How reliable and secure is data stored in the cloud? This is a critical perception – and reality – that must be addressed by cloud computing providers and users, in order to foster confidence in the cloud model. What can be done, and what is being done, to improve both the perception and the reality of cloud security and reliability?
One of the principal concerns about cloud computing is the reliability question, and this is certainly a case where when a tree falls (i.e. an outage occurs and data/services/processing capacity are unavailable), everyone hears the sound. Unfortunately, worries over cloud reliability and availability – or specifically, the lack thereof when such instances arise – are not just theoretical. There have been well-publicized outages of many of the most popular public cloud services, including Gmail and Google Apps, Apple’s MobileMe service and Amazon’s S3 cloud service. And, as one commentator astutely pointed out, when cloud service outages or inaccessibility occur, “most of the risk and blame if something goes wrong will fall directly on the shoulders of IT — and not on the cloud computing service providers.”
For private sector IT executives, there is a reluctance to shift core, mission-critical data storage or applications to public cloud environments, even if the cost savings and efficiency arguments are there, over concerns about the reliability and security of cloud offerings. Take for instance the case of the Princeton, New Jersey-based Educational Testing Service, which administers the SAT and other standardized tests. While the Educational Testing Service uses Software as a Service platforms from Salesforce.com and other vendors for non-core functions, the firm’s Chief Information Officer, Daniel Wakeman, recently expressed his reluctance to shift data storage and processing for the tests themselves to a cloud environment. This is in spite of the fact that due to the highly cyclical nature of test administrations, scoring, and reporting around specific testing schedules throughout the year, the Educational Testing Service has an average server utilization rate of just around eight percent, making the firm a prime candidate for acquiring computing resources on-demand. Wakeman simply stated that due to security issues which have yet to be worked out in what he and others perceive to be an “immature market,” Educational Testing Service will monitor developments in the cloud marketplace and “not (be) putting anything up there that we really care about.”
Cloud providers typically guarantee a particular benchmark for the availability of their services through what are known as service-level agreements (SLAs). Yet, for all the reliance on service-level agreements, there is misunderstanding as to what they really guarantee – and what can be done should a cloud provider fail to live up to their promises. In many instances, collecting on the rebate provided for in the SLA may not be a routine matter. It also may not mean much if the outage comes at a critical moment that no amount of money can make up for. As one commentator opined, “Frankly, I think SLA and $3 will get you a coffee.” Still, avoiding cloud computing solely on the basis that service-level agreements invariably can’t cover actual business losses from downtime or outages is a rationalization, not a reason for not engaging the cloud computing model.
One of the truths about cloud computing is that in-house IT can rarely match the service levels provided by commercial cloud providers. For a cloud provider to offer a service-level agreement with “four-9s performance,” they would be guaranteeing 99.99% up-time. In “real life,” four-9s availability translates into just 52 minutes of downtime per year! If there were more downtime or unavailability than that 0.01%, then the cloud provider would be liable for penalties or rebates. To assure this level of service, cloud service costs typically rise as the service-level agreement escalates from 3 to 4 or even, now, some “five-9s” levels of performance. Service-level agreements have been criticized for not protecting cloud procuring organizations from a loss of system up-time, but protecting cloud providers from financial and legal exposure due to their failure to deliver. As such, they have been labeled as only applying “after-the-fact” and basically being a vehicle for lawyers to argue over after the damage is done.
For the public sector, service-level agreements may be especially vacuous if a data breach occurs and a law is broken – as the bar is raised much higher for a government client. As analyst Eric Chabrow recently commented, in such instances:
“The government doesn’t have the luxury of just saying, ‘Oh, give me my money back.’ They need to follow laws that have been specifically laid out to protect national security, to protect personal liberties; so, it’s really not just a commercial transaction. They really need to understand the details within these infrastructures. It’s not enough to say, ‘Oh, yes, it’s secure.’ The government has to understand how it is secure, why it is secure, what are the risks. If the government can’t see that, then it’s very difficult for them to leverage that type of service.”
Cloud providers invest a great deal in their systems to provide for reliability and assure that their services – and user data – will be available on demand. For instance, Amazon Web Services has a feature in its EC2 (Elastic Compute Cloud) dubbed “fail-over,” where if a user’s application fails to run in one of Amazon’s data centers, a second center will automatically take over and run the application. There are even early versions of cloud applications that can be run offline – in the absence of a network connection. Developments in this area would enable cloud computing to move to the edge of the network and be functional in remote areas where there is spotty connectivity – defeating one of the exclusionary rationales for not making use of cloud-based offerings.
Analogies have been drawn between the advent of cloud computing today and the introduction of wireless technologies a decade ago. As Ron Ross, Director of Security for the National Institute of Standards and Technology recently observed, “When wireless came along, we didn’t really know a lot about how to protect it, but we developed that understanding as we went forward, and now we do a pretty good job of protecting wireless.” However, Wyatt Kash, who is the Editor-in-Chief for Government Computer News, warned that the shift to cloud computing could be slowed by what he termed as “a darker cloud of Internet security vulnerabilities.”
As the reliability of a cloud provider’s system is of utmost concern for public IT executives considering shifting functions and data to the clouds, security is a front-burner issue as well. Indeed, the security of cloud computing is an issue that will inevitably “blow-up” each time data breaches occur in cloud offerings and hit the media. If a cloud provider sees a data breach occur, this calls into question the efficacy of storing files and information on-line, causing huge security concerns for all affected users and not just the target cloud provider, but indeed, the whole cloud computing universe, which could be painted with a broad brush in such security matters. Yet, as Stephanie Condon recently observed, “Perfect security on the cloud is an illusory goal…and the vulnerabilities of the cloud will have to be weighed against (its) benefits.” Indeed, many security experts believe that the notion of putting more data and more applications on the Internet via the cloud model could present vast new opportunities for criminal activity through identity theft and misappropriating intellectual property, hacking, and other forms of malicious activities.
Cloud providers have been characterized as addressing such security concerns by going “over the top” with their physical and data security measures, which one writer labeled as measures that “could easily outdo anything ever seen on Mission: Impossible.” For instance, Salesforce.com’s data center employs “five levels of biometric hand geometry scanners and even ‘man trap’ cages designed to spring on those without the proper clearances.” This is evidence that cloud providers are very much aware of and attuned to both their clients’ concerns in the security area and the legal and regulatory risks that are being taken on by both the client and their firm by accepting a sizable portion of the client’s IT operations (Golden, 2009c).
There are signs that there is some backlash against cloud providers to improve their security safeguards and practices. For instance, in response to a data breach that occurred with Google Docs, The Electronic Privacy Information Center (EPIC) asked the Federal Trade Commission (FTC) to investigate Google’s privacy and security measures for Gmail and Google Apps. Likewise, the Constitution Project, concerned that a user’s personal information has weaker privacy protections in the cloud than when contained on a single device, has called for the cloud computing industry to set privacy standards and for the Congress to examine the privacy issues as well.
And for the concerns about security and privacy, centralizing operations in a cloud environment may not just make computing more secure, but make compliance easier – and cheaper – as well. From the viewpoint of the federal government’s CIO, Vivek Kundra, “When you look at security, it’s easier to secure when you concentrate things than when you distribute them across the government.”
Yet, as Bernard Golden recently observed, those who view cloud computing as too risky may be “overly optimistic” in their view on how well their own security and risk management efforts work – both in reality and in comparison to the cloud model. He remarked that: “This attitude reflects a common human condition: underestimating the risks associated with current conditions while overestimating the risks of something new. However, criticizing cloud computing as incapable of supporting risk management while overlooking current risk management shortcomings doesn’t really help, and can make the person criticizing look reactive rather than reflective.”
In the end, improved cloud security measures, combined with enforceable and meaningful service level agreements, may garner more confidence in the cloud model. Time is also on the side of the proponents of cloud computing, as the rising generation in the information technology workforce – comfortable in their use of and reliance upon a whole host of web-based tools and services – will be much more willing to shift operations and data to the cloud than will be the current generation of computing decision makers. They see their older peers’ reliability and security concerns regarding the use of cloud computing as “exaggerated and quaint.” Thus, in a matter of a few short years, we may come to see the cloud as a more reliable and more secure version of computing than what is available in-house and on our desktops and laptops today.