Cloud computing promises many benefits, including reducing IT costs and downtime, while increasing storage and mobility. The cloud even provides a sort of insurance policy against a data breach: Cloud-based disaster recovery and business continuity solutions, for instance, can help organizations recover from a disruptive event.
But there are cloud computing security risks that come with these benefits, as well. Risk-based management approaches are common in most aspects of IT, and the cloud should be no different, said Eric Holmquist, managing director of enterprise risk management at Accume Partners.
"Co-tenancy is an issue, because we have to ask questions about 'where is my data, and how close is it to somebody else's?'" Holmquist said. "Data is harder to inventory, both physically and logically, because the fact is you've got data that could be in a lot of locations."
Holmquist was one of the speakers at the recent SearchCompliance.com/SearchSecurity.com virtual conference Cloud Security and Risk Management: Back to Basics. The conference was designed to provide attendees with best practices for developing a cloud security and risk management strategy.
Organizations -- or at least their IT departments -- are paying attention to cloud security risks: A survey of conference attendees found that 38% expected their spending on cloud security products to increase in the first half of 2013, with the majority (55%) of respondents reporting that this spending for cloud security and risk management products comes from the IT department's budget.
To improve return on cloud investment, organizations should consider reusing cloud data for other business applications, said Benjamin Woo, founder and managing director at Neuralytix Inc.
"The cloud offers great options to traditional backup and recovery," Woo said during his Disaster Recovery and Business Continuity in the Cloud presentation. "Rather than using a highly proprietary format, maybe you want to back up entire files and directories and folders into the cloud so that other applications can access [them] for other purposes."
The investments in cloud security will likely be money well spent. Because the very concept of virtualization is based on multi-tenant platform use, the cloud creates a need for new approaches to risk management, said Dave Shackleford, senior vice president of research and the chief technology officer at IANS, a Boston-based information security consultancy.
"[Cloud use] can be really difficult for intrusion detection because there is traffic in many cases that never leaves the platform," Shackleford said during his conference presentation, Preparing Your Network Security Controls for the Cloud.
"If you've got one virtual machine talking to another across a virtual switch, that data may not come out onto the physical virtual network. Your traditional sensors for intrusion detection and prevention don't work anymore," he said.
It sounds simple, but it's important to do your homework when choosing a cloud provider, Holmquist said. Any past data breaches, regulatory issues or legal problems should raise a red flag. A thorough review of cloud providers' controls documentation, such as SSAE16, is necessary as well.
"Assuming you can provide the suitable non-disclosures, they should be willing to provide those documents," Holmquist said. "In fact, if they are not, it should raise a concern."
Survey respondents provided a wide range of answers when asked about their biggest security priority or expenditure in the first half of 2013. Development of bring-your-own-device policies, regulatory compliance and overall data security all ranked high. The answers were similarly diverse when respondents were asked what their current biggest security pain-point was.
Woo suggested that organizations use cloud functions to offset some of these concerns.
"With mobile devices, there are a lot of opportunities for the mobile devices to simply be accessing data directly from the cloud, and not necessarily keeping it local," Woo said. "Keeping it local to the device could be a security risk."
When choosing a cloud provider, these security concerns and others unique to your organization need to be taken into consideration, Shackleford said. The services offered by cloud providers, and the security controls that come with them, are definitely not one-size-fits-all.
"It's important to remember that different cloud providers have different capabilities," Shackleford said. "You need to do your homework here, and understand exactly what they'll offer you."