Is your cloud provider secure?

TechSec panelists urge due diligence but say risk still resides with the customer
 - 
Wednesday, February 15, 2012

DELRAY BEACH, Fla.—Security companies questioning the safety of moving their data to the cloud can greatly reduce the risks by doing their homework about service providers and “practicing what they preach” about encrypting, a panel of experts told attendees Feb. 8 at the eighth annual TechSec conference.

Chris Peckham, senior VP and chief technology officer for Kratos/HBE, moderated the session, titled “Is Your Cloud Provider Secure?” Panelists were Morgan Hertel, VP and general manager for Mace CS; Brian McIlravey, co-CEO of PPM 2000, a manufacturer of incident reporting and investigation management software; and Yong-Gon Chon, VP and chief technology officer for SecureInfo Corp., a provider of cybersecurity services.

McIlravey said there was a lot of distrust in the security industry about the cloud, much of it unfounded.

“The security is far greater than open data systems,” he said. “The enterprise-class cloud is very secure. Third parties that hold data take it very seriously—we don’t want it accessed any more than you do.”

The three panelists said that anyone moving data to the cloud should ask their provider for certification and make sure they know what is covered in the service-level agreement, or SLA.

 “You need to know what your provider is going to do for you and what you do on your own,” Chon said. “Know what your responsibilities are and what your cloud provider’s responsibilities are. If something goes wrong and my provider is not responsible, shame on me for not knowing.”

McIlravey agreed, saying the same scrutiny of cloud providers should occur internally in the company that is moving data off-site.

“The cloud provider must have certification, but you should be asking the same questions of your IT group,” he said, referring to data access and security.

At Mace, Hertel said that every year the company goes through “the same process, the same testing for our local server as we do with the cloud—logs, controls have to documented. [The cloud] should be no different than if the server was in your closet down the hallway.”

That internal scrutiny should also extend to classifying the data that goes to a third-party site, Chon said.

“You need to differentiate between types of information, which is often overlooked when people move out to the cloud,” he said. “(Companies) need to practice what they preach when it comes to encrypting and protecting. It comes down to classifying the information and practicing that well.”

Chon said the reality is that “you can’t transfer your risk to a cloud provider; it’s still yours. You have to look at it as ‘my body is my temple’—what I put into it is what I get out of it. Ultimately, the risk still resides with you.”

Regardless of industry concerns about the cloud, Hertel said it is here to stay largely because of the savings it can provide.

“When you look at the cost to deploy large-scale enterprise systems compared to the cloud, you can’t not look at it,” he said. “For a few dollars a month, you can avoid investing a half-million in infrastructure. It’s not for everybody, but if you look at the cost to deploy versus using the cloud, it’s almost the only way for some people to go.”