As cloud computing becomes the hot new market for IT vendors, observers have been quick to seize on the security risks of hosting data and applications outside the enterprise network.
That’s not surprising to Craig Balding.
“With any new technology, it’s easy for people to get excited about the risk,” he says. But Balding, a security practioner with a Fortune 500 company, blogger, and co-author of Maximum Security: A Hacker’s Guide to Protecting Your Internet Site and Network, believes there are also security benefits to cloud computing.
Most significant is the centralization of data, he says. “Large corporations have a problem with asset protection,” Balding says. That’s because there can be instances of the data in a number of places, including employee laptops.
“People with thick clients are bound to download files,” he says. And all too often, those thick-client laptops hold unencrypted data.
“If you combine cloud computing with thin clients,” which only hold small amounts of data in cache, there is less physical exposure to data leakage.
“I think the cloud providers have got an argument there,” Balding says.
Centralization means the potential for better monitoring, too. “I think you can do more sensitive monitoring (on a centralized data store),” Balding says. Whether the cloud provider will or not is another matter.
James Quin, research analyst with Info-Tech Research Group in London, Ont., agrees cloud computing offers some security advantages.
“The primary one is, you don’t have to do it yourself,” Quin says. Many companies, especially smaller ones, don’t have the wherewithal for a comprehensive security regimen. Who can afford 24-by-seven IT security staffing?
“(Cloud computing) offers security where you might not have had it before,” he says.
Quin says comparing how much inhouse security and what it costs for a company to the cloud model often reveals economies of scale for the provider model. “That definitely brings value,” he says.
Other security benefits of cloud computing stem from its virtualized nature, Balding says.
For example, logging often gets short shrift in terms of the data storage allotted to it. Cloud providers can automatically add as much memory as needed for standard or extended logging.
“It comes down to the on-demand nature of it, that elasticity of supply,” Balding says.
Another benefit to this dynamic scaling of computing and storage resources is felt in the incident response field, Balding says. A forensic server can be built online, costing next to nothing until it comes into use. And virtual machines can be easily cloned for offline analysis.
Many companies don’t have an inhouse incident response team, he notes. “Who’s going to do the incident response? The customer? The provider?”
Sloan says it’s important to get a service level agreement specifically regarding incident awareness and security responsiveness from the cloud provider.
Security vendors are re-architecting their products to reach inside the virtual machine, Balding says. Their long-term survival depends on watching developments in the cloud arena, he believes.
Since it’s easy to account for CPU cycles used when you’re paying for each one, the most efficient security software will have the advantage in the market, he says.
He also says that there’s an opportunity for new business models in cloud-specific security products and services.
“If someone really sat down and thought about it, there are huge opportunities for security,” he says.