Gartner: High levels of cloud computing security still require long hard work


Gartner Research Vice President Jay Heiser: "To achieve a high standard of cloud security is still arduous and needs a long climb and effort." He said businesses and government agencies with sensitive data seemed more inclined to suspend cloud-based services until the security situation improved.

"The financial industry is taking a more conservative approach to cloud computing than other small businesses," Heiser said yesterday in an online presentation to Gartner customers. On the topic of "preparing for minimizing cloud computing security risks," Heiser said it is easier to use IaaS to establish a secure baseline than to use SaaS, if only because of more flexibility and less reliance on service provider capabilities. But in general, cloud service providers are not as clear as they should be about business continuity, disaster recovery practices, and so on, which makes it difficult for them to win the trust of their customers.

"Almost all of Gartner's customers are disappointed" when they see how incomplete their cloud computing contracts are and fail to find the professional standards of security they expect, Heiser said.

The struggle between cloud provider and customer to define technical and legal obligations has been taken up by the federal government in its FedRAMP project, which aims to provide certification to cloud service providers for government use. It is also being taken up by the Cloud Security Alliance (CSA), some of whose working groups have expended considerable effort to define industry standards.

Heiser also points out that the American Institute of Certified Public Accountants (AICPA) has replaced its original SAS70 certification with a SOC1 certification for service providers, and now there are also SOC2 and SOC3, which address the trust and security of the service provider's systems.

But although these standardization efforts deserve applause and could have a significant effect on cloud computing security, Heiser said that FedRAMP, a project expected to run next year, along with the CSA standards, is still an early plan, and their impact on cloud security may take years to emerge. Heiser holds the same view of the ISO/IEC 27017 cloud security standard and the ISO/IEC 27018 cloud privacy standard. All of these cloud computing security efforts are worthwhile, but they all need 1-5 years of development time before they can mature.

At the same time, businesses and governments have scaled back their security needs and started to assess potential cloud services and the security options for those services. Heiser says the focus should be on determining the sensitivity of the data used for the service, and that companies have to ask themselves how a data loss would affect them, whether security is a key competitive value, and whether the data are in line with conventional concerns, and "ultimately to determine the suitability of the service."

The most mature and effective approaches to cloud computing security are related to identity and access management and service-based encryption, he admits, but cloud customers have to look into the management and storage of cryptographic keys and ask whether the risks are acceptable, he notes. Gateway-based encryption, sometimes referred to as a proxy gateway or management, is another option, but he adds that "this approach often changes quickly." Forensics is not so effective at the moment, and considering overall security controls, it may take 5-10 years to see a "solid technology" for cloud computing.

The economic attractiveness of cloud computing is strong, and sometimes the economic benefits outweigh the potential risks. Gartner is recommending that its customers generally allow low-sensitivity data to be considered for cloud services, but that risk assessment is critical if the data is in a "medium" sensitivity range. If the data is highly sensitive, a cloud service should not be considered viable or permissible for it.

The program also means making sure that business managers know these things, that they "have" the data, and that they are up to date on the risks associated with cloud computing.

Even so, cloud service providers rarely provide compensation against hacker attacks. Even when customers are basically entering a supply chain cloud, SaaS retains more "mystique" than IaaS when it comes to understanding how providers actually operate. Since one risk is that a cloud service provider may fail, it is necessary to ensure that the provider can return data, or to have contingency plans for data backup. When Mumboe SaaS went bankrupt two years ago, it gave clients two weeks to get their data back, Heiser mentioned. This is a wake-up call: the cloud does sometimes disappear, and we need to plan ahead to prevent such "pouring rain".

Even with the well-known cloud names of today, such as Amazon, Google and Microsoft, there have been examples of data disappearing at least once, or even failing to be returned. Heiser said, "Data recovery is not such a simple procedure," with the "loss of services and the loss of effectiveness at the forefront of the list," and real-time service updates can lead to extensive data damage, he finally pointed out.

For applications, services, servers, storage networks, and security, IT managers are accustomed to controlling what they should do within the enterprise. They need to be fully aware that flexibility is inherently not a part of the cloud.

The writer, Ellen Messmer, is a senior editor at Network World, where she covers developments and technology trends in the field of information security.

(Responsible editor: Fumingli)
