Cloud technology has taken off in South Africa, although there are still those who believe that it is still early days. Perhaps the reluctance to move business into the cloud is because they are not convinced that sufficient security and safeguards are in place. This prompted us to ask four experts to share their experiences and views.
“Security is everyone’s concern and everyone’s responsibility. This has always been the case, but the cloud only emphasises this fact. Companies of every size need to build an understanding of the potential business risks associated with unsecured applications and data,” says Clive Brindley, HP Software country manager.
“Mobile applications represent a kind of gateway drug to the cloud. This is due to developers increasingly leveraging cloud-based services for tasks such as notifications, and billing and payments, allowing them to focus on the app client logic and leave the server-side features to the cloud. The result is faster delivery of a better app, and one that puts the richest available functionality into users’ hands.
“But what makes it faster and cheaper may also make it riskier. Mobile apps are increasingly dependent on cloud services that the apps team didn’t build, the organisation doesn’t own, and the ops team doesn’t even know about. Meaning that to create effective mobile apps, you must have confidence in the cloud.
“Given the increasing breadth of the mobile ecosystem, it’s crucial to understand where the weak security links exist. Essentially, there is a threat in every layer: the mobile client, the network and the server. When you use cloud services in a shared environment, you’re at risk from weaker adjacent apps. Many third-party components and web services aren’t secure and perhaps haven’t even been tested. Plus, you may be trusting highly sensitive data – customers’ PINs, passwords, messages, account numbers, photos and documents – to services that you don’t own.
“Apps teams can’t roll the dice on mobile security. As the developers continue to take advantage of cloud services for mobile apps, you might wonder how you can be certain that it’s OK to trust a particular cloud service. The answer is simple: You can’t be certain. That’s why you have to do what you can on your side.”
Jeff Fletcher, co-owner of Three6five agrees. “It is a contentious issue, given the recent privacy debates that have surrounded the online storage providers such as Dropbox. While they encrypt your data, they have a key that will let them gain access should there be a request from a legal authority. I think the question can be distilled down to a fundamental trust issue.
“The cloud offers several security advantages over the existing distributed systems model,” says Dr. Khomotso Kganyago, chief security advisor, Microsoft South Africa. He has a somewhat different view.
“First, cloud providers centralise security expertise in large data centres and adhere to emerging international standards of operational security, which means security may be increased dramatically over time.
Second, much of the code created for the cloud itself (e.g., Windows Azure, an operating system for the cloud, and virtualisation technologies) was created after the implementation of secure development practices like the SDL, thus helping to ensure better security code quality.
Third, in a world increasingly composed of sandboxed applications that are gated through “app stores,” more users may be downloading applications from known sources that have better security controls in place to respond if an application proves malicious.”
Cobus van den Berg; Huawei technical specialist at Mustek says that security is not just a cloud concern, it is on both sides of the spectrum. Cloud adopters and non-cloud adopters alike are scared of cloud security, including fears of leaks of customer and proprietary data.
“To add to this, governments are implementing various legislation and adopting initiatives such as, but not limited to, the ECT Act, FICA, RICA, King III and POPI Bill. Various organisations at ‘C’ level are still not ready or don’t understand these initiatives.”
Should service providers contractually specify what security measures they have in place??
“Yes, absolutely,” says Dr. Kganyago. Your SLA (service level agreement) must make it clear who is responsible for managing the security that relates to the services and data that tenants host in the cloud. SLAs must also make clear when and to what level of detail operations staff should have access to the tenants’ virtualised resources, including access to logged data. Responsibility for backup and restore processes, ownership of and access to the backed-up data, and storage of the backups must be explicitly spelled out.”
Van den Berg agrees with Kganyago. “In order to meet these SLAs the service provider will necessarily have to ensure that all data is managed in accordance with the users’ corporate governance policies and depending on the industry regulations that influenced the corporate governance, it will become necessary to contractually specify what security measures are in place and ensure that utmost care is taken to ensure that business risk is minimised – no matter if the business risk is in the shape of optimal uptime or ensuring that there is no harm to a corporate’s identity.”
Brindley does not believe that it is a given. He says: “It would depend on the cloud service that you are using. A social networking site may not be as specific about their security measures as say an online file storage service.
A cloud service provider may use their security features as a marketing tool to have a competitive edge over other service providers. It may be that the specific cloud service never requires personalised information, such as github, nullifying the need for security. I think as the cloud service provider market matures, there will be some providers that will specialise in securing your data (SpiderOak is an example) over other features to fill the trust gap in the market for the more cautious of customers.”
Fletcher, agrees. He added “a cloud service provider may use their security features as a marketing tool to have a competitive edge over other service providers.”
Should data to be stored in the cloud be encrypted before it leaves the sender?
Brindley: “An information-centric approach, rather than the usual focus on securing infrastructure, is what makes sense for today’s shared and open computing environments. Applying an information-centric security technique like encryption allows you to be more fluid with your information.
Dr. Kganyago: “Encryption is one of the fundamental required tools for protecting data in the cloud – but it must be used appropriately. Recognised encryption algorithms like AES have years of real-world exposure and testing, avoiding the classic mistake of attempting to ‘roll your own crypto’. The whole point of security, and especially cryptography, is to make your information and processes very hard to gain access to.”
Van den Berg: “Moving data into the cloud will force the user and/or business to give up control over private and confidential data and introduce data segregation risks. Cloud computing will force the end user and/or business to attend to issues such as security risks, boosting efficiencies, cost- savings and competitive advantage. Secure socket layer (SSL) certificates are one of the primary security standards within the internet for secure transferring of information between parties online.”
Fletcher: “Encryption should be required for all sensitive information. But as with good password management practices, unless it is enforced, most people won’t do it.”
What level of encryption does the panel recommend?
Fletcher: “A security standard that I always come back to is internet banking. If that level of encryption is good enough to safeguard my money, both from my, and the banks perspective, it is probably good enough to secure my data. Standard Bank’s internet banking is running 256 bit, AES encryption. Clearly both Standard Bank and I are happy with that, otherwise they would have implemented something else, or I would have moved banks.”
Dr. Kganyago: “It really all depends on the data and the application. There are several levels available, but before you just encrypt, it’s important to invest time in diagramming the flow of your data, both secure and unsecure. Take a look at where your data goes and how, where you store secrets, and especially where your data crosses boundaries such as public and private networks. This will give you a good idea of where your data is exposed, and allow you to target those risks with plans for mitigating them in a straightforward manner.
Brindley: “With today’s more open computing models, infrastructure-centric security isn’t sufficient. To take advantage of cloud computing, mobility and social media, your information needs to flow outside your facilities and beyond your enterprise, yet remain secure. So you can’t focus your security on the infrastructure and hardware alone.”
Are clients of the panellists currently using encryption?
Maybe this was an unfair question. The panellists varied in their replies from a qualified yes to a definite yes!
The panellist were asked to comment on the following security systems:
- Consumer key management as a service
- Deploying a key management server back in your data centre and integrating it with your cloud encryption software of choice
- Porticor – a patented virtual key management device.
Brindley: “In order to secure data in the cloud we require encryption. However, data is encrypted and decrypted using what’s known as encryption keys, which means whoever holds the keys holds the access to the encrypted data. Hence the need for a secure key management framework that not only stores the keys securely, but also manages access to the keys securely, whether it be for user’s application, third party providers, consumers or cloud.”
Porticor is only one of many encryption and key management technologies available. They are fairly new to the market, which raises the question: How secure are their cloud offerings?
Dr. Kganyago added that the need for a secure key management framework that not only stores the keys securely, but also manages access to the keys securely – whether it be for user’s application, third party providers, consumers or cloud – is essential.
When it comes to encryption and high level security, all four panellists recommend that a security specialist should be consulted.