360°IT Blog
Hey! You! Get off my cloud

I have long argued public cloud providers have set a new benchmark for IT security which in-house IT and traditional managed service providers will struggle to meet. But that's not to say there will be no new operational risks and challenges for consumers and providers of cloud services. Working with Andy Hodgson and Emma Webb-Hobson of QinetiQ recently, we realised we could learn from other, more traditional 'utility' models - in order to identify vulnerabilities and protect ourselves against them.
Electricity, phone and cable TV providers have long known that unauthorised 'tapping' into their wired networks (or cloned phones on mobile systems) gives some people a free ride at their neighbour's or the network's expense. So far this has not been a significant threat to most corporate IT servers, although trojans and peer-to-peer file-sharing applications have often stolen processing and storage resources by infecting desktop systems.
Corporate access to cloud provision, often with monthly billing in arrears, presents a new challenge: how to ensure no one is launching virtual servers, running up bills or performing potentially illicit activities in a client's name (and on their bill). The very ease of online access to cloud facilities - which providers pride themselves on - could give rise to large liabilities if massive processing and storage power is acquired fraudulently for weeks on end before the next bill arrives.
Relying on simple usernames and passwords (often administered via a single email identity) is not sufficient protection when it comes to authorising the use of these facilities, and organisations should move to multi-factor authentication. Implementing pre-defined limits and real-time alerts for cloud consumption is also a great idea we can borrow from mobile phone operators - and already some SaaS vendors and managed service IaaS providers are adding these facilities to their billing platforms.
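A sketch of the pre-defined limits and real-time alerts suggested above, as an added example that is not from the original post or from any provider's billing platform. The account names, limits, hourly costs and the 50/80/100% thresholds are constructed assumptions.

```python
class ConsumptionMonitor:
    """Running spend per account, checked against a pre-defined limit."""

    def __init__(self, limits, thresholds=(50, 80, 100)):
        self.limits = limits          # account -> spend cap for the billing period
        self.thresholds = thresholds  # percentages of the cap that raise an alert
        self.spent = {}               # account -> spend so far this period
        self.fired = {}               # account -> thresholds already alerted on

    def record(self, hour, account, cost):
        """Add one usage record and return the alerts it triggers."""
        if account not in self.limits:
            # Usage on an account nobody set a limit for is itself a finding.
            return [(hour, account, "no-limit-defined", cost)]
        total = self.spent.get(account, 0.0) + cost
        self.spent[account] = total
        fired = self.fired.setdefault(account, set())
        alerts = []
        for pct in self.thresholds:
            # Alert once per threshold, at the record that crosses it.
            if total * 100 >= pct * self.limits[account] and pct not in fired:
                fired.add(pct)
                alerts.append((hour, account, f"{pct}%-of-limit", round(total, 2)))
        return alerts


def run(records, limits):
    """Feed usage records through the monitor as they arrive."""
    monitor = ConsumptionMonitor(limits)
    alerts = []
    for hour, account, cost in records:
        alerts.extend(monitor.record(hour, account, cost))
    return alerts


# Constructed sample: (hour into billing period, account, cost of that hour).
SAMPLE_LIMITS = {"web-team": 100.0, "finance": 50.0}
SAMPLE_RECORDS = (
    [(h, "web-team", 0.5) for h in range(48)]           # normal use: 24.0 in two days
    + [(h, "finance", 0.2) for h in range(48)]          # stays far below its cap
    + [(h, "web-team", 12.0) for h in range(48, 56)]    # burst of unexpected servers
    + [(50, "unknown-acct", 3.0)]                       # account with no limit set
)

if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS, SAMPLE_LIMITS):
        print(alert)
```

On this sample the first alert fires at hour 50, two hours into the burst, rather than when the bill arrives at the end of the period.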
To quote those well-known IT strategy experts the Rolling Stones, shouting 'Hey! You! Get off my cloud' is the last resort. In an ideal world, we would keep our corporate clouds as very private, gated communities - with no surprising bills at the end of our stay.
Richard Hall is founder of independent cloud computing consultancy CloudOrigin.
Tags:
cloud computing security, SaaS, IaaS, utility computing, authentication, cloud-jacking, cloud surfing
The 360°IT Blog is part of the new 360°IT event, taking place on 22-23 September 2010, Earls Court, London. Tackling the business issues that drive the implementation of IT infrastructure, register now for free entry to 360°IT





