned, says Heiser. "Restoration is not an easy process," he adds. "Put loss of service and availability at the top of your list." Live upgrades of services can lead to widespread data corruption, he pointed out.
IT managers have become accustomed to the idea they have control over what they can do in-house in terms of the application, services, servers, storage and network, and security. He says they need to fully realize that this accustomed level of flexibility isn't going to be there in cloud computing by its very nature.
Sign up for Computerworld eNewsletters.