Cloud computing could fundamentally change the way businesses adopt new applications and computing power but it also introduces new threats from a security perspective

Melbourne and Amsterdam, 15 September 2010. Cloud computing has been widely heralded as the “next big thing” in technology circles. At the same time it has arguably been overcomplicated in terms of the way it has been described.

Peter Cameron, Managing Director of AVG (AU/NZ), says: “What if I told you that Hotmail was a good example of cloud computing, would that make it more straightforward? The concept really is as fundamental as a user tapping into a data centre via his or her Internet connection to get access to an online service, which in this example would be Hotmail email.

“Let’s expand this definition while still keeping it simple. As our web usage has become more sophisticated and web pages themselves have become more dynamic, the definition of an online service has progressed.

“Where we once used the web to find information, we now interact with the web as its services have evolved to become applications in their own right. These services now exhibit computer functionality in the same form that you would expect to get from your own PC,” Cameron says.

Did You Know:

• Cloud computing is bound by the same trust issues as any other technical service, but with the additional complexity of adding another layer of abstraction.
• If architected and deployed correctly, cloud computing can bring new, more scalable streams of computing power.
• Security thought-leadership association, the Jericho Forum, has outlined steps companies should take before signing up to cloud services in its Cloud Cube Model.
• AVG LinkScanner® safe search and surf technology can apply more than 100 different potential threat indicators to a web page.

So cloud computing power begins life in a centralised data centre and is then delivered to users as individuals, or on an aggregated level to an entire company. This so-called enterprise level rung of the computing ladder is where we would use the term Software-as-a-Service or SaaS.  

Cloud Computing Without Trust is Just Low-Hanging Fog 

If cloud computing is delivered (and quite crucially, also deployed) intelligently, it is a positive game changer as it has the potential to deliver real cost savings through the sharing of hardware and software resources that its operation naturally dictates. Compound this fact with the efficiencies that can be brought about in terms of flexibility when demand for IT escalates (or equally declines) and it is clear to see that this cloud computing paradigm has an important place to play in modern data centres everywhere.

The caveat here though is that cloud computing requires trust in the service provider who hosts the data centre and without trust we have no guarantee of security.

So how do we move forward? Well, while cloud computing is still in its adolescence (comparatively speaking) we need to examine how much data the business will expose to externally outsourced computing power.
Security guru Bruce Schneier recommends a closer examination of the security issues related to moving more resources to the cloud. “IT security is about trust. You have to trust your CPU manufacturer, your hardware, operating system and software vendors – and your ISP,” Schneier states on his blog ‘Be Careful When You Come to Put Your Trust in the Clouds’. “Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems.

“When a computer is within your network, you can protect it with other security systems such as firewalls and Intrusion Detection Systems (IDS). You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like,” says Schneier. “With any outsourcing model, whether it be cloud computing or something else, you can’t. You have to trust your outsourcer completely. You not only have to trust the outsourcer’s security, but its reliability, its availability and its business continuity.”

How Do We Get Inside the Cloud? 

The Jericho Forum has developed a series of strategies that it believes companies should adopt when dealing with cloud computing providers. These strategies are encapsulated in what is known as the Jericho Forum’s Cloud Cube Model, which discusses the key factors that companies should consider before entering into an agreement with a vendor or service provider.

Adrian Secombe, Jericho Forum board member and chief information security officer for the pharmaceutical company Eli Lilly, says: “The cloud approach to organising business can be both more secure and more efficient than the old-style silo structure.

“Viewed from a different perspective it opens a potential Pandora’s Box of security nightmares… not least of which is loss of data confidentiality and integrity.

“A carefully analysed and chosen approach to implementing cloud computing can bring those security issues back under control,” says Secombe. “It’s essential to get the foundations right and for each business to develop a cloud model that enables consumerisation, drives down cost and reduces risk.”

Apart from the potential trust concerns associated with migrating email to a hosted managed service provider, there do not appear to be any specific security threats posed by such online applications themselves.

However, up to date anti-malware software such as AVG Internet Security Business Edition can provide an invaluable protection layer for mission critical systems.

AVG’s LinkScanner free software for Windows and Mac also helps to prevent web-based attacks, which could ‘potentially’ be integrated into cloud-based applications and associated websites. LinkScanner actually uses a cloud-based database for part of its assessment as to whether a particular website is hosting malicious code.

“AVG LinkScanner can apply more than 100 different potential threat indicators to a page. If the result is inconclusive, LinkScanner then makes a call to the cloud to check a multitude of phishing feeds plugged into the AVG research network to make a final determination regarding threat potential,” Cameron says.

While cloud computing may not ultimately live up to all the hype that has surrounded it, it appears to be the logical way for the next generation of computing to develop. It’s safe to say that most businesses will eventually adopt at least some aspects of the model – especially if it proves to be more economical and flexible.

“The need to trust whoever is providing the cloud service appears to be an inescapable reality but it is also apparent that there are some steps that companies can take to mitigate risk – from high-level modelling to more tried-and-tested approaches to Internet and hardware security,” Cameron concludes.

What To Do

• Check out the Jericho Forum cloud computing cube model before entering into an agreement with a vendor or an ISP.
• Analyse how much data you will be exposing to outsourced computers and how much risk this puts your business at.
• Use up to date anti-malware software such as AVG Internet Security Business Edition to protect mission critical systems.

See also AVG Technologies’ CEO, J.R. Smith’s blog – Security must be a key consideration when considering cloud computing.

AVG (AU/NZ) has a comprehensive range of security tips for home and business users on its web site at www.avg.com.au/resources/security-tips/.

About AVG (AU/NZ) Pty Ltd — www.avg.com.au

Based in Melbourne, AVG (AU/NZ) Pty Ltd distributes the AVG range of Anti-Virus and Internet Security products in Australia, New Zealand and the South Pacific. AVG software solutions provide complete real-time protection against the malware, viruses, spam, spyware, adware, worms, Trojans, phishing and exploits used by cyber-criminals, hackers, scammers and identity thieves. AVG protects everything important and personal inside computers — documents, account details and passwords, music, photos and more — all while allowing users to work, bank, shop and play games online in safety.

AVG provides outstanding technical solutions and exceptional value for consumers, small to medium business and enterprise clients. AVG delivers always-on, always up-to-date protection across desktop, and notebook PCs, plus file and e-mail servers in the home and at work in SMBs, corporations, government agencies and educational institutions.