The concept behind clouds isn’t entirely new – for years, there’s been a market for managed security service providers, where a company streams their data over the Internet to a service provider, and the service provider performs analysis on that data in their security operations centre.
For a small business, this can greatly improve their security capabilities, especially where they don’t have the security expertise or staffing resources to run their own security operations centre. “You can get seven-by-24-by-365 monitoring from a service provider,” said Mark Nicolett, a security analyst with Gartner. “If you’re a small company, it’s just not economical to put that many bodies into a function like monitoring.” They can also save money, but it depends on the fee structure of the service provider.
There are a few attributes of a cloud-based offering, however, that set it apart: It’s delivered over the Internet, but the data goes into a shared environment, so it’s co-mingled with other customers’ data, and the location of the data is not fixed and not necessarily known. That means there are risks to consider. “For some workloads that’s a big deal,” said Nicolett, “while for other workloads it may not be so important.”
This location independence, and the possibility of a service provider “subcontracting” services, can result in compliance and legal issues unique to cloud computing. “You’re still on the hook for the integrity of the data and the protection of customers’ privacy,” he said. “Just because you’ve outsourced it doesn’t mean you’re no longer obligated from a compliance or legal standpoint.”
Why cloud now? The proliferation of netbooks and low-cost computing devices is leading to more interest in cloud computing, where one could use a thin-client device with a Web services architecture to access data in the cloud. As a result, many software vendors are changing the way they deliver products.
Symantec sees backup as an obvious task to outsource to a cloud-based service, said Jody Gibney, senior product manager for OnlineFamily.Norton. Norton Online Backup combines a local agent with backup services in the cloud, but the data is stored in the U.S. at this point, so privacy legislation comes into play in Canada and Europe. The stored information is encrypted and only the user has the key, said Gibney, and the activity data is stored separately from customer information.
In prototype right now is a password management service where users could store their credentials in the cloud (36 per cent of adults still use a paper list to keep track of their passwords), so if an employee is in an airport or at a hotel, they could easily access this information.
But it doesn’t make sense to push everything into the cloud, said Gibney. While the cloud offers a low-maintenance model for small businesses, drawbacks include limited access to local resources and bandwidth limitations.
“Just thinking a cloud will solve the problem is at the least naïve,” said Kevin Haley, group product manager with Symantec Security Response. “It’s only a delivery method.” In the security realm, the cloud serves as a repository for signatures downloaded from the network, but it can only contain known signatures. In many instances, threats pretend to be legitimate files, and some threats affect legitimate practices.
The reputation concept, where executable content is submitted anonymously, uses reputation to determine if a file, e-mail, application, Web site or Web service is good or bad. The key differentiator, said Haley, is not the cloud but reputation information that the cloud delivers.
Before sending your data off into the cloud, Gartner recommends evaluating the risks (data segregation, service provider viability, availability and recovery) through a third party. Start with low-risk workloads, said Nicolett, and get to know your service provider before moving workloads with more security and compliance requirements into the cloud. Always lay out availability and security requirements explicitly, so you can evaluate the service provider against those requirements.
“We’re not saying don’t do it,” said Nicolett. If a small business does their homework, they could benefit from cloud-based services by avoiding significant investments in their own infrastructure, as well as the ongoing maintenance fees associated with it – while gaining access to a higher level of security capabilities.