Growing confidence in cloud security

Cloud computing is blowing into 2013 on the winds of confidence, with IT professionals increasingly convinced that the security controls are adequate, but still very, very leery.

Take Len Peters, CIO at Yale University, who has undertaken a cost-benefit analysis of cloud-based services in comparison to on-premises software purchases, finding that not only are unit costs less for the kind of software-as-a-service (SaaS) he's most interested in, but that SaaS can also further the compliance and security goals the IT department has long espoused.

Last spring, Yale elected to migrate from an on-premises IT management application to the cloud-based ServiceNow. The economic analysis indicated a positive cost advantage within 13 months. But security and compliance considerations were and always are going to be critical factors in cloud-computing decisions, Peters says. Like many IT pros, he found himself asking the questions, "Is the cloud safe? What are the potential risks?"

The answer, he says, is yes, there are risks, but not necessarily any more than in your own environment if the proper security and contractual arrangements can be put in place with the cloud provider. What's more, use of cloud services can help speed the adoption of best practices that would further safeguard the university.

Yale is using ServiceNow to further its support of IT service management practices that are codified in the Information Technology Infrastructure Library. ITIL spells out IT baselines that organizations can use in planning and implementation of IT services, and also to measure themselves against.

"With ServiceNow, we can rapidly stand up ITIL processes," says Peters, noting that these cover everything from incident requests to change management, which shapes the daily workflow of IT support staff and has a bearing on the integrity of the university's entire IT environment. The ServiceNow cloud service also affects the Tivoli Endpoint Management software distribution Yale uses to manage the computers it owns.

Yale is going to be looking at more cloud-computing options in the future for things such as human resources and ERP, Peters says. But not all cloud-based services are the same, either in how flexible they are in terms of contractual demands or security. For instance, Peters remains skeptical about cloud-based e-mail services, concerned about security and availability risks. But he notes that throughout higher education, the interest in cloud services runs high and everyone wants cloud providers to more quickly tackle risk-management issues.

Of course, not everyone agrees on where the cloud security issues lie. Some organizations, for example, are more than happy to leave e-mail management to the cloud.

Bernie McCormick, director of technology at the Mary McDowell Friends School in Brooklyn, says the school migrated to Google Apps for Education in part so it would no longer have to maintain an e-mail server (which turned out to be an advantage when the superstorm Sandy hit the New York area). The cloud-based Backupify service also played a critical role in that decision.

The Backupify client software, which is used on the faculty's Apple iOS and Google Android personal mobile devices in a "Bring Your Own Device" (BYOD) arrangement, gives the school's IT department the ability to wipe Google Apps folders if a smartphone or tablet is lost or stolen. McCormick, who says the school also uses the Barracuda Networks cloud-replication service for storage backup, foresees use of other cloud-based services in the future.

With security concerns abating, many others have turned that corner as well.

"We have strategically made a shift toward the cloud," says Osh O'Crowley, the CIO at AAA Northern California, Nevada and Utah (AAA NCNU), the regional part of the AAA that offers roadside assistance, insurance and travel amenities to its members. The enthusiasm for the cloud is not so much because of cost savings as it is the speed of obtaining applications and the benefit of not needing an army of IT staff to support it all, he says.

Within the last 18 months the AAA NCNU adopted ServiceNow as well as for customer data and Workday for business-process applications. And it has also adopted Microsoft Office 365 cloud-based office apps Word and Excel for employees. AAA NCNU does retain a number of internal business applications, some mainframe-based.

To unify the authentication and provisioning process for both cloud and on-premises applications, this AAA regional club is now going to move to the OneLogin cloud service. That way the 2,300 employees in its 100 offices can gain authorized single sign-on access to any of these applications, whether cloud or on-premises. O'Crowley says he anticipates this shift to a cloud-based single sign-on service being completed by April.

The way forward

Many other companies, as well as federal and local governments in the U.S. and around the world, are going through similar evaluations of secure, cloud-based computing options. In fact, according to Gartner, growth in cloud computing is the driving force that will shape 2013 security trends.

Gartner predicts that by 2015, 10% of overall IT security enterprise capabilities will be delivered in the cloud. While the focus today is clearly on messaging, Web security and remote vulnerability assessment, Gartner contends there will be more cloud-based security-focused services on the way, such as data-loss prevention, encryption, and authentication.

Gartner points out that the U.S. government will make progress in 2013 with its so-called FedRAMP Program that is defining security and compliance guidelines that are expected to drive adoption of cloud services by federal agencies.

The goal of FedRAMP is to get cloud-service providers that serve government agencies accredited for specific security practices over the next two years. These practices would include incident response in the cloud, forensics in a highly dynamic environment, threat detection and analysis in a multi-tenant environment and continuous monitoring for remediation, among other things. The idea is that service providers must be prepared to report security incidents of many types to the U.S. Computer Emergency Readiness Team (US-CERT) and the government agency that might be impacted. Cloud service providers that can't meet these requirements in theory won't be allowed to provide services to government agencies.

John Streufert, director of the National Cybersecurity Division of the Department of Homeland Security, recently spoke at the Cloud Security Alliance meeting in Orlando on how the government plans to deploy a so-called "Continuous Monitoring" capability that would include "Continuous Diagnostics and Mitigation" to protect civilian federal agencies' data from stealthy attacks. The contract solicitation, which is expected to be put out for bid soon, could extend to an estimated 25 million seats and will include cloud-based services as well as on-premises tools. Streufert says it will likely take a few years to complete.

The federal government's initiatives are drawing interest from organizations such as PricewaterhouseCoopers (PwC) that harbor aspirations of becoming a government-certified cloud-services security assessor in the future.

Cara Beston, cloud-assurance partner with the PwC risk-assurance practice, says enterprise customers still have reservations about putting sensitive data in the cloud, but the conversation has clearly changed. For example, CIOs who adopted cloud-based services for what were considered less-sensitive data are now weighing how they might use cloud services to manage data regulated under the PCI payment card rules or the Health Insurance Portability and Accountability Act healthcare regulation. However, sensitive information such as source code and engineering designs is still generally considered off limits to the cloud today, she notes.

She points out that the cloud has sometimes put internal IT, security and compliance managers on the defensive because line of business managers may have gone around them entirely to select cloud services without asking their advice. This can be tough to fight, but Beston says one way IT can nip it in the bud is to make the IT service acquisition process more collaborative.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
