Securing the Cloud

The term "security" crops up whenever the cloud is mentioned. But what should IT managers do on the ground? Read on.

Economic benefits, it is true, are the main drivers behind cloud adoption, as it promises reduction in capital expenditure (capex) and operational expenditure (opex).

Given the common refrain about lack of security surrounding the cloud, which is proving to be the greatest hurdle in the cloud movement, security vendors and service providers are trying their best to resolve the issues while assuring risk-free cloud-based delivery. IT managers, taking a cue from the security vendors, are placing their emphasis on securing the cloud environment.

Customer Security
Daya Prakash, Head, IT, LG Electronics, India, says, "Leakage of information due to technology, policies and procedures of the service provider, or even mischief by its human resources and the accessibility of data to others in such cases, can lead to a bankruptcy-like situation."

For Mahindra & Mahindra, the manufacturing company, security issues around the cloud are a constraint, as they can compromise data security and give rise to compliance and legal issues. Girish Hadkar, Corporate IT, M&M Ltd, says, "We have not considered migrating any critical applications on to the public cloud. But, we have moved some applications to the private cloud, as security issues can be addressed easily in this."

Similarly, Reliance Energy (BSES) Ltd, another cloud customer, says, "The biggest challenge is data governance."

Data and information security is of prime importance. BSES VP, IT, Karan Singh, admits, "We have hosted customer-related applications on the private cloud. Internally also, we have services hosted on private cloud, but not on public cloud. The data in power sector is critical in terms of billing and payments. Data security issues surrounding public clouds are a concern."

Srinivas Kishan Anapu, Executive Vice President, Enterprise Information Systems, Mahindra Satyam, admits that no secure standards are in place for the data on the cloud. Till such standards come into vogue, enterprises will need to seek assurance from service providers that they have implemented safeguards and maintain adequate security practices to mitigate risks to customers.

Anapu says that before moving to the cloud, it is critical to ensure that the service provider has relevant industry accreditations such as ISO 27001-2005, security plans, encryption, etc.

Some of the customers are finding ways to tackle the situation. For instance, Kapil Mehrotra, Head, Applications at iYogi, advocates adapting to a multitenancy-capable delivery system that addresses security concerns: "I am sure that all the cloud service providers are following data security guidelines given by the Cloud Security Alliance."

Arun Gupta, Group CIO at Shoppers Stop, and a business and IT leader, says, "Depending on the need and the industry vertical, various certifications exist that can provide the framework for security which would work."

"Best practices like ISO 27000 help to ensure that what is secure largely stays secure. For example, in retail, PCI-DSS and PA-DSS are standards that provide security guidelines," informs Gupta.

Vendors Want Security
The cloud environment and the market sentiments have put all the vendors on their toes to work out robust security frameworks, to enable the cloud to take off.

Ramco Systems, which offers BI (business intelligence) and analytics solutions on the cloud, finds it imperative to have a secure policy. Kamesh Ramamoorthy, COO, Ramco Systems, has evolved a three-pronged security strategy built around physical security, application security and data security.

"To protect data, we have put in place a comprehensive information security management system, as mandated by ISO 27001 standards. Information security management system (ISMS) is a comprehensive set of policies and procedures designed and implemented to ensure very high levels of data and information security," says Ramamoorthy. Under the physical layer, Ramco ensured that entry is controlled through automatic access control systems linked to security alarms.

As part of the application security layer, a two-dimensional access control measure is worked out. First, only authentic users can log in. Second, they can log in only to the relevant transaction screens for which they have permissions. Such access policies are administered through the deployment module of the Ramco VirtualWorks platform. This mechanism prevents any unauthorised access to both transactions and data.

In the third layer, data protection, data transmission is protected through encryption and transported over Secure Sockets Layer (SSL). This prevents theft. Encryption renders data meaningless, thus making the theft harmless.

"Data security strategy must be clearly communicated to clients, ensuring an adequate level of trust between the cloud provider and the organisation adopting cloud computing," maintains Ramamoorthy.

Sanjay Deshmukh, Area VP, Citrix Systems, agrees: "Enterprises moving to the cloud need to evaluate the provider's data protection, access and identity management, application security and vulnerability management practices to ensure they meet security, compliance and regulatory needs."

However, not everyone agrees that there is lack of security on the cloud. PK Mishra, an independent consultant, says, "The existing solutions from major vendors are adequately secure. By deploying additional software for compliance and verifiable security responses, the cloud options can be effectively harnessed for most types of applications hosted in public and hybrid clouds. In any case, private cloud is almost as secure as any other existing system and is acceptable."

RSA, the Security Division of EMC, in an RSA-commissioned report titled "As Hyper-extended Enterprises Grow, So Do Security Risks", found that two-thirds of the respondents who are running applications or business processes in the cloud admitted that they haven't developed a security strategy for cloud computing. A majority of respondents weren't sure how prospective cloud computing vendors would safeguard data or how corporate security teams would meet compliance requirements upon moving data on to the cloud.

Kartik Shahani, Country Manager, RSA, points out that as organisations begin to migrate to the cloud en masse, there's still considerable confusion about how best to handle information security in the cloud. The issue of protecting data becomes murkier when companies start moving critical information and processes to the cloud.

Customers' top concerns, as the RSA survey reveals, are the lack of transparency in vendor security processes and immature technology, followed by the concern around protecting data integrity, lack of security standards, risk of noncompliance, etc.

However, some of the vendors are optimistic that they have the security solutions for the cloud in place. Jaideep Billa, Adviser to Chief-Architect and CEO, Polaris Software Labs, says, "Polaris has a number of banks on its client list, for whom we have provided adequate security coverage. Our differentiating factor is the US Department of Defense grade identity authentication and encryption that we use for protecting data."

Santanu Ghosh, Country Manager, HP India, says that Converge Infrastructure Solutions have witnessed major growth in private cloud. "There is control over the technology aspect and security also depends on the style of operation an organisation adopts. It has been observed that various vendors manage security in the cloud environment," says Ghosh.

Wipro Ltd has made its data centres secure along with the cloud management centres, which are also ISO 27001 certified. Anand Ramakrishnan, GM, Cloud Computing Services, Wipro Infotech, says, "This ensures adherence to certain key aspects of information security. In addition, Wipro also follows various other security measures for network security, data security, physical security and human resources security."
