360°IT Blog
Think the cloud's insecure? Think again...

Any mention of cloud computing quickly turns into a discussion on security. But recent, real-world achievements of cloud users and vendors show the cloud is actually raising the bar for industry best practice in application and data security.
After decades performing forensic and preventative IT security reviews within banking and government, it was already clear to me that the bulk of security breaches and data losses occur because of a weakness of internal controls. They're rarely driven by deliberate malfeasance, but rather by carelessness - errors of omission and mistakes arising from manual procedures in complex environments, where each application or server requires different treatment.
The complete automation by public cloud providers means the dynamic provision, use and re-purposing of a virtual server occurs continuously within encrypted sub-nets - unobserved by operations staff and without any of the manual interventions that might introduce unintended weaknesses. That's why solutions built on commodity infrastructure provided by the likes of Amazon Web Services have already achieved the highest standards of operational compliance and audit possible - for example in healthcare (HIPAA), credit cards (PCI DSS) and audit (SOX, SAS70).
Now enterprise customers such as EasyJet are showing that the application integration security benefits of Windows Azure, at the platform-as-a-service (PaaS) tier, have encouraged them to move critical pieces of their airline management systems onto the cloud.
Speaking at The Cloud Circle user forum in April, EasyJet Enterprise Architect Bert Craven remarked on their surprise to find that the cloud platform actually provided additional insulation for their web service integration interfaces, only requiring a one-way outbound connection through their internal firewall. The reduced security exposure, combined with the dynamic scaling and resilience of the PaaS environment, was the ‘game changer’ needed to migrate their flight departure control system to the cloud. As a key piece of their regulated operations as an airline, this is a significant milestone.
This benefit was also echoed by the RNLI presentation of their lifesaving new MOB Guardian service – initially used for fishing fleets in the UK but with the prospect of international adoption to protect sailors on other commercial and leisure craft.
Meanwhile, organisations such as the Cloud Security Alliance are bringing together users, vendors and consultants to formulate and share best practice. As CSA Executive Director Jim Reavis announced to a packed room of ITSEC experts in London last week, work is under way on cloud security controls and governance, metrics, interoperability standards and audit guidance, with individual accreditation for practitioners coming in the near future. Expect to see more high-profile cloud solutions as a result.
Richard Hall is founder of independent cloud computing consultancy CloudOrigin.
Tags: cloud computing, security, risk and compliance, governance, accreditation, PaaS, SaaS
The 360°IT Blog is part of the new 360°IT event, taking place on 22-23 September 2010, Earls Court, London.





