Building Security Into the Cloud

By Samuel Greengard

Over the past few years, businesses have steadily marched into the cloud in pursuit of greater productivity and IT efficiency. Many have discovered that cloud computing unlocks gains that wouldn’t have been imaginable only a few years ago.

Yet, for all the progress—nearly 97 percent of organizations use some form of clouds, according to the Open Data Center Alliance (ODCA)—huge questions and concerns about securing this data remain.

“Cloud computing and software as a service are rapidly emerging as mission-critical functions,” states Jack Sepple, global managing director of cloud computing for consulting firm Accenture. “The technology and tools provide new opportunities for businesses, but also create new concerns and risks related to security.”

Although clouds require many of the same protections that IT departments have used over the years—patching, encryption, malware protection, endpoint security and data loss prevention, to name a few—they also need a more “comprehensive and overarching approach,” he notes.

Navigating this new cloudscape isn’t an option. ODCA predicts that half of all its member firms (mostly larger companies such as BMW, China Unicom, Deutsche Bank and Lockheed Martin) will have 40 percent or more of their IT operations in private clouds by 2015, and a quarter will run more than 40 percent of their operations in public clouds.

Gary Loveland, principal at PwC, says that companies must move beyond a fear of clouds. “We have moved into a new era of computing and the cloud is an important part of the picture,” he points out.

Into the Clouds

One thing that makes cloud security so challenging is how rapidly the technology and overall cloud environment is evolving. An infrastructure that’s state of the art today may be obsolete several months down the line.

What’s more, cloud technology may force an organization to re-examine long-existing policies and strategies. Although much of the fear of clouds is rooted in the fact that the data often resides outside the four walls of the enterprise, there are real-world risks associated with cloud computing.

In reality, cloud security, like all enterprise security, involves more than technology and technical acumen. It encompasses legal issues, regulatory and compliance requirements, and internal training, as well as addressing the persistent threat of outside attack.

As businesses move into clouds, including software as a service and infrastructure as a service, it’s crucial to build a broad security framework that unleashes the potential of clouds, while protecting against intrusions, data leakage and other risks.

It’s a concept that Clayton Holdings has made a core part of its business and IT practices. The company, which has about 650 employees located in five U.S. offices, provides consulting, loan review and credit risk management services for banks, mortgage lenders, investors and insurers.

“The cloud was a very scary concept to a lot of people working at Clayton Holdings,” notes John Cowles, vice president of intelligent business operations. Nevertheless, in September 2008, the company migrated to an Appian business process management (BPM) system running in the cloud. This approach helped the firm gain key functionality quickly, while decreasing its capital investment.

The project was the company’s first major foray into cloud computing and, with highly sensitive data such as names, street addresses, loan balances, social security numbers and other details residing in its IT systems, “we had to make sure we didn’t wind up in the news,” Cowles acknowledges.

In addition to using conventional security tools such as authentication, malware protection and data loss prevention (DLP), Clayton decided not to store any personal identifiable information (PII) in the cloud. Instead, he built a system that could connect any or all data on an on-demand basis once a user is authenticated through the internal network. A system separates PII about customers from their records using an internal ID. Clayton also relies on a VPN to ensure that all communication remains encrypted.

Employees use a special form that retrieves the cloud-based data and generates a full record from the BPM system. “We conducted a detailed analysis up front, and included input from our security and legal teams, so we knew that we had a high comfort level with the cloud,” Cowles says.

“It’s critical to put the right controls, as well as checks and balances, in place. Yet, it’s also important to get past the notion that you don’t have control if the data doesn’t reside within the systems in your enterprise.”