The migration of enterprise applications to cloud infrastructure is becoming more and more of an inevitability. But whilst private cloud and hybrid implementations in the Middle East are picking up, views towards the public cloud remain somewhat apathetic. How much of that is to do with security? Ben Rossi reports.
There is no doubt that cloud computing poses unique security challenges – but whether or not that should be a barrier in a company’s decision of whether to implement it is another question.
Many vendors and analysts are adamant that it shouldn’t. However, they do not make the decisions for enterprises and the fact remains that implementation of the public cloud in the Middle East remains very low.
In an IDC report published in August 2011, only one third of organisations surveyed believed that a public cloud provider’s architecture would be more secure than their own.
In a different report, 85% of IT decision makers believe that cloud remains an immature and developing technology, whilst a study of financial institutions in the Middle East found that 50% of decision makers believe cloud computing is difficult to implement.
Furthermore, government organisations in the Middle East have a low inclination to adopt cloud technology until they develop great confidence in it.
Girish Bhat, VP of MEA sales and operations at Tech Mahindra, believes that whilst security is a factor in the lack of adoption, it is not the biggest influencer.
“From the cloud perspective I think there a couple of things that bother a lot of the enterprise customers. Security is definitely one of then. The major issue that people think about with cloud is the stability and response times. Performance is probably at the top of the mind of many people and then people start looking at security,” Bhat says.
Nick Black, senior technical manager at Trend Micro, agrees, adding:  “I think security is certainly a part of the decision process that C-level executives consider when looking at cloud technologies, however the decision to move to cloud is a major infrastructure change and as such I would suggest that this is more likely to be the delay in adoption rather than security on its own.”
The concerns
So what exactly are these security concerns that are inhibiting enterprises from fully embracing the cloud?
“Apart from the obvious encryption and data leakage concerns, the legal implications and who owns the jurisdiction is probably something that people often don’t consider. At this point it remains the responsibility of the end user to maintain data security and integrity – the cloud provider assumes no responsibility for this at all,” Black says.
“The concept of ‘bread crumbs’ (the data that is left behind when a customer moves from one provider to another) is also something that should be a concern. A proper Cloud security solution will protect from any and all of these threats if implemented and maintained correctly,” he adds.
Maher Jadallah, regional manager at Sourcefire MEA, also cites data loss and leakage as a common concern, as well as loss of governance and segmentation concerns from other parties in the cloud.
However, Jadallah does in fact believe that the cloud can be a tremendous security enabler and that this is something that has been largely ignored.
“There are three aspects of the cloud that can be leveraged to enhance and modernise today’s approach to security – massive computing power, vast amounts of storage capacity and shared infrastructure. In combination, these three aspects can work together to transform traditional security practices and create significant benefits for IT security professionals and technology vendors alike,” he says.
But, Florian Malecki, senior product marketing mager at Dell SonicWALL EMEA, emphasises that with cloud computing, application code and sensitive data are moved outside of the corporate boundary and no longer receive the benefit of perimeter and data centre defences that IT has implemented.
“A major implication of this migration is that it is not just your customers, but mobile and distributed employees too, that now have direct access to these resources. The only obstacle is whatever security mechanisms the cloud provider decides to put in place, which in many cases means little more than placing restrictions on the source IP range for inbound sessions, so that only the customer’s user can access,” Malecki says.
Losing control
The biggest risk in expanding existing storage into a public cloud is loss of control, according to Sebastien Pavie, regional sales director MEA at SafeNet.
“When you hand over data to the cloud provider, how to do you know who is able to access that information? Who ensures separation between your data and that of other tenants? Encrypting the data itself eliminates risks, and since you have the complete control of those encryption keys, you are the only one to have complete visibility and governance, even in the cloud,” Pavie says.
“You can ensure security throughout the lifecycle of the information – from its creation, through each transaction and change of hands, each snapshot, and its storage in the cloud,” he adds.
Vladmir Udalov, senior corporate product marketing manager at Kaspersky Lab, predicts an increase in the interest that hackers show in cloud services. He believes the more companies that store critical data and confidential information in the cloud, the bigger problem this will become.
“However, when storing data in a public cloud service a company is unable to check the level of security. Even if the cloud service provider allowed their client to audit its server security, it’s unlikely that many client companies would have the specialists with the relevant qualifications to do so,” Udalov says.
“That is why we expect that within the next few years companies will appear that specialise in independent testing of the IT security of public cloud services, and certificates confirming a high level of security will be a must-have item of any major cloud service,” he adds.
Alexander Zarovsky, head of business development at InfoWatch, believes it is the culture of Middle East enterprise that is acting as a further barrier in cloud adoption.
“In the Middle East the rule is to possess the entire spectrum from assets to data.  That’s why outsourcing has quite a low penetration here. Besides, confidentiality of information is highly valued in Gulf countries,” Zarovsky says.
“At the same time, most information security technologies have a Western origin and Western products are not perceived entirely trustworthy.  The bottom line is that security technologies are not as well adopted here. Companies prefer to use their own solutions, and that is why public cloud is not a commonly accepted technology,” he adds.
Difference of opinions
Ultimately, however, opinions differ in the industry when it comes to whether end-users should feel that their data is safe in the public cloud.
Nicolai Solling, director of technology services at help AG, believes they shouldn’t and puts the blame on privacy laws.
“Over the last couple of years we have seen a degradation of privacy laws both in the US, Europe and other places in the world which means that privacy is not something you should automatically expect as an end-user. When you transfer data onto cloud services you should always try to understand if this data is safe to put in the cloud and in which format you can do so,” Solling says.
“A good practice is to read the end-user agreement for the cloud service, understand the legislation for the country where the data or cloud provider resides and then make your decision if it is something you can use or not. Unfortunately this is not something that is being widely followed,” he adds.
Zarovsky, on the other hand, believes that the public cloud can in fact be quite a secure place and that people will begin to trust them when solutions guaranteeing security appear and compliance requirements force cloud service providers to adopt these solutions.
“We did not entirely trust internet-banking, but the largest and most respectable banks adopted advanced security measures to provide their customers with safe access. The same will be the case for the public cloud. Cloud-based systems fundamentally need different security measures than, for example, password-based security mechanisms,” he says.
Jadallah recommends organisations that are beginning to adopt cloud technologies to choose vendors that have deployed the latest security defences and disaster recovery systems to ensure their data is safe.
“Today’s threats are more sophisticated and evolving quickly than ever before. Maintaining security defences to ensure data is safe in the public cloud is a continuous process,” Jadallah says.
Providing the organisation is satisfied that the cloud service provider has fulfilled its own security process considerations, it’s pretty safe, according to Clare Porter, senior VP at SunGard’s Infinity programme.
“However this is not to say that the organisation’s IT team should see the process as a one-off box ticking exercise. There should be continued dialogue along the whole of the contract period to ensure the CSP holds and continues to hold the correct industry certifications, and that the clear SLAs that formed the original contact are being strictly adhered to,” Porter concludes.