
Is the Public Cloud Safe?


This article is the first of a series that examines public cloud security—its concerns, current status and questions potential adopters should ask.

Old quandaries sometimes die hard. Despite enterprises having spent years formulating cloud strategies, many have remained aloof. Others—perhaps not wanting to risk the sort of high-profile breach and data loss that Amazon/Zappos encountered in January 2012—have gone entirely with private cloud development, despite understanding its significantly higher cost in infrastructure deployment and IT demands.

However, it’s easy to be swayed by headline-grabbing security lapses. Just because airplane crashes make international news doesn’t make air travel inherently less safe than its alternatives. This article is the first of a series on the question of public cloud security, examining its fundamental concerns, current status, the questions that potential adopters should be asking, and the various types of offerings now available. Out of the gate, consider this stance from Symantec’s Dave Elliott, senior manager, Global Cloud Marketing, which meshes very closely with the opinion of all the industry insiders we spoke with for this series:

“You can make a pretty compelling argument that, in the future, public clouds will be more secure than private clouds. There’s an economy of scale and scope that can go into security and the idea that you can hire the best, bring the best tools in, and have the best practices. You need to be very, very large to be able to compete with some of the things that public cloud vendors are able to do now and that they’ll be able to do in the future.”

Public Issues: The Cloud

According to Johnnie Konstantas, director of product marketing for the Security Business Unit at Juniper Networks, the idea of public clouds took root as a collective of universities and libraries combining their computing and storage assets in order to provide a pool of resources for students. These structures evolved into the managed services that public cloud providers offer today. Unfortunately, this history also brought along some baggage that lies at the heart of why many people still distrust public clouds.

While architecturally sound in concept, the public cloud model ignores certain things generally accepted by enterprises accustomed to running their own IT operations. First, there’s a lack of transparency. Unless covered by the service contract, it’s highly unlikely that a customer will be able to see past the proverbial front door. In a public cloud environment, customers can’t access the network or the hypervisor. In fact, about all they can control is their own virtual machines.

Also, public cloud providers may utilize national standards in their services, such as AES encryption for protecting customer data, but that doesn’t guarantee adherence to any national standards for cloud service security – because there are none. It falls to customers to learn the ins and outs of any vendor’s security stance or depth. Moreover, customers should make sure that the security features they expect are specifically stated in their service contracts. Just because a vendor offers a certain security feature in general doesn’t mean that the feature is implemented in every offering or pricing level.

Mandating contractual details is another common sticking point for customers. The less attention that gets paid at this step, though, the more risk the buyer faces.

“Smaller organizations may not have the legal counsels themselves or the wherewithal from a financial or a timing standpoint to be able to go through a very detailed contractual due diligence process,” says James McCloskey, senior research analyst with Info-Tech. “Now, from a risk management perspective, smaller organizations that lack internal expertise may still benefit from going with a professional service provider who does this for a living and has a direct interest in securing their system. That may be an advantage over trying to go it alone. There is no real easy math on that. It’s a question of risk tolerance and internal technical capability.”

McCloskey notes that public cloud service contracts typically do not assign sufficient liability. In the event of a security failure on the cloud service provider’s part, smaller customers in particular are unlikely (at least without significant legal wrangling) to receive protection or compensation equivalent to the real organizational cost of that security compromise. Customers may receive some limited amount of financial compensation, a free service extension, or the like following a security breach-related data exposure, but this is unlikely to match the cost in fines, public relations, customer loss, and other fallout resulting from a security compromise.

William Van Winkle

William Van Winkle has been a full-time tech writer and author since 1998. He specializes in a wide range of coverage areas, including unified communications, virtualization, Cloud Computing, storage solutions and more. William lives in Hillsboro, Oregon with his wife and 2.4 kids, and—when not scrambling to meet article deadlines—he enjoys reading, travel, and writing fiction.

See here for all of William's Tom's IT Pro articles.
