Security in the cloud

eolas examines typical cloud security concerns and the measures that the industry and regulators are taking to prevent breaches.

While Irish companies may be embracing the cloud, security concerns remain. A PwC survey of 100 Irish chief information officers and IT directors in February found that 21 per cent were adopting a ‘wait and see’ approach towards moving to the cloud, with 32 per cent having only adopted a cloud strategy for non-critical systems.

The key barrier to adopting the cloud was lack of confidence in security and data privacy (37 per cent), while a further 20 per cent had concerns over regulatory compliance and intellectual property. Seventeen per cent said that the return on investment was unclear.

Among the main security concerns of cloud users, in general, are of potential breaches of security and of privacy laws (possibly inadvertently). Users can also feel uncertain over their legal role and that of the cloud provider regarding security responsibilities. It is expected that many companies will opt for hybrid clouds until privacy and compliance aspects of cloud solutions become more commonly embedded.

Access to data and clarity on whether a provider can change (at their discretion) the terms and policies of a service are also considered potential problems. Regulatory worries can arise when a provider hosts personal information for a company in a different jurisdiction to that in which the information was collected.

Cloud-based systems are also vulnerable to cyber attacks. Attacks can be initiated from within the cloud by taking control of or buying a virtual private server (VPS) in a matter of minutes. The purpose is a one-time attack before disposing of the VPS.

Attacks such as cross-site scripting and SQL injection attacks (database attacks through a website) can occur more often with the software as a service model (where the software and data are hosted centrally) due to a user’s interaction with the cloud. The cloud’s resource elasticity, however, is seen by some as ensuring greater resilience to distributed denial of service (DDoS) attacks.

Meanwhile, a cross-government implementation group on cloud computing is due to report to Enterprise Minister Richard Bruton “very shortly”, a department spokeswoman told eolas. It is examining privacy and security aspects of cloud computing usage, current legislation and how to ensure a supportive regulatory environment for cloud computing.

The Government is backing the creation of a cloud innovation centre which will see IDA Ireland and EMC constructing a cloud centre with hubs in government networks and in EMC’s data centre (see page 48).

At EU level, new data protection proposals will cover cloud computing, specifically over data control and personal data handled abroad by companies that are active in the EU market. Reform was deemed necessary as the 1995 Data Protection Directive is seen as out of date, with the Commission claiming that member states have too much flexibility in data protection and privacy law. The industry says that the current financial and administrative burdens of complying with different data protection regimes are costly.

The industry is developing services aimed at improving cloud security. Among these are advanced data encryption security services. The separation of encryption keys (accessible only by the data protector and the customer) from the service provider is seen as providing additional security.

A global collaborative project, supported by multi-nationals, professional organisations, standards setting bodies and others has produced a ‘common assurance maturity model’. This involves a certification level for cloud providers that can help when selecting a vendor.

Threat information tools are expected to become more popular as they provide pro-active monitoring around cloud environments and on-demand reporting on both compliance and threat levels.

With the appetite for the cloud strong in Irish business, the roll-out of security solutions will remain necessary to assuage the concerns of those yet to embrace the technology.