- Poison in the Well: APTs threaten basic Internet trustworthiness
- Head for the cloud (services), but look for open standards to avoid vendor lock-in
Network-centric cloud services are emerging as the new computing paradigm for performance-hungry, cost-conscious business customers. Recent surveys show that businesses are looking at the full span of private, hybrid and public cloud services in their adoption plans. Yet, most IT security professionals express serious and legitimate concerns about the security of cloud services, as well as how cloud adoption can adhere to corporate governance, risk and compliance (GRC) policies. IT security professionals are also increasingly alarmed by advanced persistent threats (APTs) that are undermining the very structure of the public Internet.
The publicity around APTs casts doubt on the ability of Fortune 500 companies and government agencies to secure their networks against a rising tide of well-funded hackers, some sponsored by nation states or organized crime gangs, perpetrating large-scale malware attacks, stealing seed certificates from authentication providers, launching DDoS attacks on Internet DNS sites, etc. Certainly, if governments covertly condone the subversion of the very basic functions of the public Internet, then enterprises will have to start thinking about building their own communities.
Can cloud-based solutions actually improve network security in the face of fundamental security flaws in the Internet, flaws which Internet governing bodies seem unable to fix? Given the immaturity of cloud architectures, the best answer we can get is: Maybe.
As cloud architectures solidify and early adopters report on cloud performance, interesting security observations have emerged that are restructuring the relationship between telcos and IT service providers. As is the case with any early phase in a new paradigm, all potential providers want to supply as much of the total deliverable as possible; however, competition and pricing pressures force major players to concentrate on what they do best.
Right now, this means telcos are focusing more attention on ‘cloud-agnostic access orchestration,’ providing user-friendly, secure, flexible access to the wide variety of cloud environments that their enterprise customers need and toning down their own hosted cloud solutions (or providing them under a different brand). IT service providers, with their DNA in data centres and application integration, are exploring cloud infrastructures, platform services and cloud solutions for developers, ISVs and businesses of all sizes, while remaining agnostic as to what networks customers choose for access.
So, what are the options for enterprise IT planners? In many respects it is the same trade-off that technologists have always faced when focusing on security: Remain flexible and seek open standards that will accommodate different types of users and cloud services, hopefully securely; or opt for single-source solutions and bet that your provider can stay ahead of the bad guys. Either way, the fundamental security questions remain, regardless of whether you are in or out of the cloud.
What’s your take? Are you confident in cloud providers’ ability to meet your security requirements? What does a cloud provider need to do to prove they have implemented adequate security measures?