If you entrust a cloud provider with your data, how is encryption handled, if at all? What about user authentication? What about data breach liability?
Those were some of the issues raised during a panel discussion on the security challenges with cloud computing services at last week's Bay Area SecureWorld in Santa Clara, Calif. "We're not saying the cloud is bad. There is a lot of good there, but we want to bring the challenges to your attention," said panelist Tim Mather, a security advisor and a founding member of the Cloud Security Alliance (CSA).
One of the major cloud security issues is encryption, he said. If data is processed in the cloud, it needs to be decrypted, and some providers don't even offer encryption. And if encryption is used, key management becomes a big issue, he said: "Who manages the keys?"
The role of network security decreases when moving into the cloud, making user-based controls more critical, said Subra Kumaraswamy, senior security manager at Sun Microsystems Inc.
"A key area to focus on is federation, which allows SSO [single sign-on]. … Not every cloud is equal. A majority of providers don't support SAML [Security Assertion Markup Language]," he said. "Emphasize SAML and force them to support it."
Man-in-the-middle attacks and Trojans will pose problems in cloud computing, making it important that organizations understand their strong authentication options with a cloud provider, said Kumaraswamy, also a CSA founding member. And if a company uses two-factor authentication, there's the question of how that transfers to the cloud, he said.
Another focus for cloud computing services customers should be authorization -- what users can do in the cloud. "Not all providers support that role-based access control," he said.
"There are different kinds of clouds. Some are more secure than others," said panelist Izak Mutlu, CISO of Software as a Service (SaaS) provider Salesforce.com.
Early on, his company implemented security, he said. The company engages third-party security firms to audit its security and performs internal security audits. "We are very transparent," he said.
Security improvements at Salesforce.com have widespread benefits, Mutlu noted: "Every enhancement we make for security affects all our customers."
The panel also addressed the issue of liability in the event of a security breach involving a service provider with a shared, multitenant application. Mutlu said liability depends on how the customer negotiates its contract with the service provider.
In a keynote at the conference, Nils Puhlmann, co-founder of the Cloud Security Alliance, said cloud computing presents risks but also opportunities for security pros.
With the SaaS model of cloud computing, it's incumbent on the customer to ensure the provider has enough security functionality, he said. However, if a large customer, for example, asks a SaaS provider for a particular security control, the provider will undoubtedly implement the control, which will benefit the provider's other customers, Puhlmann said.
"We can actually raise the bar from a security perspective," he said.
Cloud vendors are often non-committal about security, but sometimes that might be because they are startups and don't understand it, he said, adding, "In most cases, you can educate them."
The nonprofit CSA formally launched in April with a goal of sharing best practices on cloud computing security. The group, which has more than 4,000 members, released a paper outlining more than a dozen areas it says must be addressed to better secure cloud computing environments. Puhlmann said CSA expects to release the second version of the document in October.