Security threats Toolkit

Security experts advise caution in the cloud

Tags:
Party,
Trust,
Third Party,
Experts

Tom Espiner ZDNet.co.uk

Published: 09 Dec 2008 16:44 GMT

Cloud-computing services are on the rise, but the security around them is not yet mature enough to trust, security experts have cautioned.

Identity-and-access control is one of the biggest factors in ensuring online services are secure, Adrian Seccombe, chief security officer with pharmaceutical company Eli Lilly, told ZDNet UK on Thursday. However, he was not convinced software-as-a-service (SaaS)-related online ID and access offerings had been in existence long enough for large customers to be able to trust them.

"You could use SaaS to enhance how you manage identity and authentication," Seccombe said, but added that "this is immature in most of the SaaS market".

In addition, Seccombe said the majority of cloud-based ERP (enterprise resource planning) services had insufficiently developed security models for him to recommend the use of those services.

Seccombe is a board member of the Jericho Forum, a group of corporate chief security officers who espouse 'deperimeterisation', or the putting in place of security regimes that allow the free flow of information. ZDNet UK spoke to Seccombe and other security experts at the CSO Interchange Forum in London last week.

Cloud computing in general and SaaS in particular present a challenge for companies, as they necessitate a complete change in security thinking, said analyst Jon Collins of Freeform Dynamics.

The trouble is that SaaS rides roughshod over basic principles of security

Jon Collins, Freeform Dynamics

"The trouble is that SaaS rides roughshod over basic principles of security," Collins said. "Traditionally, if you want to keep data safe you lock it away or keep it underground. Suddenly, you say I have to give it to a third party."

Companies planning to implement SaaS need to think about confidentiality, the integrity of the data and its availability, Collins added.

Confidentiality could be a potential problem for data-at-rest, or stored data, as IT professionals need to trust the security of the third-party storage. Interception of data-in-motion is a risk companies would also need to take into account.

"Is the information sufficiently encrypted as it passes over other people's servers?" he asked. "You, as a customer, have no idea where your data goes between the plug in the wall and the SaaS provider."

The integrity of the data as it passes over other people's systems also raises questions. "The fact that the information could be changed in some way is a risk," said Collins, who added that "the scary thing is the organisations that don't think about this stuff".

However, some of these security risks could also be mitigated by the use of SaaS. "It could be easier to lock down information if it's administered by a third party rather than in-house, if companies are worried about insider threats", Collins said.

In addition, it may be easier to enforce security via contracts with online services providers than via internal controls. "With a third-party company, you can architect it to say 'Encrypt here, decrypt here, only these people have access rights', as part of the contract," Collins said.

Philippe Courtot, chief executive of security SaaS company Qualys, agreed that contracts with third-party companies could help augment security.

"Technical issues become contractual issues," Courtot said. "You can secure data at the data level itself, so the data knows who can copy it and who can share it."

Courtot said there was a "clear trend" where companies in the EU and the US were turning to SaaS to cut costs in a time of economic gloom. "Essentially it's because of cost, with secondary drivers being ease of use, deployment and maintenance," said Courtot.