NATIONAL HARBOR, Md. – Despite plenty of vendor hype, most enterprises use cloud computing services sparingly. However, Gartner analysts say crucial steps must be taken today to avoid serious cloud computing security problems.
During a presentation at the 2011 Gartner Security & Risk Management summit, Gartner Vice President and Distinguished Analyst John Pescatore told attendees that even though most industry observers believe enterprise cloud computing adoption is on the rise, Gartner’s research has found public cloud computing use is limited to Software as a Service (SaaS) offerings.
Proving his point, Pescatore informally polled the audience of several hundred attendees, and roughly half acknowledged use of commercial cloud services like Salesforce.com, but only a few hands went up when asked whether their organizations used platform or infrastructure services, or other hybrid models.
But, Pescatore cautioned, that doesn’t mean security pros can sit on their hands. Enterprise infosec teams must put security plans in place not only to prepare for the adoption of those cloud computing services in the coming years, but also to stave off the security risks posed by consumer cloud computing services.
“Today we have a lot of players, like Google and Amazon, who are starting from the consumer space, but are now offering enterprise services, and cloud-based services like Twitter that are starting to get used for business,” Pescatore said. Companies are adopting these services because not only are they easy to use and easily accessible, but they’re also often much cheaper to use than similar traditional on-premise alternatives, he added.
“So from the user perspective there are a lot of rewards, and from the CIO’s perspective it’s saving a lot of money, but from the attacker’s perspective it’s opening up new paths to go after users,” Pescatore said. “There’s a lot of new risk.”
To illustrate that risk, Pescatore pointed to consumer cloud storage service Dropbox. Use of Dropbox in the enterprise “kind of exploded this year,” he said. However, its security practices have been questioned in recent months: In April, the company was criticized for misleading statements about its encryption practices and whether Dropbox employees could access users’ files, and on June 19 a configuration error enabled virtually unchecked access to all users’ accounts for several hours.
Pescatore said too often enterprises fail to consider the potential for these sorts of incidents when deciding whether to adopt cloud computing formally or allow staff to use cloud services ad hoc.
“This is a big part of the change in dealing with security” for cloud computing, Pescatore said. “In a consumerized world, we don’t sit down and make TCO and risk-based decisions all the time.”
In the next few years, Pescatore added, use of cloud computing will only increase, raising the stakes for enterprise security teams. He said Gartner forecasts that by 2015, most private or limited cloud computing use will evolve into hybrid cloud computing featuring a mix of cloud software, platforms and infrastructure, much of which will be virtualized in a public cloud. Enterprises are speeding toward a day when cloud bursting – using third-party cloud systems ubiquitously alongside their own infrastructures – will be a commonplace method for increasing computing capacity on demand.
Pescatore urged enterprise security teams to prepare now for the security implications of the coming cloud computing evolution. He said security should put a rapid-response system in place that can quickly evaluate a cloud computing request from another part of the organization, and assess how it can be secured.
“We can’t think we’re going to have two and a half years to make decisions on these cloud-based services,” Pescatore said. “We have to plow some of those savings back into the security piece.
“The decisions you’re making today are very key in how you’re going to be able to extend security out to hybrid and public clouds.”
In a separate presentation on cloud computing security, Dan Blum, a vice president and distinguished analyst with Gartner IT1, said one way to facilitate the secure use of cloud computing is for security teams to define approved patterns of use.
This process, Blum said, involves assigning a risk level to various types of cloud-based services. For designated low-risk uses, business units would be permitted to contract their own services or use a list of approved vendors with IT serving as the cloud services broker. For services designated medium- or high-risk, business units might be required to conduct a self-assessment of the potential cloud services, or a full risk assessment of the usage scenario.
“It might be that if they use the vendor we’ve already used, that’s OK, but if they want to create a new vendor relationship, they’re going to have to undergo the risk management process and for a medium-trust use case, maybe that can’t happen without some sort of on-site audit or review process,” Blum said.
The idea, Blum said, is for security to have a flexible response plan in place when the organizational need for various cloud services arises in the future.
“In the world of cloud computing,” he said, “it’s good to have as much of that as you can set up in advance, so you don’t have to repeat the process too many times.”
Attendee Scott Kramer, a network security specialist at Anne Arundel Community College in Arnold, Md., attended Pescatore’s presentation and said his organization’s users love cloud computing services, but he tends not to, largely because of the security challenges presented by services like Dropbox.
However, he said he believes security pros in the industry at large are trying to triage cloud computing risks. “Truly, a lot of us are just to contain and minimize the risks, because ultimately we can’t stop the usage,” Kramer said.