"Typically in this industry the adoption of any technology happens well before security considerations surrounding it are fully addressed," says Gary Loveland, a principal in PricewaterhouseCooper's advisory practice and head of the firm's global security practice.
With hybrid cloud, Loveland says, clients are being clearer about the security requirements up front and are forcing cloud service providers to be more prepared to have solid answers on topics ranging from defining and ensuring multi-tenant boundaries, PCI and FISMA compliance, and auditing capabilities.
Industry guidelines can help
The Cloud Security Alliance in 2011 established the CSA Security, Trust & Assurance Registry, a free, publicly accessible registry that documents the security controls provided by various cloud service providers. The registry, which vendors supply the information for about their own products, is designed to help users assess the security of cloud providers they currently use or are considering contracting with in the future. To date, the registry contains information about 20 providers.
The underlying problem, Loveland says, is that enterprises have to mature enough in their use of virtual technology and cloud services management to take advantage of the higher security offerings.
Jeff Spivey, international vice president of ISACA, an association of IS professionals dedicated to the audit, control, and security of information systems, and vice president of mobile security vendor RiskIQ, concurs. He sees all too often that enterprise IT assumes that once they hand off their operations to a cloud provider, that the latter then assumes sole responsibility for security.
"Not true, it's at that point that IT needs to become even more diligent about implementing sound security across their clouds," Spivey says.
He pointed to COBIT 5.0, the newest version of ISACA's framework for governance and management of enterprise IT which outlines IT control objectives for cloud computing in general, as a strong guideline for how to implement hybrid security.
As hype surrounding cloud computing continues to grow, IT departments are being pressured by management to seize some of the cloud's promised economical benefits. But it's IT's job to make sure they are not risking the farm in order to go into the cloud to see those benefits.
In fact, computer scientists at the University of Texas in Dallas have devised an algorithm that can help companies develop a risk-aware hybrid cloud strategy.
According to one of the researchers, Dr. Murat Kantarcioglu, the scheme is an efficient and secure mechanism to partition computations across public and private machines in a hybrid cloud setting (see the paper).
Kantarcioglu and his colleagues have set up a framework for distributing data and processing in a hybrid cloud that meets the conflicting goals of performance, sensitive data disclosure risk and resource allocation costs getting weighed and balanced.
The technology is implemented as an add-on tool for a Hadoop and Hive based cloud computing infrastructure and the team's experiments demonstrate that using it can lead to a major performance gain by exploiting hybrid cloud components without violating any pre-determined public cloud usage constraints.