Cloud security: Better than you think

Security is almost always cited as the primary inhibitor to wider cloud adoption by businesses.

For example, more than three-quarters (77 percent) of 390 IT pros surveyed think the use of cloud computing makes it harder to protect privacy, and 50 percent worry about a data breach or loss, according to the 2011 IBM Global Business Resilience and Risk Study. (s ibm)

Well, those IT pros need to get over it, said Joe Coyle, CTO of Capgemini, the system integrator and IT consultant.

“Everyone is screaming for an accepted security model for the cloud, and I think it’s already here. People just need to take a deep breath,” Coyle said in an interview this week.

On the technology side, his only concern is at the hypervisor level, and even there, it’s not so much about security as it is about auditing. “You need good reporting and auditing tools so that providers can prove that virtual machine A doesn’t encroach on virtual machine B,” he said.

Virtualization is great at carving up a physical environment into multiple pieces, but moving that technology into a shared environment opened a whole can of worms where people worry about overlapping partitions and other things. Those tools are now becoming available, he said.

Whether companies run their technology in-house, in the cloud or a combination, they need to make sure they (or their proxy) run a hardened, properly patched operating system; that idle CPUs are shut down; that files are encrypted; and that firewalls and DMZs are up to date and working.

Bulletproofing SLAs for the cloud

Companies also need to make their service level agreements (SLAs) reflect those expectations for performance, uptime, etc. and clearly delineate which vendor (or cloud provider) is responsible for which pieces of the puzzle. That’s not all that different from how SLAs should be negotiated and written by companies with in-house data centers running hardware, software and networking gear from multiple vendors.
A big caveat here: Large public cloud providers, like Amazon(s AMZN), don’t negotiate SLAs, so this discussion revolves around enterprise, private or co-located clouds.

People think SLAs are a bigger deal in the cloud, but the principles are the same, Coyle said. Just as with security, a company needs to break down the layers of its stack from the operating system and hypervisor to the file systems, the network, the applications. Then it needs to lay out who has  responsibility for each tier and component within that tier clearly. Layering the cloud atop existing IT doesn’t change any of that and reinforces the need for very detailed SLAs.

“The famous example is ‘I can’t be down for more than two hours,'” Coyle explained. “Well, what do you mean by ‘down?’  If you can’t get to your data, is that because your building [itself] is down or is it the connection to an outside data center?”

IT pros for the buying company need to spell that out in advance and in as much detail as possible so the SLAs are enforceable, Coyle said.

Photo courtesy of Flickr user rpongsaj