Cloud computing security and the changing role of IT

The importance of cloud computing security was discussed by a number of security and privacy experts at two press events in London last week, including how it may change the role of the IT department, and what needs to be done to facilitate its safe use.

There were calls at Symantec's Security of the Future event for a new international kitemark system to allow organisations to judge the security competence of a cloud computing provider.

John Carr, secretary of the UK Children's Charities' Coalition on Internet Safety, argued that regulatory measures alone would not effectively deal with the potential risks of allowing third-party cloud providers to handle sensitive data.

"I am convinced that no institution is capable of formulating and delivering an enforceable regulatory solution dealing with the myriad issues," he argued. "Our best hope is a standards body we have confidence in developing some sort of kitemark."

Others at the event said that a mixture of regulations and other measures would be more suitable.

Steve Purser, head of the technical competence department at the European Network and Information Security Agency, argued that, while "regulation is powerful [it is] slow moving and not alone effective".

Purser said that measures such as the sharing of good practice are equally important in the fight to help ensure cloud computing security, and warned that security teams need to start thinking about moving from old models of centralised security towards distributed environments.

Dave Evans, senior data protection practice manager at the Information Commissioner's Office, agreed that a mix of regulation, education and other technical measures are required for cloud computing security.

"We will never have, or want to have, a global internet law," he added.

Guy Bunker, an independent security consultant and former chief scientist at Symantec, argued that the cloud is likely to force IT departments and their security functions to change.

"IT administrators will have to do due diligence on service providers, ask for compliance reports, and then put them into their company's audit report. The IT administrator's role will significantly change in order to balance out the risks of cloud computing," he said.

Purser agreed, saying that "whoever runs these things will have to have the expertise", and that clear service level agreements between organisations and their cloud computing provider will be vital.

Nick Frost, senior research consultant at the Information Security Forum (ISF), argued at a separate event to discuss the organisation's Threat Horizon 2011 report that ISF members are already seeing criminals exploiting cloud computing, just as businesses are looking to exploit its opportunities.

"While there is a lot of interest from a business perspective to utilise the cloud, organised gangs are also using the same thing to launch denial of service and brute force attacks," he explained.

Frost added that a lot of evidence points to many information security operations working in silos.

"While they have a good intention of doing the right thing, there is often still a gap when it comes to alignment with the business," he said. "A complete mind change is needed, so that they can highlight the opportunities against the business strategy."

William Beer, a director in the information security practice at consultancy PricewaterhouseCoopers, agreed that security professionals need to speak the language of business more fluently.

"Most information security people talk in fairly technical terms and aren't engaging more with the business executives," he said.