There's a lot of fear, uncertainty, and doubt around cloud security. According to the 2012 Cisco Global Cloud Networking Survey, 72 percent of IT professionals cite data protection security as a major obstacle to cloud deployments.
According to Gartner, a leading IT analyst firm, less than 1 percent of enterprise email deployments in 2008 were cloud based, but by 2020, 50 percent are expected to be. It'd be a shame if misconceptions and sloppy thinking slow this down. Little differs between cloud and traditional applications:
• Resource outsourcing. At least some computing resources are controlled by someone else, and those resources live somewhere else. Infrastructure, operations, and physical security are a concern.
• Multi-tenancy. While not a strict prerequisite for the cloud by most people's definition, it's still one of the things that makes many cloud deployments special.
• Scale. Because cloud applications often host many tenants, they sometimes scale far beyond what traditional applications require in terms of data and request rates, depending on the technologies under the hood.
The first two have obvious security implications. In fact, multi-tenancy is widely cited as a big security concern: people are afraid the boundaries between application and data might break down and lead to a breach in confidentiality or integrity.
With outsourcing, the primary difference in the cloud model is that most customers don't control the key resources they might if they were hosting the application themselves. But all the same security approaches we've been developing for decades apply here. For instance, we can make sure the right controls are in place for reducing attack surface, ensuring adequate authentication and authorization, and detecting and responding to breaches.
If cloud customers want to understand the security posture of the applications they're using, they must rely on their cloud vendor to provide visibility into its controls and practices. Many vendors are starting to provide that transparency by publishing controls to their customers, but this varies on a case-by-case basis.
As for multi-tenancy, probably the biggest technical problem centers on data security—data needs to be as secure as possible while still being easy to use and access. The obvious answer to this problem is encryption, but this presents a few practical challenges.
How do we perform effective key management? Do we escrow keys in the cloud, even if they're encrypted? If so, that just moves the problem without solving it. The cloud trend seems to be toward two-factor authentication with passwords and mobile phones. But there's still a disappointing lack of pervasive, strong authentication.
How can we encrypt data while still keeping it usable? For example, an important requirement for email archiving solutions is search. Using traditional encryption, data must be decrypted before it can be searched. Many customers won't want the keys kept server side alongside the application. And in reality, performance needs could result in caching significant data in memory, unencrypted. Another alternative is to ship the encrypted data to the customer for decryption and search, which is a huge bandwidth and latency issue.
Both academics and industry have been working on server-side private search, in which search can be performed without decrypting the data. This comes with some missing functionality (such as efficient wildcard search), but this technical challenge is largely solved.
It doesn't make sense to compare cloud security to noncloud security, especially from a technical perspective. The bottom line is that we can only make valid comparisons for a specific cloud and a specific noncloud deployment. The answer to all cloud security and resilience questions ends up being "it depends"—based on the relative qualities of physical security, workforce security, infrastructure security, and application security.