Cloud computing, a popular new trend in technology, provides an opportunity for organizations to reduce the costs associated with an information technology system. However, a central concern among professionals is the security (or perceived lack of it) in cloud applications.
This may be a misperception, according to two researchers who presented their findings at the Ninth Workshop on the Economics of Information Security (WEIS 2010).
“Standing in the way of the potential saving achievable through cloud-hosting are concerns about security,” the researchers said. However, most of these concerns “are already endemic to existing hosting offerings [or] are already endemic to content distribution networks,” they said.
David Molnar and Stuart Schechter of Microsoft Research presented their findings on security in the cloud under the title “Self Hosting vs. Cloud Hosting: Account for the security impact of hosting in the cloud.” The security concerns regarding the cloud all have solutions that still make the cloud a more effective environment than self hosting, they said.
In their presentation, Molnar and Schechter outlined several threats posed by cloud hosting. These include threats to the infrastructure, contract threats, legal and juridical threats, threats from other tenants, cost and response capabilities.
“When infrastructure is shared, tenants must be confident that mechanisms are in place to protect tenants from one another,” they said. “Sharing resources may negatively impact availability and, when tenants may be identified by the resources they share, reputation as well.”
However, each of these concerns does have an answer, according to the researchers.
“For leasing-induced threats, it should come as no surprise that countermeasures focus on auditing mechanisms and, where possible, restoration of policy control to tenants,” they said. “For sharing-induced threats, technology issues are more prevalent but policy issues remain pervasive.”
Threats to infrastructure assembly can be addressed by allowing audits of software and hardware via remote attestation, the researchers said. This capability is already embedded in Trusted Platform Modules (TPMs).
The human infrastructure of a cloud provider can also be audited, with employees undergoing background checks. Also, insider malice or incompetence can be counteracted by limiting administrator access to tenant data or requiring administrative actions to be approved by multiple admins.
Threats of cost overruns can be addressed in several ways as well, according to the researchers.
“One way to address cost-overrun attacks is to allow tenants to set quotas to bound the rate at which an application or tenant can consume billable resources,” they said. “Another redress to tenants’ concerns of cost-overrun attacks is for cloud-providers to absorb the bulk of the resource costs incurred by attacks.”
Another concern of organizations moving to the cloud is how bankruptcy at the cloud provider would impact the organization's data. Cloud providers can address this concern by structuring tenant agreements differently or providing insurance contracts, the researchers said.
Cloud providers can also help to keep systems online in the event of malicious actions by one tenant by having a record of cooperation with law enforcement.
“A record of compliance with search warrants, providing law enforcement access to audit logs and data snapshots which can be obtained without disrupting tenants, will reduce the likelihood that law enforcement will attempt to take infrastructure offline,” the researchers said.
There are also security benefits of moving to the cloud, which are often overlooked during cloud security debates, according to the researchers.
“Staff in cloud hosting providers can become more specialized than their counterparts administering self-hosted infrastructure, allowing them to develop expertise that increases productivity while receiving lower per-employee training,” they said.
Cloud providers can also leverage the wide base of tenants and the relationships established with law enforcement to enhance security. Perhaps most importantly, many of the security services currently provided by managed solutions will eventually be provided by cloud providers, according to the researchers.
“Economics will likely drive cloud-infrastructure operators to provide many of the solutions offered by managed security solutions today,” they said.
In the end, cloud-hosting services are just as viable as self-hosting services and actually are able to take advantage of the economies of scale available to cloud providers.
“Achieving the benefits of cloud infrastructure by transferring infrastructure control to a third party needn’t necessarily result in a net loss of security,” the researchers said. “Security may also benefit from scale economies. Cloud providers can afford security measures with up-front costs that would be unaffordable in self-hosting environments.”