Cloud Computing Poses Control Issues for IT

Few companies are putting critical data into public clouds

Though most U.S. companies still list customer and other corporate information as their most valuable assets, many keep pushing this data farther from safe lockdown in the data center--and are about to give it another strong shove in that direction.

Cloud computing and efforts to virtualize internal storage, servers, client hardware and even the movement of bits in and out of a server allows IT to design systems according to the needs of end users, rather than the location and limitations of on-site hardware.

One common fear about data in the cloud: What happens to it once it leaves building?

End-user companies probably won't completely lose track of data in the cloud, according to Chris Wolf, infrastructure and virtualization analyst at The Burton Group. They are likely to lose some level of control over not only who accesses the data, but also when and for what purpose, he says.

15 Cloud Companies to Watch

On a related note, companies must also be able to audit usage of sensitive data, keep restricted data in Europe or other places where regulations are tight, and comply with all the other requirements spreading out to define proper use of corporate data.

It's not a disaster waiting to happen, but the control issue will keep many companies from using cloud technology, or even advanced storage technology, to its best advantage, Wolf says.

Slideshow: 5 Things We Love/Hate About Cloud Management Tools

EMC, for example, is developing technology for its high-end storage products that goes far beyond current storage virtualization technology, which still associates storage volumes with specific spindles or storage arrays, according to Brian Gallagher, general manager of EMC's EMC Symmetrix and virtual products groups.

"Virtual Storage," would make it possible to make the most cost-effective use of storage hardware and move data around at need, or at whim, Gallagher says.

"Theoretically, you could shift terabytes or petabytes of data from New York to Alaska for batch-processing overnight because the power in the Alaska data center is so much cheaper than New York," Gallagher says. "You should be able to do that from one console, almost with a couple of mouse clicks or drag-and-drop."

One Company's Private Cloud Choice

Losing critical data in the cloud isn't a huge issue right now, mostly because companies that want to put data that's more critical than a Gmail account into the cloud keep that data on internal clouds, or keep the whole cloud within their own walls, according to Bill Gillis, eHealth technical director, Beth Israel Deaconess Medical Center in Boston.

"We went with a cloud approach because we weren't sure how big it was going to be, and it gave us an environment that could expand or contract as we needed it to," says Gillis, who built a virtual infrastructure designed to allow independent physicians' offices to plug into BIDMC's patient records and billing systems easily.

"Data goes from physician offices to our servers directly," he says. "Even though it's in a cloud, it doesn't leave our servers or the physicians', which is good for security and privacy."

Few companies are putting critical data into public clouds now, partly because they're nervous about doing it, partly because neither their structured nor unstructured data has yet been converted to function well in services-oriented environments such as the cloud, according to Mark Bowker, analyst of Enterprise Strategy Group.

The potential cost-savings of the cloud will add to the pressure for end-user companies to convert to more SOA-friendly formats, Bowker says.

A Solution for Tracking and Securing Data

Technology that does provide centralized control is not under development, however, Wolf says. Wolf and his Burton colleagues have proposed development of an infrastructure authority, or IA--a database, directory and security application all in one, designed to create security that can travel along with specific parts of data and help its owners keep control over it no matter where it resides.

In the cloud, data from several locations could 'reside' next to each other, sharing user access controls, audit and security policies, but actually be stored within a company's own data centers co-location facilities or publicly available data centers.

Without a set of metadata that can track the real and virtual location of that data, as well as its related security information, orchestration, federation and control of that data is, at best, extremely difficult, Wolf says.

"If a tool wants to place an object somewhere within a cloud infrastructure, there needs to be a central place where it can check to make sure the physical location offers the necessary resources (compute, memory, networking and storage I/O) and security policy isn't violated in the process, among other concerns. We don't need to re-invent the wheel. Instead, we need to take existing virtual infrastructure management databases and evolve them so that they can act as the central authority for all infrastructure decisions," Wolfe wrote in a blog on the topic.

Burton Group, and its new owner, Gartner Group, plan a series of reports explaining and promoting the idea of the IA later this spring, Wolf says. Industry organizations such as the DMTF, Cloud Security Alliance and Storage Networking Industry Association's Cloud Storage Initiative are working on various aspects of the problem, but haven't cracked it yet, Wolf says.

Follow everything from on Twitter @CIOonline.

Join the CSO newsletter!

Error: Please check your email address.

Tags SOAsecuritycloud securitycloud computingprivacy

More about BillBurton GroupEMC CorporationGartnerGartnerStorage Networking Industry AssociationSymmetrix

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kevin Fogarty

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts