June 1, 2011

SC Magazine: Safety in the Cloud

Can cloud providers be trusted with your most sensitive data? Deb Radcliff finds out.

A spate of recent high-profile outages and intrusions into cloud networks demonstrates the real risk of using these services for critical operations. In April, a problem in Amazon's data center caused outages for its Web Services customers. Also that month, Epsilon, the world's largest “permission-based” email marketing provider, announced that the address lists belonging to its customers had been exposed through a successful hack of its systems. And the highly advanced breach into security company RSA announced in March led to the compromise of information about its SecurID products, which include hardware token authenticators, software authenticators, authentication agents and appliances supported over the web.

All these cases impacted the customers who used web services to run their business or support network operations. The RSA breach potentially blew the security out of millions of multifactor authentication applications. The Epsilon case ultimately eroded customer trust in their email from Citi, Chase and numerous other affected retail and financial outlets. And the Amazon outage highlighted how a physical data center problem can impact multiple web services customers hosted there (including, in this case, HootSuite, Reddit, Foursquare and others).

Before these events, technology research firm IDC predicted that public and private clouds will drive 15 percent of IT spending in 2011, while Gartner forecasted that cloud computing will grow to become nearly a $150 billion market in 2014. However, these recent cases have experts questioning more than ever the ability of cloud providers to protect their data.

“If you put your critical data in public clouds and anything happens in the cloud—whether an attack from outside or system failure or any type of disaster—you no longer have control of that data,” says Joe Wulffenstein, department chair at Northwood University in Midland, Mich. “That's what I think is the biggest threat to cloud computing.”

Standardizing in the cloud

Despite the latest setbacks for some highly public cloud providers, Jim Cavalieri, chief trust officer of salesforce.com, contends that cloud providers are maturing into what he believes will be bellwethers of security and compliance. For example, he points to the security and compliance guidelines for public clouds put out by the National Institute of Standards (NIST). These guidelines tout several security benefits that public clouds can provide, including having specialized staff that agencies can't usually afford on their own, and providing and maintaining stronger platforms, better availability of resources, more robust backup and recovery, and more.

The Force.com platform from salesforce.com encourages organizations to build auditable processes, which enable faster spin-up of more reliable, trustworthy clouds for organizations putting together their applications. Cavalieri explains how using standardized applications properly managed by the cloud services provider can give better overall security for all customers of that cloud provider.

“When running a single copy of the application for multiple tenants, any single security update is immediately in place for all customers in the multi-tenancy,” he says. “Security is democratized – all security features and fixes are available to all customers and users when they are implemented.”

Instead of enterprises trying to get this right on their own by building their own clouds and porting them to a provider, Cavalieri predicts that new applications will be easier to create in this well-run cloud, where all these services are offered. Others concur.

“This is where the cloud model presents its strengths,” says Chris Stark, founding CEO of Cetrom IT, a cloud services provider in Vienna, Va. “Partner with a provider and let them worry about the configuration, compliance and security problems. Access and security requirements should be plug and play.”

Cetrom IT has standardized about 150 customer relationship management (CRM), accounting, office, database and other applications commonly used in today's enterprises.

New security layers required

Cloud.com is another example of a web-based software and IT company that offers cloud builds with security policies and control options that buyers can choose as part of their configurations.

“As customers build their applications, we build in security policies around user access, application controls and data isolation,” says Peder Ulander, chief product officer at the Cupertino, Calif.-based company. “What we can't do is help with multicloud access. So far, however, not many of our customers are using multiple clouds at this time.”

When moving to public clouds, most organizations will need to layer on additional cross-platform access control management capability that preferably integrates with existing access control dashboards and user directories, such as Active Directory or LDAP (lightweight directory access protocol). The setup will also need to support federated identity models. Like other leading cloud vendors, salesforce.com provides these access management options for its applications.

Contracting out

To support multicloud and internal authentication management that goes beyond its boundaries, Cloud.com refers customers to management platforms RightScale or enStratus, the latter of which supports 17 separate public and private clouds through management and scaling. Fortunately, there is no shortage of federated-type unified access vendors that also can integrate with consumers' existing identity infrastructures to manage them together with access to cloud applications. Along with the vendors mentioned above, companies like Symplified, Ping Identity, ActivIdentity, SecureAuth and Accenture showed up en masse at the RSA Conference in San Francisco last February.

The other cloud issue, the one of visibility, is a little harder to manage, many say.
Mature providers offer customers dashboards to see into their own systems. These dashboards also can be made to hook into existing management dashboards if desired. What they can't do is show the organization that the cloud vendor itself is compliant, reliable and secure enough to prevent breaches and outages, such as what occurred at Amazon, Epsilon and RSA.

“The number one issue IT security professionals have with the public cloud is they can't see into it,” says Peter Schlampp, VP of product management for South Jordan, Utah-based Solera Networks, a vendor of network forensic tools and services. “You literally have no idea what's going on between the hosts running within the cloud or with the provider at large, so threats are beginning to take advantage of that.”

Vet your provider

So, experts say, use diligence vetting the provider. Look for vendors with evidence of strong information security practices – such as ISO 27001 and SysTrust certification, regular SAS 70 Type II reports, and others – which leading providers, including Verizon (see bottom), offer annually to customers.

An example of controls to audit would be those presented by salesforce.com's Cavalieri during a cloud summit at the RSA Conference. He discussed the main risk management pillars embedded in the company's internal culture, including physical, network, application, access and mobile security policies.

During this time of market transition, consuming organizations should move forward with their plans carefully, say experts. Another consideration is that security responsibilities vary across different cloud computing models, says Carson Sweet, CEO of CloudPassage, a software-as-a-service (SaaS) provider.

“Customers move to the cloud for flexibility and control,” he says. “Just remember that with more flexibility comes more responsibility for security.”


To cloud: Or not to cloud

When developing cloud strategies, decide first what data will be interacting in the cloud and whether it should even be out there, experts say. Also, consider the connection. For example, rather than risk going over the web to their applications and infrastructures, Verizon's most risk-averse users are asking for access into their cloud applications over dedicated connections, says Michael Clark, Verizon's cloud computing security strategist. Verizon provides several types of services, its most popular being Verizon Computing as a Service (CaaS) Enterprise (above), an infrastructure-as-a-service offering launched in June 2009.

The bottom line, say experts, is not to stampede to the cloud just because it is the new trend in technology.

“I tell people at this stage of cloud computing, ‘If it ain't broke, don't cloud it,'” says Michael Cote, founding senior analyst with RedMonk, a cloud analyst firm based in Austin, Texas. “Cloud your new applications or some part of IT that's problematic. Then build those from the ground up, securely.”

– DR

This article originally appeared at scmagazineus.com. Copyright © SC Magazine, US edition
