Cloud Providers Need to Step up on Security
Cloud providers ought to provide data security--that should be obvious. But some providers themselves, along with some security analysts, say they also ought to be doing more, such as educating their customers about best security practices.
Not that all providers are providing the basics themselves. CenterBeam, a managed services provider for midsize businesses, reported about a week ago that a recent security test of cloud providers found that some were not securely separating virtual servers located on shared hard disks. This vulnerability would allow an attacker to access fragments of customer data and possibly gain control of other servers.
But a more common problem, according to The 2012 Information Security Breaches Survey (ISBS), is that businesses are simply putting their data in the hands of third parties with little or no scrutiny.
It found that 34 percent of small businesses were allowing personal mobile devices to attach to networks, but without putting proper Bring Your Own Device policies in place.
The survey, written by Pricewaterhouse Coopers in conjunction with Infosecurity Europe and supported by the department for Business, Innovation and Skills, found that 73 percent of organizations are using at least one outsourced service over the Internet, but only 38 percent ensure that data being held by external providers is encrypted.
According to the Cloud Industry Forum (CIF), encryption may not be enough, or may not be the right solution. CIF, a UK-based organization founded in 2009, has mostly European members but some American firms like Microsoft and Dell.
In some cases, the organization says, access control, firewalls, VPNs may be more efficient and cost less than encryption. CIF Chairman Andy Burton, speaking last week to BusinessCloud9, said cloud providers need to do a minimum of three things:
- Be clearer up front with their prospects and customers about their approach to security and what options are available to adapt it, without compromising security in the process.
- Communicate in standardized language about classification of security risks and solutions, allowing procurers to compare different providers easily when making purchasing decisions.
- Educate end-users on what they need to look for technically, commercially and legislatively to ensure data security when migrating to a coud-based solution.
CIF spokesman Richard Merrin, managing director of Spreckley Partners, says one goal of the organization is to "help end users identify critical information that can aid their selection of cloud service providers. In that sense it aims to clear up the confusion and FUD [Fear Uncertainty and Doubt] in the market."
It is also good business, he says. "What is right for one company with one specific application may not be right for another," Merrin says. "The suppliers that will succeed in the market over the long-term are those that recognize and embrace this and provide confidence and clarity to their customers and prospects."
Read more about cloud security in CSOonline's Cloud Security section.