Cloud security needs to improve, analysts warn
With businesses trusting third-party cloud providers with little scrutiny, the onus is on the providers to be transparent about risk
Tech4Biz | 03 May 2012
Cloud providers ought to provide data security; that much should be obvious. But some providers, along with some security analysts, maintain they ought to be doing more, such as educating their customers about best security practices.
Not that all providers are providing the basics themselves. CenterBeam, a managed services provider for midsize businesses, recently reported that a recent security test of cloud providers found that some were not securely separating virtual servers located on shared hard disks. This vulnerability would allow an attacker to access fragments of customer data and possibly gain control of other servers.
A more common problem, according to the 2012 Information Security Breaches Survey (ISBS), is that businesses are simply putting their data in the hands of third parties with little or no scrutiny. It found that 34% of small businesses were allowing personal mobile devices to attach to networks, but without putting proper bring your own device (BYOD) policies in place.
The survey, by PricewaterhouseCoopers in conjunction with Infosecurity Europe and supported by the UK Department for Business, Innovation and Skills, found that 73% of organisations are using at least one outsourced service over the Internet, but only 38% ensure that data being held by external providers is encrypted.
According to the Cloud Industry Forum (CIF), encryption may not be enough, or may not be the right solution.
In some cases, the organisation says, access control, firewalls and VPNs may be more efficient and cost less than encryption. CIF Chairman Andy Burton, speaking last week to BusinessCloud9, said cloud providers need to do a minimum of three things:
- Be clearer up front with their prospects and customers about their approach to security and what options are available to adapt it, without compromising security in the process.
- Communicate in standardised language about classification of security risks and solutions, allowing procurers to compare different providers easily when making purchasing decisions.
- Educate end-users on what they need to look for technically, commercially and legislatively to ensure data security when migrating to a cloud-based solution.
CIF spokesman Richard Merrin, managing director of Spreckley Partners, says one goal of the organisation is to "help end users identify critical information that can aid their selection of cloud service providers. In that sense it aims to clear up the confusion and FUD [Fear Uncertainty and Doubt] in the market."
It is also good business, he says. "What is right for one company with one specific application may not be right for another," Merrin says. "The suppliers that will succeed in the market over the long-term are those that recognise and embrace this and provide confidence and clarity to their customers and prospects."