Despite widespread interest in cloud computing, many organizations are “flying blind” with respect to making it secure. Not only that, cloud computing is yet to be mandated under regulatory compliance!
Cloud computing is undoubtedly the next wave of transformation in the IT industry. According to a recent Gartner report, worldwide cloud services revenue is forecast to reach $68.3 billion in 2010, while the industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion.
In India, the market for cloud adoption is equally exciting, if not more so. The Indian cloud computing and cloud services market holds a potential of more than $1 billion by 2012, according to a study by Zinnov Management Consulting.
The total market of cloud computing in India stands at $110 million today and is likely to reach a figure of about $1,084 million by 2015, the study reveals.
Adoption of cloud computing and cloud services has been on the rise among enterprises – both large and small. Given the ease of use, end-user accessibility through the Internet, potential cost savings and productivity improvements, IT managers are thinking strategically about deploying cloud services.
Despite this widespread interest in adopting cloud computing technologies, many organizations are “flying blind” with respect to making them secure, potentially putting their operations, intellectual property and customer information at risk. The valuable offerings of cloud computing can make it difficult for companies to engage the IT staff necessary to maintain and secure sensitive and confidential information.
Cloud awaits regulatory compliance
As we talk of the security issues involved in cloud computing, how can we forget that cloud computing is yet to be mandated under regulatory compliance?
Vishal Dhupar, managing director, Symantec India, said: “The use of cloud computing is relatively new and is growing quickly. Consequently, organizations may have been caught off guard because they have not updated their security procedures and policies to include cloud computing and its requirements. In addition, lines of business may be circumventing IT in their efforts to realize the benefits of cloud as soon as they can. These factors present a real challenge for IT.
“Despite security concerns and the expected growth in cloud computing, most organizations lack the procedures, policies and tools to ensure that sensitive information they put in the cloud remains secure. Processes for approving cloud applications that use sensitive or confidential data need to be enforced control.”
A point of potential concern is that most organizations use conventional security tools to protect information in the cloud, even though some of those tools don’t work in cloud environments. This suggests that many enterprises don’t understand the specific security risks and remedies that cloud computing environments present.
Dhupar added: “Cloud providers and their customers must be in sync about security, but that level of maturity by and large hasn’t developed yet. Such syncing is particularly challenging because most organizations don’t have IT professionals involved in assessing cloud-related risks.”
Vamsicharan Mudiam, Country Leader – Cloud Lab, IBM India/South Africa, is of the view that: “Cloud computing auditing methods need to be mandated under the regulatory compliance and need to be re-evaluated. Compliance requires a reasonable certainty since data is not persistent in or outside of the cloud. So, saying that the cloud model will fail because it is not compliant or can’t be audited is erroneous.”
“Regulatory compliance is often an issue with cloud computing; though not impossible, it takes a different level of effort. In a cloud computing environment, though the customers are ultimately responsible for the security and integrity of their data, providers can be selected based on their compliance and transparency to track and provide information for auditing on where the customers’ data is and what parts of the network it passes through,” noted Sundararaj Subbarayalu, founding team member of Anantara Solutions.
Compliance environments such as SAS 70 – "Statement on Auditing Standards 70: Service Organizations," issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) – can be made applicable to cloud computing environments, Subbarayalu points out.
As the industry evolves and matures, more regulatory compliance environments and certifications specific to cloud computing will emerge, which might mandate compliance in the long run.
How safe is the cloud anyway?
Even recession-hit companies have been aggressively tapping into cloud computing. But the question remains: How safe is the cloud environment for these companies?
Surveys reveal that the biggest growth in cloud computing deployments is among companies with higher revenues. They are discovering the financial value - lower costs, economies of scale, and easier budgeting - of employing cloud-computing solutions for a variety of applications and situations. However, with that value come security concerns: Who is responsible for security, compliance and governance? What kind of effect does cloud computing, which is virtual rather than physical, have on these aspects?
“Investing in cloud computing is as safe for recession-hit companies as it is for others. It is only necessary for providers and potential consumers of any industry to examine the attributes of any service before deploying it within their business. In case of cloud computing, it is even more essential as it is important to establish if a business case exists within an organization for an investment in cloud computing,” said Mudiam.
“Any organization should first identify and prioritize IT issues and challenges, growth areas within an organization; next, the attributes and benefits of cloud computing should be mapped against these priority IT issues,” he felt.
Cloud hosting companies and security
With cloud computing gaining significant traction as a new IT delivery model with potential business and financial benefits, a number of cloud hosting companies now offer services. However, it is about time to do a reality check on how these hosting companies have approached security.
“As a market leader in security, storage management, data loss prevention, compliance, endpoint management, backup and archiving, Symantec is positioned to support its customers' cloud initiatives across multiple IT disciplines. By taking an information-centric approach to securing and managing information, Symantec can help organizations protect information assets as they adopt cloud computing to optimize costs and IT service delivery,” informed Dhupar.
"All service vendors, including cloud vendors like Microsoft, Amazon, Google must comply with the regulatory requirements of governmental entities within the jurisdictions where the cloud vendor operates. For instance, Microsoft’s cloud offering Azure undergoes annual audits for PCI DSS, SOX, HIPAA, ISO/IEC 27001:2005 and SAS 70 attestations," added Subbarayalu of Anantara.
“As a cloud hosting company, we deliver products, solutions and services to organizations so that they can build their own secure clouds capable of supporting enterprise-class SLAs. The company has also been enabling service providers to deliver secure cloud solutions and services to their customers. Further, it is also investing to advance the market for Cloud by driving technology innovation, open standards (addressing vendor lock-in concerns) and ecosystem development,” said Prem Nithin, principal consultant, Cisco India and SAARC.
As a cloud systems integrator, Collabera leverages the security frameworks offered by cloud vendors like Microsoft and Amazon, designing and building on framework features such as claims-aware authentication, identity federation, service bus-based discovery and integration, and SSL-based data transfers.
Both public and private cloud models are now in use and offered by IBM. In IBM’s view, a provider of enterprise-class cloud services must support a range of security and service-level options, as well as an extensible and industry standards-based security infrastructure that makes it easy to integrate with existing operations. In addition, the service provider must integrate with and extend the client’s cloud security capabilities as needed.
Conclusion
While the customers are happy with the IT and business benefits offered by cloud computing, there is a pressing need to address the associated security risks and compliance issues. Enterprises would also do well by making serious attempts to understand the specific security risks cloud computing environments present and take necessary steps toward building a secure, robust cloud!
—By: Usha Prasad. The author is a well-known technology journalist, blogger, and a part of Pradeep Chakraborty's Blog team.