Staying secure in the cloud

What are the security challenges and issues that enterprises face with cloud computing? These were discussed at length during a recent CIO roundtable.

Like the wider marketplace, the security landscape is ever-changing, with new nasties popping up every minute. According to some analysts, digital threats have increased up to fivefold. Not surprisingly, security is a top-of-mind issue for CIOs and their C-suite colleagues. A recently concluded CIO Asia survey on IT security in the Asia Pacific found that, despite the quieter economic conditions, enterprises here spent up to 10 per cent more safeguarding themselves in 2009 than in the year before.

New technological innovations and usage models present security challenges, too. One example is cloud computing, where providers deliver common business applications over the internet, accessed by users via a Web browser, with software and data stored on the providers’ servers. While the use of cloud services can help simplify physical IT infrastructure and cut costs, staying secure within a cloud is a concern. Still, the uptake for cloud computing is likely to be enthusiastic in 2010 and beyond. A recent survey of enterprises in the Asia Pacific by research house IDC found that 41 per cent were evaluating or already piloting cloud solutions; 11 per cent were already into cloud computing.

Not quite everything

One company that has taken to cloud services is Adval Tech, a global provider of technology and processes for metal stamping and forming and plastic injection moulding. “We’ve just moved spam protection service into a cloud. Email resides predominantly in a cloud anyway so I may as well have my security services out there at the same time. But there are certain things – one example is ERP – that I wouldn’t put in a cloud,” said Paul Sharp, head, IT and supply chain, consumer good division, at a recent CIO Asia roundtable held in Singapore, sponsored by RSA, the security division of EMC.

Agreeing that ERP is too enmeshed with critical business processes to be outsourced to a cloud service provider, George Wang, director of infrastructure technology, Neptune Orient Lines (NOL), said commoditised ‘utilities’ such as e-mail make for better candidates.

“We do a lot of other types of outsourcing. I agree that cloud computing will come but the big question is what’s the right and reasonable thing to do at the moment,” said Wang, who is also a vice-president of the Association of Information Security Professionals in Singapore.

This sentiment was shared by some of the other roundtable participants. Likening the current state of cloud computing to how people used to keep their money at home before the advent of banks, Tan Ai Tong, director, global information security, Celestica Electronics, said a cross-industry regulatory framework would help raise uptake. There is currently no international legislation governing cloud computing, and this acts as a disincentive for those thinking of moving to cloud services.

The hesitance is especially pronounced in heavily-regulated industries, said Tay Beng Hwee, regional IT director, Asia Pacific and Japan, Becton Dickinson & Company. His company, a leading manufacturer of medical devices, instrument systems and reagents, is piloting some cloud services in the United States, although it is too early to tell if cloud computing will work for the company in this part of the world, he added.

Leap of faith

Agreeing that there is no ‘silver bullet’ when it comes to the adoption of cloud services, Vincent Goh, managing director, Southeast Asia, RSA, said the first thing enterprises wanting to enter the cloud space need to do is ask themselves what exactly they wish to outsource.

“First, you need to know what you have. That itself is a feat. Also, bear in mind that while you can outsource the job, you cannot farm out the responsibility. Security and usability is a very fine balancing act and every organisation has a different approach. Recognise that it’s a journey; what you have now will change a year later because the technology is going to change and the market is going to change.”

Some enterprises see security as an unavoidable pain, a brake on their operations. The more enlightened ones, Goh said, first go about protecting themselves and then proactively use security as an enabler of new business areas.

Sharp, of Adval Tech, offered further advice. “The thing is to avoid the buzzwords. We look at the various services. We look at what we can put out there with relatively low risk to us as a business. We look at the vendors and do an in-depth analysis of each one. And we look at how we can bring an outsourced service back in-house if we want to.

“At the end of the day, it’s about whether it’s more cost-effective to put it in the cloud than to run it ourselves. It’s always a leap of faith. The key thing is when you leap off the ledge, the vendor leaps with you and you’re holding each other.”

Service auditability is important, too, though service providers seem to have the upper hand here. Said Tan of Celestica Electronics: “We do outsource to cloud service providers but most of them do not like annual reviews or audits.”

The lack of legislation on audit requirements for cloud service providers does not help, added Mark Lim, head of IT and infrastructure at Tiger Airways. For instance, he said, auditors sometimes ask the IT organisation for SAS 70 (Statement on Auditing Standards No. 70) reports, which verify that a service organisation (in this case, a cloud service provider) has had its control objectives and activities examined by an independent accounting and auditing firm; cloud service providers may not be able to provide these.

“The onus [to provide such reports] should be on cloud vendors, not their corporate clients,” said Lim.

“If something goes wrong, who does the client go after?” Paul Loke, senior assistant director, computing and information systems, National Heritage Board, asked rhetorically. “Right now, there’s no clarity.”

Still, there was wide agreement that there’s no ‘running away’ from cloud computing.

Boon or bane?

The sentiment is likewise for social networks such as Twitter, Facebook and LinkedIn. While they enhance collaboration and make it easier for enterprises to reach out to customers, they also make it easier for employees to share data and to take it outside the corporate perimeter.

For the National Heritage Board, though, social networks are a way of reaching out to would-be visitors to its museums.

“We need social media. I need staff to be playing on Facebook, MySpace, Flickr etc. It’s a real business need but on the other hand, I don’t want staff spending too much time on them. We have a very standardised environment so a security flaw in one machine might affect all 500 machines,” said Loke.

The board does not impose heavy controls on the use of social networks. Instead, it adopts a light touch and trusts its staff to be responsible users of such networks.

At the other end of the tolerance spectrum is Tan, of Celestica Electronics. “My position is we should not allow these as there’s very little value to the enterprise. Staff have other means to do what they want [on social networks] but on a device that doesn’t connect to the corporate network.”

Unsurprisingly, there was broad agreement among the roundtable participants that making staff more aware of their individual and collective roles in security is important. StarHub does this through quarterly security awareness presentations. David Skinner, vice president of IS, shared how the company constantly reminds its users that the desktops and laptop PCs they use in the office are company assets: the machines all use one standardised wallpaper and personalised ones are disallowed.

Need for CISO?

The need, or not, for a chief information security officer (CISO), and whether this person should have an IT background, also came up for discussion. While recent research shows that 85 per cent of big corporations in the United States have a CISO who is not also the CIO, a number of the roundtable participants did not see the need for such a role.

But one company that has a CISO is StarHub. “We formed a security committee not so long ago because we didn’t want the focus to be on IT only. We’ve got a corporate security officer now and he’s not an IT person and his role is to spread knowledge throughout the organisation and increase awareness,” said Skinner.

And while Integrated Health Information Systems (IHiS), which consolidates the IT resources of the different restructured healthcare entities in Singapore, does not have a single person looking after corporate security, it does have a risk management unit. Its auditors also play a part in identifying gaps, said Robert Poh, director of security services.

Delegates at the roundtable

  • Paul Sharp, head, IT and supply chain, consumer good division, Adval Tech
  • Tan Ai Tong, director, global information security, Celestica Electronics
  • George Wang, director of infrastructure technology, Neptune Orient Lines
  • Tay Beng Hwee, regional IT director, Asia Pacific and Japan, Becton Dickinson & Co
  • Mark Lim, head of IT and infrastructure, Tiger Airways
  • Paul Loke, senior assistant director, computing and information systems, National Heritage Board
  • David Skinner, vice president of IS, StarHub
  • Robert Poh, director of security services, Integrated Health Information Systems
  • Sebastian Sim, director, business services and operations, Colliers International
  • Vincent Goh, managing director, Southeast Asia, RSA

Moderator: Ross O. Storey, editor of CIO Asia