The recent Amazon EC2 outage and the Sony PlayStation Network data breach have served to renew concerns in enterprises that cloud computing is inherently less secure than private, self-contained data centers.
Amazon’s Elastic Compute Cloud and Elastic Block Storage platforms were both affected during an April 21 outage that had major Websites unavailable for three days. The cause of the outage remains unknown. Meanwhile, entertainment giant Sony shut down two of its cloud services, the PlayStation Network for games and Qriocity for music and video, on April 19 after “an external intrusion” that resulted in the theft of personal information belonging to 77 million customers.
The problems, while significant, are not unique to cloud services. Amazon’s outage focused a lot of attention on availability issues and reliability, but those concerns exist in traditional data center environments as well.
“It happened all the time,” Chris Drake, founder and CEO of Firehost, told eWEEK. People generally didn’t hear about outages in the data center because they affected only one organization and were smaller scale, but they often added up to far more lost time, money and business, Drake said.
The Amazon EC2 outage “pointed to the elephant in the living room that availability is a real issue,” Paul Roberts, a security evangelist at Kaspersky Lab, told eWEEK. Redundancy is critical, whether it’s having additional backups, having redundant servers in another location or creating a failover system with another cloud provider, Roberts said.
“In this age of customer uptime, we’ve forgotten that it used to happen all the time,” Roberts said.
For organizations that have moved security applications to the cloud, this kind of an outage may seem a little nerve-wracking. However, the severity of downtime affecting cloud-based security services depends entirely on how “paranoid” the organization is and on its tolerance for downtime, Roberts said.
The most common cloud-based security applications are Web and spam filtering, hosted email, malware scanning and hosted application firewalls. If any of these services were unavailable for a stretch of time, it would be inconvenient and leave the organization vulnerable, but it wouldn’t bring business to a standstill, according to Roberts.
“An outage of 36 hours wouldn’t stop attorneys at a law firm from being productive,” Roberts said.
Vigilance Is Everybodys Business
It would mean that employees would have to be more vigilant during the outage to not click on links, surf to only recognized sites and not open attachments. IT managers can decide to restrict certain activities to prevent any threats from entering the network, according to Roberts. “It’s a calculated risk,” he said.
As for Sony, recent events have shown that companies can be hacked and have sensitive customer data stolen even when the data was stored in corporate data centers. Epsilon, the email marketing firm that disclosed its data breach a month ago, has yet to say how many consumers were affected.
“The ultimate lesson here is that all businesses are vulnerable to hackers, regardless of size or industry,” Mandeep Khera, CMO at Cenzic, told eWEEK.
It’s not clear what went wrong at Sony, but information was stolen because there was a flaw somewhere in Sony’s environment. Cloud security is not inferior to data center security, according to Andres Kohn, vice president of technology and product management of Proofpoint.
Kohn addressed the commonly held belief that unimportant data and applications could be moved to the cloud while critical and sensitive applications remain in the corporate data center during his “Can Data Be More Secure in the Cloud?” talk on April 19 at the Infosecurity Europe conference in London. In general, data is actually more secure in the cloud, and there is no reason why enterprises shouldn’t store critical data in the cloud, Kohn said.
Enterprises, especially midsize ones, would be far more secure with a cloud provider with the resources to provide higher-level security expertise than they can otherwise afford themselves, according to Randy Abrams, director of technical education at ESET.
“There is no perfect security. If the net result of outsourcing your security is an improvement in security, then it is a good thing, but there is no perfect security, only risk management,” Abrams told eWEEK.
A security-conscious cloud provider would be continuously auditing and monitoring its environment, have higher levels of automation for repetitive tasks, strict access controls against malicious insiders, and more skilled technicians maintaining the network, Kohn said. There are some additional considerations, such as sifting through the logs for intrusions, closing any SQL injection or cross-site scripting flaws in Web applications, and regularly patching the environment to ensure all vulnerabilities are closed.
Cloud IT security is not intended to replace conventional in-house IT security, but it’s supposed to be “an addition,” Yevgeny Kaspersky, CEO of Kaspersky Lab said at Infosecurity Europe.