Businesses are turning to cloud computing in growing numbers for a variety of reasons. By "publishing" datacenter resources — such as servers, storage and network connectivity — cloud computing supplies a pay-by-consumption scalable service that's usually free of long-term contracts and is typically application- and OS-independent. Cloud computing also benefits adopters by eliminating the need to install any on-site hardware or software.
On the other hand, cloud computing remains a new and widely untested technology. Among all the critical issues potential cloud adopters face, security may be the most urgent. Today, most cloud providers are touting the technology's safety benefits while simultaneously working to patch its inherent weaknesses. To cut through the confusion, here's a quick look at cloud-computing security strengths and weaknesses.
Cloud computing provides an array of security advantages, including:
Better Data Security: By using the cloud as a thin client technology, businesses can limit exposure threats posed by data-crammed laptops and backup discs. Instead, they allow the cloud to provide small temporary data caches for mobile devices.
Enhanced Monitoring: Centralized storage on the cloud is easier to monitor and protect than data spread around a business on individual user machines.
More Efficient Security Software: It's possible, perhaps even likely, that cloud-computing customers (being billed on the basis of CPU cycles) will drive software vendors to fix inefficient security approaches that needlessly burn up resources.
Better Anti-Virus Detection: University of Michigan researchers recently discovered that if anti-virus software tools were moved from a PC to the cloud they could detect 35 percent more recent viruses than a single anti-virus program (88 percent versus 73 percent). Moreover, using distributed software, the researchers caught 98 percent of all malicious software, compared with 83 percent for a single anti-virus solution.
Infinite Logging Space: Cloud computing makes it much easier to create highly granular logs that can later provide concrete proof of suspicious activities. Cloud computing should also make it easier and more convenient for datacenters to embrace logging. In the cloud, it's no longer necessary to compute logging disk space in advance, since storage is always available on an as-needed basis.
Flexible, Cheaper Security Testing: With cloud computing, it's easy to create the extra temporary resources needed to pilot a new security technique within an exact copy of your everyday production environment.
It seems that every cloud, even a virtual one, must have its dark side:
User Access: With data sent off-site, it's easier for unauthorized people to gain access to critical business data. That's why you must press the cloud provider to give you information on who it hires and exactly how it restricts data access.
Regulatory Compliance: Cloud computing makes regulatory compliance far more complex by placing the responsibility into the hands of an outside provider. This fact can make it difficult, perhaps even impossible, to ensure information integrity and overall security.
Data Location: With cloud computing, business data can be sent literally anywhere, perhaps even split among different locations around the world. This means that critical company information may reside in places with loose — or nonexistent — privacy laws, leaving a business vulnerable to data leakage.
Forensics Threat: Cloud computing's data dispersion can make it difficult — and sometimes impossible — to track unauthorized activity, despite careful logging.
Recovery: Unless a provider supplies a rock-solid guarantee, a business may find itself experiencing great difficulty recovering lost services and/or data.
Provider Stability: Outsourcing data and other resources is generally a great idea. Yet, if a cloud provider suddenly folds up shop, it could essentially take your entire datacenter along with it.
The Bottom Line
Cloud security is both diffuse and evolving. Any business considering a move into the cloud needs to understand the approach's various security advantages and drawbacks. The next step should be to question individual providers on their security practices and guarantees and then judge how everything will fit into existing business protection strategies and policies.