TORONTO – A little while ago, a CIO friend of Richard Reiner’s asked him to review an agreement the CIO’s company had signed with a service provider. The contract had been set up by the CIO’s predecessor, and he wanted Reiner to confirm that it actually addressed security.
“It did some security aspects – that was a good start, because not all of them do,” said Reiner, CEO of Toronto-based consulting firm Enomaly. “But when you looked at it very carefully, what it boiled down to is that the integrator had undertaken to have firewalls. Not that they would plug in the firewall, not that they would upgrade them, but that they would have them.”
Reiner, who sat on a panel at the Security Practitioners’ Conference this week, was using the story to illustrate the challenge of safeguarding IT with third-party providers of cloud computing infrastructure. While cloud computing offers the potential to deliver IT resources in a utility model, there have been ongoing questions about whether having service providers host data or virtual infrastructure would increase enterprise vulnerability to downtime, data loss or worse.
Chris Hoff, technical advisor to the Cloud Security Alliance and director of cloud and virtualization solutions at Cisco Systems, said many IT departments already recognize that cloud computing security is less than perfect.
“If (service providers) can deliver an acceptable service level, good enough is good enough,” he said. “I think we’re going to see more and more of that attitude, especially as people are trying to cut costs.”
Even if companies could find service providers that provided the highest levels of security and information protection, they may not be happy with the result.
“What you could end up with is something slow and bureaucratic and all the things that people complain about,” he said. “Some people are more focused on performance and price, even at the expense of security.”
Security is not just up to the service provider, though, said Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems.
“I’d like to see a lot more coming from the OS vendors, where they could create hardened versions of their operating systems,” he said. “Why couldn’t we see more security-hardened stacks for Drupal, Oracle?”
Enterprise IT departments could also minimize their risks based on what kind of workloads they put in the cloud, Brunette added. These could include resources devoted to development or quality assurance or historical data being used for analytics. “You could even use high-performance computing workloads that aren’t mission-critical,” he pointed out, such as the movie rendering done by entertainment companies.
Much like any other kind of outsourcing or vendor relationship, cloud computing requires due diligence and going through a standard list of business scenario planning, said Doug Howard, chief strategy officer at Perimeter eSecurity and president of USA.Net. A big issue is assessing the long-term viability of cloud providers, especially given the uncertain economy.
“I think we’re starting to see who are the real players. This is still new,” he said. “It all comes down to what you’re comfortable with, but providers are pretty candid about reporting, risk and compliance.”
No matter how a cloud computing arrangement is set up, security needs to remain a CIO responsibility first and foremost, Hoff added. “We’re transferring responsibility but not accountability,” he said.
The Security Practitioners’ Conference ran in tandem with the Open Group’s Enterprise Architecture Practitioners’ Conference on Wednesday.