Challenges of Tomorrow’s Data Center: Securing the Cloud
Concerns about safeguarding data in the cloud are keeping some from deploying the model more aggressively. But are security concerns overstated? Smart Enterprise Exchange contributor Bob Violino recently spoke with Nils Puhlmann, co-founder of the Cloud Security Alliance (CSA), a community of more than 9,000 security professionals. Puhlmann is also Chief Security Officer at online game producer Zynga Inc.
Q. We hear so much about the lack of security with cloud computing models. Are some of those concerns unwarranted?
A: I think some of the worries are unfounded and there are too many generalizations. I like to take a step back and say [cloud services] are a new way to deliver computing — and that doesn’t make it bad. We have to understand that cloud computing is the first major shift around technology models that we’ve had in the last five to seven years, and there is always a wave of concerns following change. I don’t like to speak in generalizations. Companies that use the cloud will need to ensure that there is a lot of [data] transparency in order to do proper risk assessment.
Q. What are some of the myths regarding security and the cloud?
A: One myth is that private clouds are more secure than public clouds. I’ve been hearing this a lot in the past six months, and this is probably why some companies are looking to private clouds. There’s this notion that if you’re in control over the assets yourself, then they are more secure. I disagree with that. Just because you’re in control doesn’t mean the internal cloud is more secure than the external cloud. The level of security depends on what you’re doing and the type of data you’re processing in the cloud. Obviously, using the public cloud is very easy and fast to implement. We use it for some applications at Zynga.
Q. What are the biggest risks that technology executives need to guard against in public or private cloud computing?
A: One of the most critical risks is the lack of transparency. We’ve always had transparency in traditional IT environments because everyone in IT was reporting to the CIO; people knew who was working on what systems, and where all data was stored. With some cloud models, that’s much harder — and even impossible — to do. In virtual environments, the architecture and data storage are not as clearly identified as in physical operations. Security practitioners must understand what’s being done from a security standpoint and what controls are in place, so they can really do proper risk management. For example, there are certain threats that are unique to the cloud as outlined in CSA’s “Top Threats to Cloud Computing” document.
Q. How can companies take advantage of SaaS models and maintain strong safeguards?
A: The biggest advantage of software-as-a-service models is that you can utilize the security knowledge and expertise of the SaaS vendor. More vendors are looking to encrypt data by default, and they’re also supporting things like identity and access management in the cloud. Therefore, you can use many SaaS vendors and tie them into an enterprise-wide identity management system and maintain centralized control over who has access to what and at what time, or who has accessed something and when. It’s good to use the advantages SaaS provides and at the same time put a layer of protection in the middle. Zynga is always concerned about risk management and utilizing different security controls, depending on the computing model and what is technically feasible. We look at what controls are needed and how to deploy them.
Q. Can you offer any examples of organizations that chose not to use the cloud for particular applications because they were too business-critical?
A: I know companies in a few industry sectors that have chosen not to use public clouds because they need to protect regulated data. We’re still at a stage where public clouds have not been proven to be secure for certain types of regulated data. That will change over time. Some companies, such as banks and pharmaceuticals, have used the public cloud for rapid application development and for complex computing models, but not for production environments. However, every company today can find a cloud model that will prove to be very useful. That doesn’t mean you do everything in the cloud, however. I’d suggest that companies take a look at what they’re hoping to achieve and then consider which cloud model is best.
Q. Are there specific criteria to use when deciding which applications to host in the cloud?
A: I recommend doing a business needs assessment. There are some key advantages of the cloud. One is agility. It’s also easy to provision, it’s cheaper for the most part, and it’s faster to deploy for certain areas of the business, such as application development. A lot of SaaS providers have applications to solve certain unique problems, for example, in human resources and payroll processing. Also, it’s a matter of size. If you’re a small or medium business and can achieve something quickly and don’t have the knowledge and staff, the cloud might be a good way to gain a certain capability that you might not be able to achieve otherwise.
ASK THE EXPERT
Puhlmann is the CSO of Zynga Inc., the largest social game provider. At Zynga, Puhlmann is leading a converged security department, managing all security risks for the company and chairing the Security Risk Committee. Puhlmann is also the co-founder and a member of the board of the Cloud Security Alliance, a community of more than 9,000 security professionals that promotes the use of best practices for providing security assurance within cloud computing. It also offers education on secure cloud computing.