Cloud-based services are being rolled out without enough attention being paid to securing these services and the information they handle. That was the finding of a recent study commissioned by RSA Security.
While the report's findings are alarming, there is still time for providers of these services to address the problem, said Art Coviello, executive vice president at EMC and president of RSA Security. The key is to look at security as an integral part of the service and not as an add-on feature, he said.
Coviello recently sat down with IDG News Service to discuss the security of cloud-based services. What follows is an edited transcript of that conversation:
IDG News Service: Were you surprised by the report's findings?
Art Coviello: It was startling to me that a lot of this cloud computing was being done with security left behind, because I viewed cloud computing as an opportunity to really change the way people approached security. In essence, you're rebuilding the information infrastructure from the ground up. It'll be years before all these legacy systems get moved over, either to internal, private clouds or external clouds, or some combination thereof. Ultimately, that's where it's headed and because of that, because we have knowledge and forethought of all the issues we've had in security over the last decade and a half, one would think that we've learned our lesson about building security in.
Having said that, it's still very early days. Although I find the research alarming, I don't necessarily find it conclusive that this is the way it will turn out.
IDGNS: Is part of the problem that vendors aren't necessarily liable for all of the risk associated with offering these services? Would the services be more secure if they had to fully assume all of that risk?
Coviello: It could be if the person that purchases these services is not careful. But it's hard to imagine that any responsible provider of these services would deliberately make their offering insecure. Woe unto them, they'll be out of business pretty quick. The one thing you can rest assured of is if there's any security breach in one of these services, someone is just going to take their infrastructure and go elsewhere. It's a lot easier to do that in a cloud environment than it might be if you've outsourced your infrastructure.
IDGNS: How does a company know that a cloud-computing provider offers a secure service?
Coviello: Enterprises have the wherewithal and the skill to evaluate the cloud provider's capability and their capability in security, and they would be stupid not to do a thorough investigation because they're outsourcing everything.
IDGNS: What do you think is the greatest security weakness for cloud-computing services?
Coviello: It's almost too early to tell. How many instances do you see of cloud computing out there? I can give you a number of places where there could be insecurities. What people tend to worry about is the co-mingling of information, and that's probably the least of anybody's worries because it's very easy to partition data. What they ought to be more worried about is what are the access controls, what the authentication mechanisms are, how you ensure information doesn't somehow leak out to somebody outside.
I'd worry about those things, but these are things that are going to have to be investigated and developed as people start to get a feeling for what cloud computing is all about.