Why Are Some Cloud Vendors Acting As Security Bystanders?

End-users that want to leverage the many benefits of moving to the cloud must also understand the security controls deployed within their cloud providers to ensure they are not another corporate victim of cyber criminals. They need to comprehend the dedicated security devices that are defending their data, applications and unique architecture. For vendors in the cloud, they must step-up and help their customers to understand the benefits, dangers, pitfalls, of cloud security.

This is especially true for:

• Cloud brokers and Connectors:  Dell , Cisco Systems , Cloud Compare, and Cloud Sherpas
• Cloud Infrastructure Providers:  Alibaba Cloud Services, Amazon.com Web Services, Calligo, Microsoft Azure, Hewlett-Packard Helion, Rackspace Hosting , Oracle   and IBM Softlayer
• Private/Hybrid Cloud Consulting/Service Providers: Cognizant, Dell Services, HCL, Hewlett-Packard (service provider business), Infosys , Ingram Micro , and Tata Consulting Services (TCS).

Vendors in this space have both a challenge and an opportunity to do better and become thought leaders in intrusion prevention and preventative cyber security – most, unfortunately, are sitting on the sidelines, reacting to threats rather than being proactive.

Recent attacks within the U.S. Government personnel systems have brought to light how securing electronic devices, networks, proprietary data and information from incursions by hackers and spies is of paramount concern to organizations public or private.  This attack hits home as my classified personnel and background files may have been compromised.  The US Government attacks should have been prevented by limiting contractors direct access to data systems by foreign nationals - Argentina and China in this case.

Below are several factors cloud and applications vendors should consider when helping end-users move to the cloud:

1. Not all applications need to go to the cloud. When architecting a customer's cloud solution, it is important to understand where value resides based on each unique situation. Many companies have on premise client server applications that simply will not work in a cloud environment.  Large companies are much more hesitant to move mission critical, ERP or CRM solutions to the cloud because they believe it is too risky to let other organizations handle their business critical and personally identifiable information (PII). Based on major intrusions within enterprise IT organizations at large enterprises, including Home Depot , Target and Sony , this is becoming an even bigger issue. Smaller and mid-sized firms, however, appear to be more willing to turn to service providers because they cannot find (and in some cases can’t afford) top security talent to run their own IT organizations.
2. Bring Your Own Device (BYOD) and The Internet of Things (IoT) brings additional complexities.  BYOD and IoT have been forced on network administrators and they have struggled to stay on top. New architecture, provisioning, and especially security considerations have forced companies to invest heavily in network automation and provisioning tools. Considerable complexity and security vulnerabilities are causing companies to design their networks to accommodate "corporate" and "personal" modes each having separate data-access requirements.  Cloud providers can help their clients adapt to these new forces by using virtual machines, hypervisors or containers to manage access and relevant data apart from the corporate network.
3. The Cloud does not offer many of the same security features as on premise servers.  Because many cloud apps leverage virtualization, they do have the same advantages as on premise servers and systems.  Specifically, with hardware performance, location, encryption and entropy.  Because of this, many organizations are hesitant to move mission critical applications. They instead will move to a hybrid model of cloud workloads combined with on premise bare-metal servers to protect data and applications.  Cloud service providers should help their customer’s road-map multiple scenarios for a successful cloud migration from Pubic, Private, and Hybrid models.
4. Virtualization vs. Entropy. Virtualization makes it difficult to achieve entropy from an encryption perspective. Further, accidental key sharing amongst Virtual Machines (VM) templates makes it difficult to ensure encryption. Side-channel attacks have targeted many virtual machine environments and pose a threat to cloud environments. Side channel is an attack that creates data leaks that exposes memory and data caches within virtual machines. These leakages enable hackers to steal data and cryptographic keys.  Cloud providers need to ensure they are transparent with their security specs at all levels of the stack - from software, firewalls, user rights, and even physical security.
5. Be transparent about Service Level Agreements (SLAs). Network, Application, and Security guarantees are impossible to prove. BYOD and IoT are making it even harder to assure performance and security.  While SLAs have traditionally been a contract between a service provider and its customers, the expanding use of third parties to augment functionality and the emergence of cloud brokers has more complex relationships between providers. While it is impossible to prove guarantees, cloud providers need to establish performance metrics to ensure the highest availability and performance.  Finally, cloud providers need to manage service failure, remedies, and liability limitations.  Each of these pieces need to be integrated into the disaster recovery plan to determine how to react to unexpected incidents.

There is no doubt that cloud is driving business strategy and business value. However, there are many security concerns with cloud migration that need to be considered with both vendors and end-users. Big Data, IoT, and BYOD create opportunities for those looking to exploit security weaknesses so vendors wishing to capitalize on these opportunities need to consider multiple facets of security practices.

Vendors and brokers who choose to be cloud agnostic like; Alibaba Cloud Services, Dell Computers, Cisco Systems needs to put security up front and drive real value and thought leadership to its customers. Proprietary platforms and cloud providers like; Codero Inc., IBM Softlayer, Hewlett-Packard Helion, Oracle Corporation, and Microsoft Azure need to demonstrate that security is not just an afterthought and put security as the long pole in the tent. There is no doubt, criminals will find and exploit weakness in the future, but as cloud computing becomes more pervasive and integrated in our lives, companies will need to understand, plan, and respond to the inherent security risks at all levels.

Disclosure: Moor Insights & Strategy, like all research and analyst firms, provides or has provided research, analysis, advising, and/or consulting to many high-tech companies in the industry, including Cisco Systems, Hewlett-Packard, IBM, Microsoft, cited in this article. No employees at the firm hold any equity positions with any companies cited in this column.