Monday 4 November 2013

PRISM: NSA spying was a wake-up call that may strengthen cloud security

V3's Dan Robinson
The fallout from the scandal surrounding the US National Security Agency (NSA) internet surveillance programme was still dragging on when cloud and virtualisation specialist VMware announced an expansion of its vCloud Hybrid Service during its VMworld conference in Barcelona.
While VMware has a large presence inside corporate data centres, the firm is currently playing catch-up with rivals in the public cloud arena, especially Amazon Web Services. With the vCloud Hybrid Service, the firm is seeking to build out a public cloud infrastructure-as-a-service (IaaS) presence based on its vSphere platform by working with partners.
The UK is one of the first territories outside the US to get access to this service, which is currently operating in beta out of a third-party partner data centre in Slough, with full availability coming next year.
Among the areas VMware was keen to address are the security and privacy concerns of European customers, which have been heightened by the ongoing revelations regarding the sheer scale of the internet spying operation that the NSA has been carrying out.
However, concerns about US government snooping should have already been on the radar for businesses. A couple of years ago, V3's Cloud Summit raised the issue of the Patriot Act, which allows US authorities to request access to any data held by American firms – even if that data belongs to European customers and is stored in a data centre in Europe.
So we can be thankful that the NSA scandal has raised the profile of data security, which may actually make companies think more carefully about where they keep their data and how they protect it.
This is a big issue with public cloud services, since you are effectively entrusting your data to a third party, whether you are just using the cloud for storage or operating virtual machines in the cloud to process information.
Experts were already questioning whether UK and European businesses should avoid using cloud services operated by US companies, but this is easier said than done; many firms that appear to be native turn out to be subsidiaries of US operations, or could easily end up being acquired by a US company in future.
The end result of all this could be a chilling effect on the uptake of cloud services outside the US, with customers unsure of whom to trust. This would be a shame, since the cloud holds out the promise of a more cost-effective and flexible approach to IT provisioning, with customers paying only for the IT resources they require to meet their immediate needs, but able to turn on additional resources if and when they need them.
Solutions to this problem are available, but perhaps are not being employed as widely as they could be. The first is full encryption of data stored anywhere in the cloud, as well as the use of an encrypted link such as a VPN between your company network and any cloud service you make use of.
Amazon, for example, offers a feature called CloudHSM that gives customers the ability to securely manage their own encryption keys for data on its cloud, although this only applies to users of its Virtual Private Cloud (Amazon VPC) service, which is isolated from the rest of AWS.
The second is the careful use of policies to ensure that really sensitive data stays safely on your own network. Information such as financial data may be just too risky to entrust to anyone outside the company, and so some on-premise IT infrastructure is likely to be required by most firms for some time to come.
