Getting Cloud security right

While most service providers have started to realise the enormous potential of the cloud services market, many must overcome the hurdle of allaying customers’ security concerns.

Whether it is fears over data protection, access control, data integrity or authentication, many customers harbour degrees of trepidation and confusion when it comes to Cloud security.

Security, a leading barrier to Cloud Computing adoption

A recent study carried out by Harris Interactive of 200 IT leaders at large enterprises found that security is viewed as a leading barrier to cloud computing adoption, and that 91 percent of those surveyed are concerned about security issues in the public cloud. Additionally, 50 percent of respondents cited security as the primary barrier to adoption. The majority of them believed that public Cloud Computing adoption will occur alongside of company-owned data centres, with public Cloud being used as current IT platforms are replaced. While acknowledging the huge growth opportunity for service providers, it also highlights the huge need to help their customers feel secure about adopting the Cloud.

So, what can service providers do to allay these concerns and accelerate customer adoption of cloud-based services? Well, quite a bit as it turns out. It’s up to the service provider to build platforms that meet the specific needs of individual industries and create flexible infrastructures that allow policy-based customisation. Putting these structures in place will help make organisations feel more at ease about conducting business— and moving parts of their most critical data—to the Cloud.

How to overcome barriers to adoption – Facing the issues

In order to alleviate the security concerns that are either deterring customers away from Cloud Computing or causing hesitancy, service providers need to tackle the following issues:

Multitenancy: There will always be a concern about security breaches when many different companies are sharing the same physical resources. The fear is that other ‘tenants’ of the shared infrastructure would be able to access confidential data belonging to fellow tenants. Application workloads, based on priority and purpose, must be carefully separated on a tenant-by-tenant basis with strong security measures put in place to ensure privacy and data protection.

Authentication and access control: The key takeaway here is for service providers to work closely with their customers to establish access controls based on each of their specific business policies and procedures. Access controls and authorisation must be set according to user type, job function and the type of service or application being accessed, as well as on other considerations determined by the customer. The service provider's goal should be to open up access control and federate information in a joint control model.

Providers who can create a strategy for a secure, single sign-on capability – a personal digital identity (PDI) that moves with the user from device to device – will be offering their customers some serious value add. This level of identity management makes it much easier to access data securely. When customers enter the service provider customer portal, they are able to log into all applications and services for which they are authorised with a single logon from any authorised device.

Protection and trust: The requirements for a trusted computing environment are compliance, governance and risk management, availability, integrity and confidentiality. All cloud-resident, customer data needs to be available or recoverable regardless of where it resides, be it internal (private) or external (service provider delivered). Data encryption at two levels must be supported to ensure that data is protected 'in flight' and 'at rest'. It falls on the providers to inform their customers what levels and types of protection are available and at what cost, in terms of performance.

Pre-building secure, industry-focused platforms

 Security and compliance issues affect nearly ever customer, whether mandated by government, industry, or their own corporate policies. But certain industries may have more urgent security requirements, such as financial services companies, and therefore warrant industry-specific frameworks to address their business demands. Service providers need to be familiar with their customers' industry segments well enough to understand applicable regulatory requirements and to advise clients on how best to comply if necessary.

Here are a few examples of the types of issues across different industries:

In the healthcare industry, compliance with government-mandated regulations is critical. Electronic health records must be secure to prevent privacy violations. It is imperative work management platforms for medical imaging—connecting radiologists to hospitals to drive increased efficiencies and cost reductions—are protected from unauthorised access.
The financial services and retail sectors are likewise not immune to the call for stronger protection rules. Merchants and bank card issuers must keep customer payment card data and any information that can be used to uniquely identify, contact, or locate a single person secure.
Media companies have an altogether different concern around IP rights and data loss prevention, given the need to ensure that information related to talent, scripts, music, actors and digital media are managed according to rights usage and are safe from hackers, unauthorised distribution, and industrial espionage.

Enabling customer governance policies  Although providers don't set policy, they should advise their customers on the use of cloud services to address the needs of the business, industry segment, or end user. By providing an easily customisable platform that reflects the customer's business policies and the regulatory mandates of the industry segment in which the customer operates, service providers can differentiate their offerings.

The key to success As service providers address these barriers to adoption for targeted industries and implement customised solutions, they'll open the door to new revenue opportunities and quickly gain share in the fast-growing Cloud services market. Differentiating their services is paramount through strategic and practical advice and providing an industry-optimised, secure cloud offering. That will be the critical success factor separating the service providers who merely survive from those who will thrive in the increasingly competitive Cloud market.

Sandra Hamilton is EMC Consulting regional Vice president