Forrester Analyst: Don't Fear the Cloud, Prepare for It
A distinct message about cloud services emerged from a keynote panel discussion held at Forrester's Security Forum 2010: Don't fear them.
During the panel, hosts Chenxi Wang of Forrester, Eran Feigenbaum, Google Apps director of security, and Archie Reed, HP cloud security chief technologist found that despite security concerns, businesses are using cloud services more and more.
The Cambridge, Mass., firm compiled findings from the panel discussion and recent surveys into a new report, "Q&A: Demystifying Cloud Security."
According to the report, IT decision makers and influencers say cloud services are a critical or high priority, with 49% of North American companies and 45% of European companies making them a priority over the next year.
In another key finding, security professionals don't have the power to block the use of "empowered" technologies such as cloud, mobile and social, the report said. Out of 85 surveyed security professionals, only 12 said they had veto power over empowered technologies and just 28 said their company did not use a form of cloud computing.
"Since business and IT leaders are moving full steam ahead with cloud services, and since you no longer have the power to stop them, it's probably best to stop dwelling on cloud security and to start preparing for the move to the cloud," Wang said.
One common concern companies have about cloud services, Forrester researchers said they found, is that maintaining identity and access control with multiple cloud providers is a challenge. Another fear is that cloud services do not keep data secure across all of its stages: in flight, at rest, in use and at disposition.
"What we need are services capable of secure life-cycle management of data, from the data's first appearance in the cloud infrastructure to its permanent erasure," Wang said. "The cloud industry, as a whole, is still not at that level of maturity."
While these concerns are valid, Forrester researchers said, a move to the cloud could mean a security improvement in comparison to a business's internal capabilities.
Choosing the right provider is key, and Forrester recommends businesses look for four characteristics when selecting a service: a homogenous IT environment, industry certifications to prove its security strength, advanced threat intelligence and management capabilities, and a highly qualified security staff.
"Cloud computing in itself doesn't necessarily lead to more or less security," Wang said. "You need to evaluate the security maturity of the cloud provider, just as you would in a traditional outsourcing scenario."
It's critical for businesses to determine their security and risk requirements and assess a provider to see if it's a match before adoption takes place, researchers said.
Forrester suggested three areas to consider. First, the type of cloud service that will best suit the business' needs. Types of cloud services include software-as-a-service, infrastructure-as-a-service and platform-as-a-service, each of which gives users a different level of control. Second, companies should consider how critical their data are. Stricter security is required for data that are regulated or highly sensitive, for example. And third, they should think about where the service is located. If the servers hosting a business's data are in a region with restrictive privacy laws, data movement restriction could be at stake.
"It's ultimately incumbent on security and risk professionals, together with their counterparts in sourcing and vendor management, to assess each cloud provider against a list of security, compliance, privacy and other legal and contractual requirements," Wang said.
Forrester researchers also list a few cloud options, which tie into a prominent cloud trend among businesses-carefully choosing the right type of cloud to suit their needs.
One cloud option for businesses is to build their own private cloud, which gives them the most control but requires an initial investment. Another option is to ask a provider to build a private cloud for them, which offers less control but the advantage of lower ongoing administrative and operational costs. A third option is a community cloud, which involves building or hosting a cloud with other entities or companies that have needs similar to theirs.
"People are investigating options across public, private, and hosted clouds to balance their functional, security, and cost requirements," Wang said.
The report also addresses the issue of whether a set of security-related standards are in the works for cloud services. Researchers say more than 78 industry groups claim to be working on cloud security standards.
Out of these groups, Forrester gives the most credit to Cloud Security Alliance because it takes a "holistic view of cloud security" and has the highest number of participating users and cloud vendors.
However, Forrester researchers believe there is no single solution for setting cloud security standards. Said Wang, "It's impossible to define one all-encompassing standard that will apply to different types of clouds."