Security and the Cloud: Something Old, Something New

Security considerations in a cloud computing universe are real, but not much different than the threats organizations wrestle with today in a traditional networking environment.

"This is not a new set of issues," said Ellen Rubin, founder, CloudSwitch. "The issues are the same that you have in your own internal environment."

Rubin was one of the speakers on a "Security and Cloud Migration" panel at the inaugural CompTIA Tech Summit, co-located with CompTIA Breakaway 2011.

Just like in-house IT departments, cloud providers have been focused on issues such as the physical security of data centers, encryption of data and user access considerations.

"To me it's still networking," said Ron Culler, chief technology officer, Secure Designs Inc. "Networking fundamentals and principles still apply no matter where you put it."

A huge difference, however, is that the IT community "hasn't fully grasped all the ways organizations are using the cloud," according to Scott Crenshaw, vice president, cloud business units, Red Hat.

In a cloud environment, there's often no longer a need for the IT department to act as the interface between users and the applications and data they access.

"Policies are changing, not out of design but out of customer demand," Crenshaw said. "It's not just about the evolution of the technology. It's a change in expectations about policies and procedures."

Crenshaw cited as an example the move by many companies - large and small - to a cloud composting solution for managing and maintaining their customer data, sales records, revenues projects and assorted related information. Many of these companies made this shift without the approval or blessing of a board of directors, c-level executive or any level of thorough and thoughtful consideration.

"They did it because application's features and functions were so compelling that they had to have it, even though there was a potential for risk and liability," he said.

"It's easy to write an app, but where does it live?" Culler asked. "The large public clouds are extremely interesting targets for hackers around the world. There's a lot of people out there with a lot of computing power and a lot of bandwidth."

Culler's advice to current and prospective cloud users: find out where the service provider is actually storing the application, whether it's in a public or private cloud and its physical, geographic location (domestic or overseas).

Rubin said security is one of three main concerns organizations have in their consideration of cloud computing solutions. The other two are interoperability with existing systems and "lock in" with a cloud provider once you make the move, then decide that it's not for you. Issues about service levels, pricing, deciding which apps to migrate and what benefits will occur are also still in flux.

"Answers to those questions area still very amorphous, still very unknown to most organizations," Rubin concluded.