NSA surveillance program adds new wrinkle to cloud security issue

SUMMARY:

Security has been one issue inhibiting cloud adoption, and the hubbub about PRISM only seems to have made it a bigger concern. That’s why we’ll talk about cloud security at Structure:Europe in September.

Use of public clouds can lower capital expenditures, lessen technical complexity and help the cause of scalability — well, at least vendors say so. The security of that model is less widely agreed on, even years after Amazon came out with EC2 and S3 and got the public cloud moving.

The conversation about cloud security got more interesting following revelations on the National Security Agency’s PRISM program, even if many people figured that such government snooping was possible if not already happening. After talking with executives at a few cloud providers, it sounds like the PRISM news hasn’t necessarily lowered inquiries about public cloud services. What it is has done is prompt more questions about security.

“I think it might make some people think twice about where they locate a service and where the service they use is,” said Joe Baguley, chief technology officer for Europe, Middle East and Africa at VMware.

And cloud providers have got answers. They’re coming out with services that could make businesses small and large think more seriously about public- or at least hybrid-cloud deployments. At the same time, there’s evidence that the cloud isn’t as lacking on security as some companies might have thought.

Going down the networking route

More robust networking systems could bolster adoption. In VMware’s view, one way to make companies feel better about the cloud is to let them keep using the same strong networking configurations that run on premises — load balancers, firewalls and other components — and easily change them through existing VMware management software. This capability is among the selling points for VMware’s Infrastructure-as-a-Service (IaaS) product, the vCloud Hybrid Service. Now VMware’s $1.26 billionacquisition of Nicira makes more sense, this time from a security standpoint.

Some telcos providing cloud services focus on the network as a security enabler, too. Verizon’s Terremark can keep data encrypted at rest and offer isolated physical resources to its customers, and it can also supply a more secure pipe to the cloud. “We provide both the network and the cloud — the entire length, from your customers’ data center premises (that are) secure and highly available, into our cloud, which is also secure and highly available,” said Gavan Egan, vice president of sales at Verizon Terremark Europe.

Smart configurations and permissions, too, can make sure employees only have access to data in the cloud that their bosses have previously signed off on. Perhaps the PRISM news might not have hit if Edward Snowden had lacked the permission to see all the NSA documents he did. To help companies control employees’ access, Hila Meller, head of security strategy for EMEA at CA Technologies, points to identity and access management (IAM) software for restricting the use of cloud services. While it could be that cloud adoption happens faster where economic conditions are poorer, because companies want to spend less on IT, IAM software could let companies save while also tamping down unwanted access. And stronger security could help companies in richer countries move a bit more into the cloud.

Location, location, location

There’s also a wrinkle about location. Post-PRISM, it’s possible demand will increase for IaaS clouds that are physically located in specific countries that meet national standards and that are owned by local companies. Examples are Zurich-based CloudSigma and ProfitBricks, with headquarters in Cambridge, Mass., and Berlin. Executives from those two cloud providers and ElasticHosts and UpCloud will talk about their opportunities and challenges with my colleague David Meyer at our Structure:Europe conference in London on Sept. 18-19. As GigaOM’s Barb Darrowput it, “The various cloud contenders from the E.U. would have to be brain-dead not to try to turn concerns about massive U.S. data gathering into a commercial advantage.”

Meanwhile, there are options for Platform as a Service (PaaS) that don’t even touch external infrastructure, such as the new private PaaS that Berlin-based CloudControljust served up. Such services could gain steam because of cloud fears, even if private PaaS isn’t necessarily more secure that public PaaS.

It’s clear that not every type of data is getting beamed up to the cloud for many companies that have wandered onto the public cloud so far. What is? Sensor data is one category many European companies are interested in processing and storing in the cloud, Baguley said, just so long as it can be handled in accord with all applicable regulations. Indeed, we’ll talk about machine-to-machine data at Structure:Europe, with leaders of LogMeIn, Libelium and Good Night Lamp. But while internet-of-things data can pile up, there’s nothing to stop a sensor-rich and paranoid company from bringing data into the server closet.

Perception might not be reality, even in Europe

Despite the issues companies raise and the concerns some people have about the cloud and what might happen to data sitting on it, some fear of the cloud seems to be allayed when companies actually start making the move. At least recent surveys of small and medium-sized businesses in multiple countries suggests as much. A studyMicrosoft commissioned shows that many respondents benefited from having a cloud provider make sure security systems stay up to date. It’s a matter of not having to spend as much time on security, and having to do less to stay in compliance with regulations.

Of the businesses surveyed in Germany that don’t use the cloud, 55 percent said data-security issues are keeping them from adopting it. But of those that did adopt the cloud in that country, 96 percent found security benefits they didn’t have on premise, and 47 percent said data security had improved. Views on data security and security benefits were not too different among small and medium-sized businesses in France, the U.K. and the U.S.

“There is a big gap between perception and reality with the cloud,” said Adrienne Hall, general manager of trustworthy computing at Microsoft. That company is pushing hard to make Windows Azure home to security-conscious applications, so it’s worth taking the study results with a grain of salt. But even if those findings are generally true, it’s not like every company is on board with the cloud mantra. And as the survey showed, security is one of the stated issues companies have. (Reliability is another.) So what’s a cloud provider to do in order to ease concerns and get more business?

Hall said Microsoft and other companies are working on initiatives that could simplify regulatory compliance. For example, she said a common place for companies to see vendors’ compliance certifications is helpful, and toward that end Microsoft participates in the Cloud Security Alliance’s registry of certifications. Case studies showing benefits of the cloud are good, too. But Hall knows that’s not enough. “I think we’ve got work to do there, and I think our competitors do, too,” she said.

And there will continue to be a lot to talk about — which is why I’m excited about my panel on cloud security with Hall, Egan, Meller and Baguley at Structure:Europe.