Trust in the cloud

Cloud computing keyboard button

Nothing is ever 100 per cent secure. Now that we've got that piece of truth out of the way, we can focus on how businesses can make their infrastructure, applications and services ultimately, their data as secure as possible.

There has been much debate as to just how secure the cloud is. For many organisations, it ranks as the number one concern when thinking about moving all or even part of their business off premise.

Indeed, a Cloud Industry Forum (CIF) survey published in early 2012 found that almost two-thirds (62 per cent) of respondents were being held back from embracing the cloud by security concerns.

Misplaced concern?

Such genuine fear for the safety of their most precious assets in the cloud is absolutely understandable, but at the same time it's also largely unnecessary.

The cloud story has moved on from the early days. As with any technology or delivery model, the embryonic stages bring fear, uncertainty and doubt. It's not until early adopters have done their thing and experience some pain that the majority feel comfortable to make a move in the same direction.

The same is true of cloud, according to Martin Borrett, director of the IBM Institute for Advanced Security in Europe. He believes times have most certainly changed when it comes to cloud security and associated fears.

"Three or four years ago I would have agreed that security is the big issue for those migrating to cloud. I wonder whether we'd get that answer if we polled people today though. I don't think security is the biggest concern anymore it has given way to concerns around availability, performance, SLAs and other non functional aspects," he said.

"In recent times, organisations have become more focused on cyber security and that has become one of the top-of-mind issues for clients. This shift away from cloud security concerns is partly due to the natural maturity cycle we have experienced with other technologies in the past. Transformational technologies such as cloud come along and, over time, we overcome the security concerns, develop new solutions and mitigations and adoption grows and becomes widespread."

He added: "Cloud was one of these newer technological paradigms that led to lots of questions and for a time that did lead to many concerns. However, slowly, trust and confidence has been built and we have improved visibility into the key issues.

graphic of clouds made out of padlocks

Security landscape has changed

Borrett is definitely well placed to talk with authority on this matter. He oversees an international team of IBM experts all dedicated to moving the security story forward, addressing fears and offering advice and guidance.

The IBM Institute for Advanced Security first opened its doors in March 2011. Its main focus is to make cyber space a safer and more trusted environment in which businesses can trade and grow with maximum benefit and minimum exposure to risk.

"Our European clients rely upon vast amounts of information stored on distributed computer systems and openly shared across public and private networks - yet they are struggling to effectively secure this critical information," Borrett said when the institute launched.

"The Institute for Advanced Security will link these organisations with IBM's broad array of security scientists, researchers and experts to help them understand the complex issues associated with addressing their cyber security challenges."

The benefits

Once businesses understand that, in reality, the security that many cloud providers can offer is better than the levels of protection they could offer themselves, the conversation starts to move away from the down sides to the many plus points.

Businesses benefit from economies of scale across the board and access to a wider pool of knowledge, assets and dedicated computing resources way beyond the capabilities they could ever hope to offer in-house as IT budgets stagnate and the demand to do more with less increases. In addition to benefiting from the infrastructure and associated security and support of a cloud vendor, organisations can turn their attention to day-to-day business and adding value to their bottom line.

There's also an added bonus, according to Borrett. By asking sensible questions prior to adopting cloud, businesses can get a better handle on their existing assets and improve governance across the board.

"Previously many users were procuring cloud services off their own backs. This has forced organisations to improve the governance around the way they procure," he said.

"It's all about the application and its data. You need to understand much better who is using it and what for. Looking at procedures and governance in this way doesn't just improve cloud security, it improves capability across the organisation as they have improve their asset register."

Borrett added: "I do try to make clients feel confident they can adopt cloud securely and safely. If they follow a pragmatic approach, ask some of the key questions and follow sensible steps they can do that."

Although he adds that cloud won't be appropriate for every industry or every type of application, and that businesses must understand this from the off.

"It starts with the workload. What is it you want to do? You also need to understanding there is a spectrum of cloud environments, it's not one size fits all. Can that environment provide the level of security you need for this application? If not can you augment it or look at anther provider?" Borrett said.

"The basic principles of security still apply. You can still apply the CIA of security - confidentiality, integrity and availability. Those tried and tested principles still hold true... Cloud is an evolution of many things we've seen over time. In a way, it's just an evolution of outsourcing and hosting but with some additional characteristics around elasticity and flexibility, being able to scale up rapidly and scale down, move workloads to different providers, standardisation of services and so on. Therefore if you apply those first principles you will be on solid ground."

Security is at the core of everything IBM does. At the end of 2013, its researchers patented a technique to help protect sensitive information before moving it to the cloud. By removing any remaining security barriers, it is hoped US Patent #8,539,597: Securing sensitive data for cloud computing will help alleviate fears and boost cloud adoption.

"Patents like this help to solve real-world security challenges that are inhibiting cloud computing growth," said Josyula Rao, IBM's director of security research in October when the patent award was announced. "IBM's investment in research and development is producing innovations that will advance the company's cloud computing and security leadership."

Add to that IBM's status as a cloud giant (cloud revenue grew by 80 per cent in 2012 and it expects to generate $7 billion a year from cloud by the end of 2015) and the capabilities it gained as a result of the SoftLayer acquisition last year, and the company is uniquely positioned to feed organisations' hunger for cloud computing and alleviate associated security fears.

In the wake of the NSA's PRISM monitoring programme which has arguably at the very least dented cloud's credibility with many IBM opted to be transparent about exactly how it treats customer data.

In an open letter, Robert Weber, IBM's General Counsel and senior vice president of legal and regulatory affairs, sought to answers many questions and set the record straight about what has happened and what will happen going forward.

"For decades, clients around the world have trusted IBM with their data. We believe we have earned that trust," the letter (published here) stated.

"Technology often challenges us as a society. This is one instance in which both business and government must respond. Data is the next great natural resource, with the potential to improve lives and transform institutions for the better. However, establishing and maintaining the public's trust in new technologies is essential. IBM is committed to being a responsible participant in this discussion and a strong advocate for our clients."

On the horizon

Cloud is a destination and the journey to get there for some will be smoother than for others. It's essential to plan properly before setting out and make sure you stick to roads that are well travelled rather than venturing into completely unknown and potentially unsafe territory. Furthermore, it's also important to ask for directions if you need to there's absolutely no shame in asking for help.

"I think cloud, and mobile for that matter gives us tremendous opportunities to do security better and to bake it in," Borrett said.

"I think in five to 10 years we will just take it for granted. The way things are tracking and progressing, security will just be baked into the system in the same way that we see airbags in cars. That safety part will just be there."

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.