Clouds of confusion – Interoute’s view on Cloud Security

It’s easy to forget from the constant barrage of marketing messages and hype that heralded the arrival of cloud computing that we’re still in the early days of enterprise adoption. Given the wave of enthusiasm that carried the cloud message to all corners of the IT world, it’s also not surprising that there is a still great deal of confusion regarding what cloud computing actually is, says Gareth Williams, CEO at Interoute

What is broadly accepted though, is that cloud computing has the ability to fundamentally change an organisation’s IT for the better. The cloud effectively frees the enterprise from its responsibility for directly managing large parts of its IT infrastructure. Instead, it allows businesses to benefit from increased efficiencies and flexibility by moving IT infrastructure into a shared resource, managed by a trusted third party that is the ‘cloud’.

Adding to this confusion is the variety of services available from cloud computing. The most commonly talked about is Software-as-a-Service (SaaS), where business applications like desktop productivity, accounting, collaboration and enterprise resource planning are delivered to the users desktop on demand (think streamed video rather than physical DVD). At the other end of the cloud is Infrastructure-as-as-Service (IaaS), which enables organisations to purchase processing, operating systems, storage and networking on a utility basis.

The over-emphasis on the freedom that the cloud brings, seems to have left many believing that it really does have the ability to fly or at least that it does not have to be grounded by any kind of physical asset, but rather exists, Zen like, floating within the internet in an open access environment. Understandably this has lead to deep-routed concerns over the suitability of the cloud to hold sensitive and confidential data securely. But even with SaaS and IaaS the software, applications and physical infrastructure have to exist somewhere and to travel from that place to the people who want to use it requires a physical delivery platform. And it is this that dictates how the secure the cloud really is.

Is life in the cloud inherently insecure?

Three out of four businesses think so, rating security in the cloud as their biggest challenge. Whilst it is fair to say that sharing resources from a vast, undifferentiated pool of servers and switches carries its own real risks, it is the path to the cloud that businesses need to chew over first. Any cloud, however secure, that relies on the public internet to connect it is exposing its data to unnecessary risk. CIO’s and CTO’s are right to be cautious when faced with highly unpredictable access through the internet, where service level guarantees are non existent and the access is, well, ‘public’.

One alternative to a public cloud environment is the private cloud. Private clouds do not cross the public internet; they enable the same high level of protection of established private networks, but with the flexibility of an internet access model. Whilst a few question whether the private cloud is a misuse of the term ‘cloud’ due to its inference around open accesses shared resources, the principles of pooling resources and on-demand service are ever-present in this scenario. By taking a slice of an IP network that is separate and securely partitioned from the internet, organisations can benefit from service level guarantees around the availability and performance of their computing resources.

For corporations, this is the biggest advantage of the private cloud – vastly improved security, with the flexibility of the public cloud. Often created from privately owned infrastructure where access is tightly controlled and guarded, private clouds are much more suitable where data security is essential.

Security: back to basics

It might be a simple premise, but data in the cloud is like any other data governance issue: if it is poorly managed then it will be insecure; if it is properly managed then it is more secure. The cloud doesn’t naturally make your data vulnerable; security remains a function of how you control access to the data, the defences remain the same.

Unlike the public internet, security measures such as DDoS protection, firewalls, and intrusion detection and prevention technologies should come as standard in private clouds. There are legislation stamps to monitor whether the latest security measures are adhered to. By classifying data and then building the right layers of protection around it, organisations can be assured that their assets are secured.

Security comes at a price – build or buy?

The very fact that private clouds are built on assured and dedicated infrastructure to guarantee control and greater security, generally means that building a private cloud is the more expensive option. After all, purchasing the infrastructure resource and the power to transform a data centre into a private cloud, not to mention centralising computer and storage systems, requires significant capital.

The downside is that these clouds generally don’t deliver the key advantages of cloud computing: open access to your community, efficiency and the ability to rapidly flow data and computing resource over your “own private internet” to the entire business.

These are best served through finding a provider that can give you the privacy you need but the flexibility of the internet based solutions. Using a providers Private IP network enables your network to access shared corporate computing resources, whilst remaining separate and secure from the internet. Private clouds bought in this way, as a service, build cloud computing into your corporate network infrastructure, offering a secure controlled cloud environment with guaranteed higher availability, inherent disaster recovery, as well as flexible and scalable capacity.

This model enables organisations to benefit from a greater level of protection than a DIY private cloud, but with the flexibility of an internet delivered model.

Between the ground and the cloud– hybrid cloud

As the name suggests, the hybrid cloud sits between public, private and more traditional ways of managing IT. If your IT department has just invested in physical infrastructure or if you’re running an application that won’t run on a cloud based service then you can create a “hybrid cloud” allowing you to push some of your data into a private or public cloud. This will be a very common situation for many as they move from the traditional capital and manpower intensive model of managing ICT infrastructure, to the more flexible, cost effective and immediate delivery of the cloud.

Conclusion: The ground beneath the cloud

There is no getting away from the fact that cloud computing services are still developing. And, until the fog of confusion surrounding cloud computing and its security implications clears, there will be those reluctant to adopt it. That said, the benefits – flexibility; scalable costs; and, enhanced performance; are too good to ignore.

Who doesn’t need the flexibility to migrate, change and re-organise their IT world as the business needs change? Is there any CIO out there not wanting to scale their IT costs according to volume and usage? Moreover centralising the physical technology and improving efficiencies by outsourcing the maintenance and support just makes plain sense.

But organisations don’t just have to maintain security levels; they need to improve them. Simultaneously, they must increase access and transparency internally and externally. While business executives have long realised that access to required information everywhere enhances productivity, up until now, many organisations have had to choose between security and efficiency.

The secret to unlocking the cloud, and getting both, is ensuring they understand how their cloud is accessed and connected, in essence who controls the ground beneath the cloud. Then, for the organisation as a whole, or within the divisions or applications being supported, they can select the cloud delivery platform that matches their security requirements.

Guest Post by Gareth Williams, CEO at Interoute

Improve our visibility and share this article with your friends !
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • RSS
  • Slashdot
  • Twitter
About Vendor

This article is provided by a security vendor. ITsecurity.be is not related to the vendor or the author involved and does not have any responsibility about the contents this article. ITsecurity.be does not necessarily share the viewpoints in the article.