15 Sep 2011
Cloud service providers should layer their infrastructure to better protect their data and alleviate security concerns, according to Imperial College London lecturer Dr Peter Pietzuch, who was speaking at a Westminster eforum event yesterday.
Pietzuch told delegates at the event, "Cloud computing - security, market development and prospects for the g-cloud", that the current security model for the cloud is not transparent enough, meaning software developers that want to deploy their applications in the cloud do not have enough knowledge of that provider's security.
"You are given certain guarantees in terms of data confidentiality, integrity, secure auditing and resource isolation, but what is not transparent is how cloud providers actually enforce these," he explained.
"Our research at Imperial College aims to provide a cloud platform that can automatically detect security violations caused by either a flaw in the applications or in the cloud platform being used," he added.
"We would like to move to a model where if you deploy a cloud application it comes with a cloud security policy.
"This means there will be a specification around the type of data protection guarantees required and the cloud infrastructure will automatically enforce a standardised set of policies."
Pietzuch argued that service providers should pursue a data-centric approach to security, which would see data being tracked across the different cloud software components.
"If you consider a multi-tenanted cloud environment, where there is a particular application that consists of multiple software components, what the cloud can do is actually track the path of the user data within the cloud infrastructure," said Pietzuch.
"So, now that the cloud understands which components were exposed to sensitive data, it can isolate those components and prevent security problems," he added.
"For example, if there is a flaw in an implementation of a software component that leads to an unauthorised leakage of sensitive data, the cloud infrastructure is able to prevent the flow of this information [essentially locking it down], because it understands that this component has had access to sensitive data."
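The data-centric model described above, where an application ships with a policy and the platform tracks which components have touched sensitive data, can be sketched as follows. This is an added illustration, not code from the Imperial College platform: the Platform class, the component names, the "patient-record" label and the policy format are all hypothetical.

```python
from dataclasses import dataclass, field

class FlowDenied(Exception):
    """Raised when the platform refuses to deliver labelled data."""

@dataclass
class Component:
    name: str
    labels: set = field(default_factory=set)  # sensitivity labels this component has seen

class Platform:
    """Hypothetical cloud layer that mediates every message between components."""
    def __init__(self, policy):
        # policy (shipped with the application): label -> receivers allowed to get it.
        # A label with no entry may flow nowhere (default deny).
        self.policy = policy
        self.components = {}
        self.audit = []  # blocked flows, kept for later review

    def register(self, name):
        self.components[name] = Component(name)

    def ingest(self, dst, labels):
        """User data enters the cloud at component dst carrying the given labels."""
        self.components[dst].labels |= set(labels)

    def send(self, src, dst):
        """Deliver a message from src to dst (a component or an external sink)."""
        # Coarse tracking: everything src emits carries every label src has seen.
        carried = self.components[src].labels
        denied = sorted(l for l in carried if dst not in self.policy.get(l, set()))
        if denied:
            self.audit.append((src, dst, denied))
            raise FlowDenied(f"{src} -> {dst} blocked for {denied}")
        if dst in self.components:
            self.components[dst].labels |= carried  # dst is now exposed too

    def exposed(self, label):
        """Components that have had access to data carrying this label."""
        return sorted(n for n, c in self.components.items() if label in c.labels)

def demo():
    p = Platform({"patient-record": {"api", "records-db", "report-gen"}})
    for name in ("api", "records-db", "report-gen", "metrics"):
        p.register(name)
    p.ingest("api", ["patient-record"])
    p.send("api", "records-db")
    p.send("records-db", "report-gen")
    try:  # a flawed component tries to push data to a sink the policy does not list
        p.send("report-gen", "external-analytics")
    except FlowDenied:
        pass
    p.send("metrics", "external-analytics")  # never saw sensitive data, so allowed
    return p.exposed("patient-record"), p.audit
```

Tracking at component granularity over-approximates exposure, which is the conservative direction: a component that has seen labelled data is treated as tainted for everything it sends afterwards.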
He said it is "naive" to assume one security method will solve all data protection problems in the cloud, and that there needs to be "multiple layers of defence".
"We should also create individual compartments within the cloud infrastructure, so when there is a security incident we can essentially limit its scope," he explained.
Imperial College has been working with the NHS to use the ideas Pietzuch discussed at the eforum, in the hope of creating secure healthcare applications.
Despite Pietzuch's research and his arguments that security in the cloud could be improved, he also said the industry perception of cloud security is very "skewed".
"A good analogy would be the difference between plane travel and car travel. Objectively, we know plane travel is safer per mile travelled than car travel.
"However, at the same time, more people feel anxious when they board a plane than when they take a car," he said.
"Similarly, we know cloud providers invest a lot of energy on securing the cloud infrastructure.
"They have substantial resources and the type of security mechanisms they can provide are probably better than traditional in-house security solutions," he added.
"At the same time, of course, cloud providers are collecting sensitive data from many different users, so the surface of attack is much larger and there is more incentive for criminals to attack the cloud. A single big security incident could potentially ruin a cloud provider's reputation."
Agreed, more technology could be used to build layers within infrastructure to better protect cloud service providers’ data and alleviate the much talked about end user security concerns. A point must be made however, about the fact that within “cloud data” comes a plethora of different cloud models, and with each separate component, there are different conversations to be had.
Indeed the security concerns that have been raised about public cloud services will differ considerably to those that have been raised about private cloud models. With a private cloud service for instance, the client is able to specify every last detail of the infrastructure supporting its data and applications, from the make and model of the hardware, to network management tools and firewalls.
The client can also be shown exactly where their data is to be held, which is typically hosted in a highly secure, Tier 3 or Tier 4 data centre environment within the UK. Such is the extent of the client’s visibility of their private cloud service that they can even be given a tour of the premises of the specified data centre, so that they can be confident that their supplier is hosting their data exactly where they want it to be hosted.
Concerns over the current security model not being transparent enough surely cannot therefore relate to private cloud services, as indeed, far greater levels of visibility are attained compared to the equivalent public cloud or on-premise solutions.
Keith Bates
Chairman
The Cloud Computing Centre
www.cloudcomputingcentre.co.uk
Posted by: Keith Bates 22 Sep 2011
I agree with Dr Pietzuch when he said in part of his conclusion that cloud providers "... have substantial resources and the type of security mechanisms they can provide are probably better than traditional in-house security solutions".
This means that on the whole, cloud solutions should be more secure than the average datacenter is able to provide in-house.
That being said, two things should be considered. The first is that, with an in-house solution, the risk is “all mine”. Most organisations will still be unwilling to offload their risk to a third party even if they believe the service is more secure – it is all to do with control. This has of course led to the significant uptake of the Private Cloud, particularly in large enterprises.
The second consideration is the lack of effort that the Cloud providers are actually putting into security. In recent research performed by CA Technologies with the Ponemon Institute it was revealed that:
• Less than 20 percent of cloud providers across the U.S. and Europe view security as a competitive advantage. Fewer than 30 percent of respondents consider security as an important responsibility. Less than 27 percent of respondents feel their cloud services substantially protect and secure customer information.
• The majority of cloud providers (69 percent) believe security is primarily the responsibility of the cloud user.
The balance between “Trust” and “Risk” has not swung as far in favor of the cloud providers as they would like.
Posted by: Chris Rae 17 Sep 2011