​

MANY ORGANIZATIONS are racing to take advantage of cloud-based services in which resources, such as applications and server space, are provided by a vendor over the Internet. But such offerings are generating a whirlwind of security and compliance questions. How much can companies trust vendors with their data? Where will it be stored? Is it now out of the organization’s control?

These were some of the issues discussed at a recent RSA Conference panel, “In the Cloud or on the Desktop?”

Especially in this economy, cloud services can provide speed, efficiencies, and cost savings, according to the London-based Jericho Forum, which recently published a paper on cloud risks. But with data privacy and other concerns, it can open a “potential Pandora’s Box of security nightmares.”

Organizations remain responsible for their data whether it is sent to the cloud or not, the panelists agreed. “You can’t outsource risk,” says Mary Ann Davidson, chief security officer at Oracle. “Either you handle the security or you do a good job vetting the [third-party] service.”

Cloud services lack security standards and agreed-on methods of gauging vendor security. The lack of standards is partly the result of the varying methods and architectures in cloud offerings as well as the industry’s lack of maturity, said moderator Larry Ponemon, president of the Michigan-based Ponemon Institute.

It is left to the purchaser of the service to estimate the risks of cloud services. To do that, companies should first assess the value of the data they will be putting in the cloud, states the Jericho Forum paper, called A Cloud Cube Model.

In addition, the paper advised organizations to be mindful of regulatory and compliance restrictions regarding the handling of data. They should consult attorneys on subjects such as geographic locations of stored data, for example.

Companies should conduct thorough due diligence of cloud providers, said Davidson. It is important to know the data center locations and to speak with current and former customers, she said.

Drafting a contract is important, she added, but only part of the process. Having a contract with an untrustworthy party is not going to provide protection against liability if data is damaged, lost, or mishandled.

Another security concern is data retention and deletion. Customers should know that data will be deleted at the close of a business relationship and on other occasions as agreed.

Cloud services should not do anything with data that customers have not sanctioned, said Steve Moyle, founder and chief technology officer for the database security company Secerno.

Jericho outlined some basic differences in the various cloud services. One key differentiator is whether the service uses proprietary or open-source software. Proprietary offerings will likely be more innovative and cutting-edge, according to Jericho, but they may also make it hard for companies to switch to other services. Open source architecture may be a better choice because it is more likely to provide flexibility and interoperability, traits that can be particularly important for smaller organizations.  The group also distinguished between external and internal cloud domains. Internal cloud computing usually refers to the dynamic scaling of resources, such as servers, within a company’s own data center, which would clearly not carry the same risks.

Some companies might want to consider a hybrid cloud model that builds on the strengths of both the internal and external approach, Jericho suggested. Companies could benefit from the efficiencies, resources, and greater knowledge base of the external domain but also maintain control of their data. Organizations could integrate their own access control system, for example, into the new architecture.

Some in the industry believe that one of cloud services’ top security selling points is the ability to quickly gather disparate IT threat data and then push it back to individual customers. The threat landscape is evolving so rapidly, companies could use cloud offerings’ additional computational power and “community watch” capabilities to their advantage, said Eva Chen, CEO of Trend Micro.

Last year, for example, Trend introduced a cloud-based Web scanning service that protects customers with multiple real-time threat databases.

Cisco Systems, which provides a range of cloud services, announced several new cloud security upgrades and services at RSA. One, called Global Correlation, is similar to a security information and event management tool, according to the company. It tracks event and log data among customers across the cloud. The company’s new Botnet Traffic Filters aim to provide customers with an early warning about infected clients.

Renee Guttmann, vice president and information security and privacy officer at Time Warner, said that each time cloud services arose in the past few years, she and other colleagues would hold discussions on risk. She noted that every organization needs to assess its individual business model, risk-tolerance, and assets. Certain data isn’t difficult to send to the cloud, Guttman said, “but as a media company, we’re not about to send out the next iteration of [the popular 2008 film] The Dark Knight.