McDonald presented IBM’s perspective on cloud security at CIO Canada’s Frankly Speaking Breakfast Series in Toronto last week, where IT executives gathered at the Fairmont Royal York Hotel for a panel discussion on cloud computing risks.
“Security is usually the No. 1 concern for any new IT solution, but the additional external aspects of the cloud exacerbate this concern,” he said.
“One question I’m asked constantly is, ‘How secure is my data? If it’s sitting on somebody else’s site, what’s preventing some disgruntled employee from going out and selling it to my competitors?’” noted attendee Perry Brock, managing director of Thornhill-based Venture Consulting Inc.
Data centre concerns have evolved from outsider to insider attacks, from perimeter to layered defense, from infrastructure protection to data-centric protection, and from issues with identity management to federated identity management, McDonald pointed out.
Cloud data centres mark the next evolutionary step, with concerns focusing on ubiquitous attacks, asset-based defense, business asset protection and trust management. The future will include new threats from “the guy in the cloud right next door to me,” he said.
McDonald’s slide presentation provided suggestions for dealing with high-level cloud security concerns such as control, reliability, compliance, security management and data security.
Cloud providers need to provide a “high degree of security transparency” to ease concerns regarding limited control and “comprehensive auditing capabilities” for compliance.
Reliability requires high availability. “IT departments will worry about a loss of service should outages occur. Mission-critical applications may not run in the cloud without strong availability guarantees.”
To deal with security management issues, “providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.”
“Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure,” so “authentication and access technologies become increasingly important.”
The risks and migration costs associated with database, transaction processing, ERP and highly regulated workloads might be too high for enterprises, according to McDonald.
But the cloud can work for web infrastructure applications, collaboration infrastructures, development and testing and high performance computing, he said.
McDonald referred to IBM’s Resilient Cloud program for further advice. Announced last fall, the consulting service “validates the resiliency of cloud computing infrastructures” and helps businesses determine whether the services from a potential cloud provider will match up with their business policies.
Jimmy Abraham, VP of IT, Support and Deployment at BroadSign International Inc., joined McDonald in the panel discussion.
“Using cloud services changed how we provide them,” said Abraham. One lesson BroadSign learned was to expose security practices, such as sharing a disaster recovery plan with clients. Another is finding balance between vendor and client security policies.
BroadSign, which delivers SaaS solutions for digital signage, requires its player to reach out to a server over the Internet. But one particular network had a very tight policy that didn’t allow an open connection to the Internet, Abraham explained.
“They didn’t allow that, so they funnelled everything through one point. We established a point-to-point VPN with them to comply with their security,” he said.
McDonald suggested a couple of ways enterprises can use their experience with external cloud providers to improve internal security.
“When you move out to an outside provider, you need to be more disciplined. As you learn that discipline, bring it in-house as well … use the factor to moving into the environment where you need to be more disciplined to be more disciplined in-house,” he said.
Enterprises can also benefit by simplifying security. “Cloud computing also provides opportunities to simplify security controls and defenses, such as identity management … encryption services you can use internally as well,” he suggested.
Cloud computing can be a catalyst for within the organization, according to McDonald.