Cloud data needs to be tracked to ensure security

By Derek du Preez

15 Sep 2011

Cloud service providers should layer their infrastructure to better protect their data and alleviate security concerns, according to Imperial College London lecturer Dr Peter Pietzuch, who was speaking at a Westminster eforum event yesterday.

Pietzuch told delegates at the event, "Cloud computing - security, market development and prospects for the g-cloud", that the current security model for the cloud is not transparent enough, meaning software developers who want to deploy their applications in the cloud do not know enough about their provider's security.

"You are given certain guarantees in terms of data confidentiality, integrity, secure auditing and resource isolation, but what is not transparent is how cloud providers actually enforce these," he explained.

"Our research at Imperial College aims to provide a cloud platform that can automatically detect security violations caused by either a flaw in the applications or in the cloud platform being used," he added.

"We would like to move to a model where if you deploy a cloud application it comes with a cloud security policy.

"This means there will be a specification around the type of data protection guarantees required and the cloud infrastructure will automatically enforce a standardised set of policies."

Pietzuch argued that service providers should pursue a data-centric approach to security, which would see data being tracked across the different cloud software components.

"If you consider a multi-tenanted cloud environment, where there is a particular application that consists of multiple software components, what the cloud can do is actually track the path of the user data within the cloud infrastructure," said Pietzuch.

"So, now that the cloud understands which components were exposed to sensitive data, it can isolate those components and prevent security problems," he added.

"For example, if there is a flaw in an implementation of a software component that leads to an unauthorised leakage of sensitive data, the cloud infrastructure is able to prevent the flow of this information [essentially locking it down], because it understands that this component has had access to sensitive data."
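The tracking model described above can be illustrated with a small label-propagation sketch. This is an added example, not code from Imperial College's platform; the component names, the `patient-record` label, the sink names and the component-level granularity of the tracking are all assumptions made for illustration.

```python
"""Data-centric flow tracking: labels follow data between components."""

class Platform:
    def __init__(self, policy):
        self.policy = policy   # label -> external sinks allowed to receive it
        self.exposed = {}      # component -> labels it has handled
        self.audit = []        # (component, sink, decision, offending labels)

    def ingest(self, component, labels):
        """User data enters a component carrying sensitivity labels."""
        self.exposed.setdefault(component, set()).update(labels)

    def flow(self, src, dst):
        """Internal hop: the receiver inherits every label the sender has seen."""
        carried = set(self.exposed.get(src, ()))
        self.exposed.setdefault(dst, set()).update(carried)
        return carried

    def egress(self, component, sink):
        """Mediate data leaving the platform; deny if any label forbids the sink."""
        denied = sorted(label for label in self.exposed.get(component, ())
                        if sink not in self.policy.get(label, ()))
        self.audit.append((component, sink, "DENY" if denied else "ALLOW", denied))
        return not denied

    def exposed_to(self, label):
        """Components to isolate when an incident involves this label."""
        return sorted(c for c, seen in self.exposed.items() if label in seen)


def demo():
    # Constructed policy: patient records may only leave via the clinician portal.
    cloud = Platform({"patient-record": {"clinician-portal"}})
    cloud.ingest("frontend", {"patient-record"})
    cloud.flow("frontend", "report-builder")
    cloud.flow("report-builder", "cache")   # cache is now tainted transitively
    cloud.ingest("metrics", set())          # never touches patient data
    return {
        "portal": cloud.egress("report-builder", "clinician-portal"),
        "leak": cloud.egress("cache", "third-party-analytics"),
        "clean": cloud.egress("metrics", "third-party-analytics"),
        "isolate": cloud.exposed_to("patient-record"),
        "audit": cloud.audit,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `cache` component never received patient data directly, yet its outbound flow is denied because the platform, not the component, decides on the basis of what the component has been exposed to.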

He said it is "naive" to assume one security method will solve all data protection problems in the cloud, and that there needs to be "multiple layers of defence".

"We should also create individual compartments within the cloud infrastructure, so when there is a security incident we can essentially limit its scope," he explained.

Imperial College has been working with the NHS to use the ideas Pietzuch discussed at the eforum, in the hope of creating secure healthcare applications.

Despite Pietzuch's research and his arguments that security in the cloud could be improved, he also said the industry perception of cloud security is very "skewed".

"A good analogy would be the difference between plane travel and car travel. Objectively, we know plane travel is safer per mile travelled than car travel.

"However, at the same time, more people feel anxious when they board a plane than when they take a car," he said.

"Similarly, we know cloud providers invest a lot of energy on securing the cloud infrastructure.

"They have substantial resources and the type of security mechanisms they can provide are probably better than traditional in-house security solutions," he added.

"At the same time, of course, cloud providers are collecting sensitive data from many different users, so the surface of attack is much larger and there is more incentive for criminals to attack the cloud. A single big security incident could potentially ruin a cloud provider's reputation."

Reader comments

Cloud security depends on the specific model deployed

Agreed, more technology could be used to build layers within infrastructure to better protect cloud service providers’ data and alleviate the much talked about end user security concerns. A point must be made however, about the fact that within “cloud data” comes a plethora of different cloud models, and with each separate component, there are different conversations to be had.

Indeed the security concerns that have been raised about public cloud services will differ considerably to those that have been raised about private cloud models. With a private cloud service for instance, the client is able to specify every last detail of the infrastructure supporting its data and applications, from the make and model of the hardware, to network management tools and firewalls.

The client can also be shown exactly where their data is to be held, which is typically hosted in a highly secure, Tier 3 or Tier 4 data centre environment within the UK. Such is the extent of the client’s visibility of their private cloud service that they can even be given a tour of the premises of the specified data centre, so that they can be confident that their supplier is hosting their data exactly where they want it to be hosted.

Concerns over the current security model not being transparent enough surely cannot therefore relate to private cloud services, as indeed, far greater levels of visibility are attained compared to the equivalent public cloud or on-premise solutions.

Keith Bates
Chairman
The Cloud Computing Centre
www.cloudcomputingcentre.co.uk

Posted by: Keith Bates  22 Sep 2011

But are the providers really committed to security?

I agree with Dr Pietzuch when he said in part of his conclusion that cloud providers “... have substantial resources and the type of security mechanisms they can provide are probably better than traditional in-house security solutions”.
This means that on the whole, cloud solutions should be more secure than the average datacenter is able to provide in-house.
That being said, two things should be considered. The first is that, with an in-house solution, the risk is “all mine”. Most organisations will still be unwilling to offload their risk to a third party even if they believe the service is more secure – it is all to do with control. This has of course led to the significant uptake of the Private Cloud, particularly in large enterprises.
The second consideration is the lack of effort that the Cloud providers are actually putting into security. In recent research performed by CA Technologies with the Ponemon Institute, it was revealed that:
• Less than 20 percent of cloud providers across the U.S. and Europe view security as a competitive advantage. Fewer than 30 percent of respondents consider security as an important responsibility. Less than 27 percent of respondents feel their cloud services substantially protect and secure customer information.
• The majority of cloud providers (69 percent) believe security is primarily the responsibility of the cloud user.
The balance between “Trust” and “Risk” has not swung as far in favor of the cloud providers as they would like.

Posted by: Chris Rae  17 Sep 2011
