How secure is cloud computing? And does it matter if a company outsources to more than one cloud provider?
CIOs have been asking these kinds of questions for months as they attempt to clean up their data centers by outsourcing some applications and virtualizing others. Forbes caught up with Art Coviello, president of RSA, the security division of EMC, to broach some of their concerns.
Forbes: What do companies need to consider when looking at clouds?
Art Coviello: Clouds could serve a division of a company or an individual application. But each one has to be looked at from a security perspective. And you have to look at compounding of risk if you have multiple clouds.
How many points of entry into a company's data are considered acceptable?
There's not even a rule of thumb on that, and that's a big part of the problem. That's why consolidation of data centers and virtualization of applications and servers are such good opportunities for companies to get more focus and control. The cost incentive is one element, but there's a big security element, as well.
As companies do regain control and outsource, doesn't that add new risk?
You have to think of that in the context of how firewalled off the application is from the rest of the environment, both literally and figuratively, and the security around access of the data and how generally available it is.
So the risk is multiple ways into the company and the security around the data?
Yes, or somehow infecting the data source, which then gets drawn into other applications.
Where do you start in cleaning up a data center? Do you start with the data or the security?
It always starts with the business requirement. That translates into an information infrastructure requirement, which includes the application and the data. Once you have that determined and once you've figured out the most efficient course, then you make sure you design the security commensurate with that. It's not like you do the project and add the security, though. This is an iterative process. You have security on the agenda all the way through. But it should never be the tail that wags the dog.
How secure are clouds?
If you're a systems integrator or a telco or a Google or Amazon that is offering some element of cloud services, you can bet that security and risk of loss of reputation will be high on the stack. That's one of the single biggest elements in cloud services. Now having said that, a large company has the wherewithal to make that evaluation and it's incumbent on them to make sure that security is in there.
Is there less risk in outsourcing than if a company does everything itself?
Most infrastructures are going to be outsourced because of the economies of scale, and that's less from a security standpoint than from an economic standpoint. This whole concept of utility computing and having an information infrastructure available at the flick of a switch is the future. The other aspect of all this is just how complex infrastructures have become. Within my industry the number of security controls that need a management platform to correlate all the risk and incidents is huge. It's much better to do it in a cloud.
Does virtualization add more risk because data is being moved around?
No, it's just the opposite, especially as it relates to the virtual desktop infrastructure. It's much easier to upgrade security controls and keep track of resources as they traverse a virtual machine. The security can be integrated into a virtual environment far better than a physical environment.
Because most physical environments were built without security embedded into them. You need data loss prevention, security information and management, access control and authentication, which are being built into virtual environments.
Is there a greater risk in the process of getting all of this done?
The risk has always been there. Most companies have done a spectacularly bad job of understanding and assessing the risk. The more you automate the controls and build security into the infrastructure, the more time it gives you to evaluate the risk from hackers. If you spend all your time reacting to incidents you don't have time to think about threats. A big part of security going forward is being able to focus on content. That's a big part of these new security technologies like data loss prevention and risk-based authentication and others. They give you a level of automation and dynamism that frees you up to think about it. If you can build those kinds of capabilities into a virtual environment, it's even easier.
The majority of security breaches start inside. Do virtualization or cloud computing affect that?
You've raised a good point about the sophistication of attacks. The historical perimeter defenses can't keep people out. You have to make the assumption that the bad guys, or the malware they develop, will find their way inside your environment. That's why you need security embedded to be able to react in real time to circumstances, and you have management that can be responsive as fast as possible. That's the way all of this is trending. Cloud and virtualization will become enablers for new technologies that are content- and behavior-based.
In five years, do you foresee breaches to be at the same level?
I think we're going to have a much better handle on security in five years. There used to be a tremendous number of bank robberies. We got more sophisticated about protecting banks, starting with the amount of cash tellers have, and then we added some sophisticated techniques for tracking robbers and better law enforcement. That said, we still have bank robberies. We'll never eliminate crime completely but we will get to a point where it's reasonably under control. It can be a lot better and more cost effective.
Some companies abide by compliance standards for security. Is that enough?
Our advice is that if we get a company to compliance it's not as secure as they need to be. If you have good governance practices and a good assessment of risk and the ability to mitigate that risk, then compliance should be a by-product. If you use just the compliance framework then you will end up with a problem. But the number of small businesses today just cannot keep up with the level of threats.
If you add more than one service provider for cloud services does risk increase?
You add to the complexity, but you can't blame companies because they can't get everything they need from one provider. Then it becomes incumbent on the companies to manage the risk from the multiple providers, but even that can be more efficient than doing it yourself.