Last year, Forrester predicted that cloud computing would top $240 billion in 2020. Market Research Media came up with a more aggressive forecast of $270 billion in 2020. And with tons of other market research studies pegging high numbers for the future of cloud computing, it looks like cloud computing is here to stay. However, even as companies are adapting to this new paradigm, there are growing concerns about the safety of their data in the cloud. Incidents at cloud service providers like Dropbox, where a security glitch let visitors use any password to log into customer accounts for about 4 hours, highlight dangers of storing information in the cloud.
I recently sat down with Jasmine Noel, Senior Product Marketing Manager here at Veracode to discuss cloud security and how this impacts companies offering cloud based solutions. Read on to view the highlights of our discussion. Q: Why is security in the cloud becoming a fast growing concern for enterprises today? JN (Jasmine Noel): There are three parts to the answer. First is that security breach reporting is skyrocketing, in part because hackivists love the publicity and partly because crime occurs where the value is, and in our digital economy the value is in various forms of intellectual property. Second is that cloud computing distributes corporate intellectual property to many different infrastructures while promising authorized users ready access to that information. Third is that companies rarely only use one cloud-based service. I think if someone were to count all the Salesforce.com customers that have integrated it with cloud-based marketing automation solutions and/or cloud-based accounting solutions it would be a high percentage. What this means is that corporate information resides in many places in the cloud, those places are interconnected and hackers are actively looking for any weaknesses to abuse those connections. So it’s not surprising that cloud security is a growing concern. Q: What are some of the major concerns around cloud security? JN: I think what most companies are looking for from prospective cloud-based solution providers is transparency in terms of the provider’s security mechanisms and IT processes. Companies want to know what security mechanisms are being used to keep their information confidential and secure, while it is in transit to and from the provider’s datacenter, while it is in use or at rest in the provider’s datacenter, while it is copied or at rest in a disaster recovery site, and how the information is finally deleted. They are also concerned about the security mechanisms used to authenticate company users that will be accessing and updating the information. Remember the goal of most cloud-delivered services is to provide ready access to corporate information – but only to the right people. In terms of process transparency, companies want to know that the provider’s IT procedures does not expose corporate information to provider’s staff while performing routine maintenance or updating to the infrastructure or service software. They also want to know whether the service infrastructure and software is continually being hardened against attack and that the incident handling procedures are well known and are actually followed. Q: How are companies that offer cloud based solutions being impacted by these concerns? JN: Customers are asking many questions but increasingly they are also expecting independent proof of the answers. For example, one of our recent RFP’s asked us to answer the checklist questions in Gartner’s research note “Critical Security Questions to Ask a Cloud Service Provider”. So we provided those answers. However, they also asked for our SysTrust report and proof that SunGard (our hosting provider) was certified as an SSAE 16 facility. What the SysTrust certification means is that every January and February Ernst & Young audits our review process documentation, conducts interviews and crawls through activity logs to see whether we had effective controls over our platform to protect information during the previous year. SunGard goes through a similar process with their auditors. It’s really not that different from the advice we give our customers about application security – trust is good but independent verification is better.