A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³'s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs in the cloud.

How much responsibility lies with the cloud-based service provider largely depends on the type of service.

With an IaaS setup, for example, the customer is usually responsible for protecting everything above the middleware and APIs, including the applications and operating system, says Todd Thiemann, senior director of security vendor Trend Micro 's Data Protection group. The terms of service for Amazon's IaaS offering, for example, state that the customer is responsible for protecting the data it puts into the public cloud, he adds.

In contrast to IaaS arrangements, a software-as-a-service provider is usually responsible for protecting whatever customer applications and data reside on its cloud. That setup often works well for budget-challenged businesses, because it gives them access to advanced security technologies and resources that they might not be able to afford in-house.

IBM's LotusLive SaaS offering, for example, which was launched January 2009, utilizes "the same standards, security, compliance and governance we use to run major business systems for some very large and important companies," says Sean Poulley, IBM's vice president of online collaboration services. For example, LotusLive data centers are protected by environmental and biometric controls, including closed-circuit TV. Access control is handled by IBM's enterprise-scale Tivoli software.

However, many cloud-based service providers -- and SaaS providers in particular -- feel that their security practices and technologies give them a competitive advantage, so they don't like to reveal details about how they approach security. This means companies have to take the vendor's word that its systems are indeed secure and compliant. "Vendors have done little to accommodate security risk evaluation," says Gartner's Heiser. "They may have incredibly secure and robust systems, but there's no sensible way to ensure this." Security accreditation standards such as ISO 27001 and SAS 70 Type 2 provide some assurance, he adds, noting that "27001 is more relevant to cloud security issues, but weak when applied to new forms of technology."

Playing nicely with the cloud

Many SaaS vendors are understandably reluctant to have a customer insert third-party security products into their proprietary platforms, even if it's just an agent that would permit a customer's security system to interact with theirs.

For example, Pfizer  had outsourced some security services to D3 Security Management Systems  and was interested in using Oracle 's Access Manager in D3's incident management applications. But D3 expressed concerns about installing Oracle agents on its systems, says Kurt Anderson, the pharmaceutical company's manager of global operations business technology.

Anderson solved the problem by using Symplified 's SinglePoint Cloud Access Manager, which does not use an agent, but rather interacts with D3's published APIs, he says.

Since IaaS customers technically own their virtualized slice of a vendor's infrastructure, they can install security software and controls. However, only a few vendors provide products that can protect both private and public cloud-based environments.

One such product is Trend Micro's Deep Security 7. Once its agent is installed in a private or public cloud infrastructure, it can perform deep packet inspection, monitor event logs and monitor system activity such as file changes for unauthorized activities, Thiemann says.

Shavlik, a cloud-based vendor that provides systems management for private cloud installations, tackles public cloud security from a different angle. It licenses its patch and configuration management and compliance-monitoring software to cloud-based service providers -- including its own IaaS provider, says Mark Shavlik, the company's CEO.

Cloud-based service providers are catching on to the fact that using an established commercial security product can attract customers. For Logiq³'s Westgate, BlueLock's use of Shavlik's software was a definite selling point. "I am very familiar with Shavlik: I've been using it for patch and configuration management for years," he says.

Access control in the cloud

The dynamic, flexible resource provisioning that makes virtualization and cloud services so attractive to cost-challenged IT executives also makes it difficult to track where data is located at any given time, and who is accessing it. This is true in private clouds, and even more so in public cloud-based systems, where access control has to be correlated between the customer and the service provider -- and often several service providers.

Pfizer uses Symplified's Single Point Cloud Access Manager to provide single sign-on (SSO) functionality across different SaaS providers and applications. When the end user moves between an Oracle- and a Symplified-managed domain, for example, he still has to log on again but he can use the same set of credentials, Anderson says.

Symplified and Ping Identity  are two vendors that currently provide SSO systems for both internal and SaaS cloud-based applications, using federated identity technology that coordinates user identity and access management across multiple systems. However, Anderson feels that it's up to the SaaS vendors to adopt a more holistic and standardized form of access management, so the customer would no longer have to bear that burden.

Another access management concern when dealing with a cloud-based service -- or any outsourced service for that matter -- is how to ensure that the service provider's system administrators don't abuse their access privileges. Again, SaaS customers don't have a lot of control or oversight of how the service provider addresses that issue. IaaS providers, in contrast, will often allow a customer to install event log monitoring software on their virtualized portion of the infrastructure.

Logiq³, for instance, uses Sentry Metrics 's security event management service, which monitors event logs, does trend analysis and reports on anomalies. So the Sentry Metrics system could, for example, alert Logiq³ when a BlueLock administrator logs on without being given a specific job to do, Westgate says.

Checking bona fides

Customer control and monitoring of a carrier's cloud can only go so far, however, no matter what the type of service. So how do you ensure that sensitive data is adequately secured and protected?

Service level agreements with monetary penalties don't cut it, says Pfizer's Anderson, especially for a Fortune 50 company, since "the small amount they get back is a pittance" compared to the cost of a major security breach.

Therefore, due diligence is critical, Anderson says. Pfizer uses SAS 70 Type 2 certification, in which an independent third party audits the service provider's internal and data security controls. Anderson also verifies the vendor's level of Safe Harbor compliance and checks Dun & Bradstreet research to make sure it's legitimate, he adds.

Another standard by which to evaluate a service provider is ISO 27001, which defines best practices for designing and implementing secure and compliant IT systems.

While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. Companies still need to match a service provider's specific controls to their specific requirements, he adds.

For example, after checking out BlueLock's SAS 70 Type 2 accreditation, Logiq³'s IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.

Cautioning users doesn't work

Many companies that want the cost benefits of cloud-based services but still have security concerns tell their end users not to put sensitive data on the cloud. But this is generally an exercise in futility, according to Heiser. "The problem is that users often don't know what's sensitive, and probably won't follow the rules anyway," he says. "You can assume that any application or data service end users can pump with data will get sensitive data eventually."

Pfizer is in the process of establishing a SaaS center of excellence to educate users about the correct way to deal with SaaS activities, Anderson says. In addition, his group is establishing best practices for procurement of SaaS services. Among other things, those best practices forbid applications that involve competitive or personally identifiable information from being included in a SaaS setup.

Basic security tasks such as access control and rights management become even more complicated when, as often happens, a SaaS provider outsources its infrastructure or development platform to another cloud-based service provider -- adding yet another party to the equation.

Take the case of Cloud Compliance , which provides access-control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems. "There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers.

For example, Cloud Compliance encrypts data in transit and gives customers the option of either encrypting data at rest -- on Cloud Compliance's Amazon-hosted servers -- or not putting any data in the cloud. The latter option involves a performance hit, since customers have to re-upload data into the cloud every time an application is run, but some customers accept that trade-off in return for a higher level of security, Forkish notes.

Cloud Compliance's external customers do ask about Amazon's security, Forkish says. The concerns they raise change from month to month, depending on what vulnerabilities the press has been writing about, he adds. Cloud Computing will either address their concerns or, if it can't, pass them on to Amazon.

"In some cases, we don't get a response, and we figure this is a real issue, but they're working on it," Forkish says. But the recent Zeus botnet incident on Amazon, he says, "as far as we can tell, was not a threat over and above what we would expect for an Internet service, cloud-based or not."
Compliance in the cloud

Public clouds add a whole new set of issues to regulatory compliance -- issues that providers, users and regulators themselves are just starting to look at. HIPAA and Sarbanes-Oxley privacy and data-retention requirements weren't designed with cloud-based services in mind. "IT staffs have to figure out new ways to analyze and assess risk, and how to meet compliance requirements," Forkish notes. "Many compliance standards require being able to point where data is, which is impossible with a cloud. And there's legal discovery, getting access to data when required. Can discovery be done by a third party without your knowledge because it resides on cloud storage? These are examples of things I think will be worked out over course of next couple years."

In the meantime, Forkish suggests, many businesses, especially those in highly regulated industries, will entrust their sensitive data to private clouds or traditional managed services "and maintain the status quo."

And then there are the pioneers like Logiq³'s Westgate, who says he sees cloud computing as "a natural evolution of how we are managing systems in this industry" and adds that the key question about this evolution "is not why, but why not?"