Three Steps to Secure Cloud Computing

You can close your eyes and pretend it is not happening—many CIOs are doing exactly that—but face this reality: “Cloud computing is with us to stay. Everybody will soon be using it.”

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. “They are panicking about this,” said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon’s cloud computing offering. The panic is well-founded, isn’t it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: “Security is not the issue. Do you think your IT department knows more about data security than Amazon does?“

Reality check: “Data security in the cloud is no different than data security at a remote data center,” said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

In many cases, data at most companies “are more at risk in their own environment than in a well-managed cloud,” said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, CA-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players—Amazon, Google, Sun Microsystems, Salesforce.com—know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data indeed seem over-wrought. “There’s been a lot of over-reaction,” said Sheynkman.

“The question should not be about data security in the cloud,” elaborates Haskin. We need to be asking other questions that probe exactly why we are afraid of cloud computing and certainly, as a group, CIOs are resisting it. But just maybe that has to end because time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, CA-based Dreamfactory, a developer of cloud-based applications, ominously warns: “The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT.”

And that may be the legitimate worry. That’s because a CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online at Web-based spreadsheets or into slide shows.

“Most CIOs worry a lot about employees putting data that shouldn’t be public in public places,” said Christopher Day, senior vice president of security servicesat Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company’s strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

“Just put into place clear policies, then educate employees about them,” said Day.

Pull your head out of sand (or clouds as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. So, also look for other, more secure ways to let them do exactly that, adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another, lingering worry about cloud computing is that – with many providers – log-ons are too primitive. “Large enterprise will not embrace the cloud until security significantly improves,” flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.