Cloud security still needs a lot more work, say European experts
Security and privacy remain a stumbling block for cloud computing, according to information experts speaking at the Trust in the Digital World conference in Madrid.
Cloud computing is secure in general, agreed a panel of experts, but there are gaps and there is no such thing as 100% security, said Raul Granadino, cyber security excellence programme manager at Spain’s national cyber security institute, Incibe.
“Cloud computing is secure enough for what it is currently being used, such as e-commerce, but a lot more work will be needed to make it secure enough for critical applications and infrastructure,” said European Union Agency for Network and Information Security (Enisa) head of operations Steve Purser.
“Cloud computing for critical infrastructure is a whole new ball game and the industry will have to do a lot more work before that could happen,” he said.
Enisa believes cloud service providers will have to solve some of the risks of cloud computing, but Purser points out that not all of them are security and privacy-related.
“Availability is key to critical infrastructure and applications, yet that is often overlooked as a stumbling block for cloud computing, with the focus tending to be on security and privacy,” he said.
“Cloud computing is also just one element, but providers of critical infrastructure should be looking at the whole set of components in terms of availability, including things like electricity supplies.”
In the context of security, Enisa believes cryptography and key management is the key challenge when it comes to using cloud computing for critical applications and infrastructure.
“There is a need for strong cryptographic controls in the cloud, but key management in the cloud is still very difficult to do and more research has to be done to find a way forward,” said Purser.
In general, the panel said cloud service providers should seek to build trust through being completely open about their security processes and making it easy for customers to run independent assessments.
“There is a need for greater transparency, particularly for things like processes for incident response, log management and security audits,” said Telefonica chief technology officer David Barroso.
However, the panel said not all consumers of cloud services will be able to make meaningful assessments of their service providers.
Cloud security certification scheme
To get around this problem and make it easier for consumers of cloud services to choose providers that meet their particular security requirements, Enisa is proposing to introduce a certification scheme.
Enisa believes certification against a set of generally agreed security requirements for Europe will go a long way to creating trust and giving customers confidence in their cloud service providers.
“Comprehensive certification for cloud service providers that includes things like legal and service level requirements will make it easier for companies of all sizes to make confident choices,” said Purser.
The panel said the public and private sector should work together to improve the security and privacy of cloud services and grow trust in cloud service providers through transparency.
“The role of the public sector is to raise issues to ensure public safety, while the private sector should seek to build the solutions to those problems as market differentiators,” said Purser.
Granadino, who co-chairs one of the working groups for the EU’s Network Information Security (NIS) platform, said the planned NIS directive will help set a common security baseline for cloud service providers.
“NIS will help the whole cloud ecosystem and provide an opportunity for cloud service providers to help businesses that have less mature IT strategies, which typically includes most small and medium businesses,” he said.
Enisa considers regulation to be good, but “in limited doses,” said Purser. The organisation believes best practice is important and often the best way forward when it comes to fast-moving technologies such as cloud computing, he said.
However, Purser said the good thing about the proposed NIS directive is that it is very abstract, allowing for plenty of opportunity for Enisa to work with the private sector to find the most “business-friendly” way of implementing the directive.
The ideal, he said, would be to ensure that the principles of the NIS directive are implemented in such a way that businesses are able to realise the full potential of cloud computing or any other new technology.
Security concerns often overlooked
Purser expressed concern that businesses may be getting too comfortable with technology and that security and privacy concerns are often overlooked in favour of functionality and cost savings.
However, Barroso said he is seeing a change in enterprise behaviour, with a growing number of businesses including security requirements as part of their procurement processes.
“Security is becoming increasingly important for enterprises and there is greater scope for CIOs to include security in purchasing decisions, but the final say still rests mostly with non-IT executives,” he said.
Barroso said another indication of this trend is an increasing demand from customers for datacentres in their own countries or regions. “And that is not limited to customers in Europe, we are getting similar requests from customers in other parts of the world too,” he said.
Looking to the future of cloud computing, most members of the panel were optimistic and said that cloud services would continue to evolve and grow.
But Purser said security, privacy and guaranteed availability are key obstacles to the further development of cloud services.
“The winners will be those who can find practical ways of solving these issues, but so far I can see very little progress in this regard,” he said.
Intel Security panel chair and chief technology officer for Europe Raj Samani said he believes cloud service brokers will play an important role in the future of cloud computing.
Under this proposed model, a cloud broker would manage the use, performance and delivery of cloud services, and negotiate relationships between cloud service providers and consumers.
Advocates of this model believe it has the potential to eliminate many of the concerns businesses have over cloud computing as well as simplifying the process of managing multiple cloud service providers.
“It is surprising that cloud brokers are not already a reality because this approach would help avoid the problem of getting locked into particular cloud service providers,” said Samani.
Barroso said companies with the greatest concerns about public cloud are currently focused on setting up private clouds to realise the benefits of cost reduction and scalability.
“Cloud brokers could be the next step in the evolution, but I think that will still take another five to ten years,” he said.
Granadino said that certification of cloud services is likely to be important, and that big data and data generated by the internet of things will be among the best use cases for cloud computing.
“The winners will be those cloud service providers that can create a secure technology stack for delivering services in these two areas,” he said.