Although firms have understandable qualms about its security and economic viability, the cloud is becoming a fixture of enterprise IT. Ecosystems such as Amazon Web Services, Microsoft Azure and Google Cloud Platform can distribute computing, storage and networking resources at a scale far beyond that of any self-contained IT department. Add in a pay-as-you-go business model that scales with usage, along with the allure of performing less or no infrastructure management, and it's easy to see why enterprises have welcomed cloud computing.
A 2014 survey of 1,000 IT decision-makers, conducted by RightScale, discovered that the cloud was virtually ubiquitous, with 94 percent of respondents at least experimenting with infrastructure-as-a-service and 87 percent using the public cloud, the term for external solutions like AWS and its ilk. These enterprises reported that their cloud initiatives produced savings and enabled higher service availability and better business continuity than before.
Security and compliance concerns speak to data storage difficulties
What about cloud security? The same study found that while it was a leading concern for beginners, it ranked far behind compliance and cost among experienced users. This disparity makes sense, especially when one considers how many companies first take up cloud computing services because they want to mitigate the risk of storing data and running applications on-premises with only limited infrastructure, as Trend Micro's Dan Conlon noted in 2011. Worries about security then taper off as stakeholders realize that cloud environments, however complex to manage, are often more secure than in-house IT.
Moreover, cloud management is a significant challenge for any organization – a natural byproduct of moving operations off-site and ceding control over them – but its specific forms, from performance to coordination of multiple services, vary from one enterprise to the next. Still, while compliance and security are different competencies that most acutely affect organizations on opposite ends of the cloud maturity spectrum, both require proper stewardship of data storage, which remains a weak link in the cloud chain.
Last summer's revelations of surveillance by government organizations such as the U.S. National Security Agency and the U.K. Government Communications Headquarters shined a light on the porousness of many consumer and business storage services. Users place considerable trust in cloud service providers to maintain the integrity and privacy of their assets, but it is hard to know if security is ensured:
- Hyperscale operators such as Google and Microsoft regularly receive requests from governments and courts for account information. According to Google's Transparency Report dated March 27, 2014, such inquiries are up 120 percent over the last four years, although the share of data divulged has declined slightly across the same period.
- A May 2014 study from the Ponemon Institute collected responses from more than 4,200 IT professionals and discovered that only 42 percent of them encrypted their data before putting it into the cloud. The rate for IaaS (26 percent) was much lower than that for software-as-a-service (39 percent). Overall, a growing percentage of enterprises were moving critical information to cloud environments.
- To their credit, cloud service providers have been endeavoring to make storage more secure. In 2013, Google turned on encryption by default for its Cloud Storage platform. "Zero knowledge" (meaning that no one can read an asset except its original owner) solutions like Spideroak and Wuala that give customers exclusive access to cloud encryption keys have also emerged. Still, these services may rely on middleman vendors to verify users, creating a potential opening for insiders to use faked credentials when end users try to retrieve their data via a Web portal.
Computer scientists at Johns Hopkins University recently analyzed some of these zero knowledge offerings, finding that while they are secure in principle and often in practice, there is the potential for unauthorized access. Granted, Spideroak and others have workarounds (like using a desktop client) that minimize or eliminate such risk, but enterprises still must be aware of what could happen if proper procedure isn't followed.
"[W]henever data is shared with another user or group of users [within the cloud], the storage service could perform a man-in-the-middle attack by pretending to be another user or group member," stated Duane Wilson, a doctoral student in computer science at the university, regarding a technical paper he wrote on the subject with Giuseppe Ateniese. "This would all happen without alerting the customers, who incorrectly believe that the cloud storage provider cannot see or access their data."
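The substitution Wilson describes, and the client-side encryption the Ponemon figures concern, can both be shown in a small model. The following is an added example written for this article; it is not code from the Johns Hopkins paper, Spideroak or any provider. It assumes a toy Diffie-Hellman group (a Mersenne prime with a small generator, constructed for illustration, not a standard group), an HMAC-SHA256 keystream in place of a real AEAD cipher, and hypothetical `HonestProvider` and `MitmProvider` classes standing in for a storage service's key directory. Alice encrypts for Bob using whatever public key the provider serves; the defence is a key fingerprint the two users exchange over a channel the provider does not control.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for illustration only (a Mersenne prime
# with a small generator); a real client uses a standard group or X25519.
P = (1 << 127) - 1
G = 5
KEY_BYTES = 16  # every group element fits in 16 bytes


class KeyMismatch(Exception):
    """The key the provider served does not match the out-of-band fingerprint."""


class User:
    """A client holding its own key pair; the private half never leaves it."""
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub):
        # DH shared secret, hashed down to a 256-bit symmetric key.
        secret = pow(peer_pub, self.priv, P)
        return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(pub):
    """Short key hash that two users compare over a channel the provider
    does not control (in person, by phone, in a signed message)."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


class HonestProvider:
    """Hypothetical storage service that returns the key each user registered."""
    def __init__(self):
        self.directory = {}

    def register(self, user):
        self.directory[user.name] = user.pub

    def lookup(self, name):
        return self.directory[name]


class MitmProvider(HonestProvider):
    """Hypothetical service that answers every lookup with its own key: the
    substitution the Johns Hopkins paper describes for shared data."""
    def __init__(self):
        super().__init__()
        self.impostor = User("provider")

    def lookup(self, name):
        return self.impostor.pub


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; illustration only, production code uses
    # AES-GCM or ChaCha20-Poly1305 from a vetted library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before touching the ciphertext; wrong key raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def key_is_trusted(provider, name, expected_fp):
    """True only if the key the provider serves matches the fingerprint."""
    return hmac.compare_digest(fingerprint(provider.lookup(name)), expected_fp)


def share(sender, recipient_name, provider, plaintext, expected_fp=None):
    """Encrypt client-side for a recipient whose key comes from the provider.
    With expected_fp set, a substituted key is refused before data leaves."""
    if expected_fp is not None and not key_is_trusted(provider, recipient_name, expected_fp):
        raise KeyMismatch(f"public key for {recipient_name} failed fingerprint check")
    return encrypt(sender.shared_key(provider.lookup(recipient_name)), plaintext)


if __name__ == "__main__":
    alice, bob = User("alice"), User("bob")
    note = b"constructed sample: board minutes"
    for provider in (HonestProvider(), MitmProvider()):
        provider.register(alice)
        provider.register(bob)
        fp = fingerprint(bob.pub)  # Alice obtained this from Bob out of band
        try:
            share(alice, "bob", provider, note, expected_fp=fp)
            print(type(provider).__name__, "key accepted")
        except KeyMismatch as exc:
            print(type(provider).__name__, "refused:", exc)
```

Without the fingerprint, the provider's impostor key yields a shared secret the provider can compute, so it reads the file while Alice still believes only Bob can; with the fingerprint check, the mismatch is caught before any ciphertext is uploaded. This is why Spideroak-style clients can close the gap only when key verification happens in a desktop client rather than through a portal the provider renders.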
Hybrid cloud: Dealing with the loss of control in cloud storage
Storing data in the cloud holds many risks, as the Johns Hopkins research illustrates. Rather than complete control over data, enterprises receive stipulations from providers, codified in service-level agreements. Plus, they assume the risk of data being mishandled by other third parties, even if it is a remote possibility on zero-knowledge services.
In 2012, Udo Schneider, solutions architect at Trend Micro, explained that moving IT to the cloud entailed loss of control, as enterprises might no longer sense that they had a "big red emergency security button" to push if something went wrong in-house. It's possible for this feeling of control and safety to be fostered by a cloud service provider, but the widespread confusion over who bears responsibility for data in different contexts, as well as the insufficient security coverage of many SLAs, means that it's still hard to feel completely secure.
More specifically, a vendor may state that they perform redundant backup of data, yet, as Infoworld's Roger Grimes has pointed out, there have been incidents of data loss despite such guarantees. In this context, it's unsurprising that many enterprises are turning to hybrid cloud architectures to shore up their positions. Hybrid infrastructure bridges on-premises systems with a public cloud ecosystem like AWS or Azure. The aforementioned research from RightScale found that three-fourths of respondents already had a hybrid strategy.
Enterprises should press their providers about how access controls are implemented and what kinds of encryption are used. By picking a service that maintains a level of security in line with their requirements, organizations can get on the road to a secure, high-performing hybrid cloud.