Security from the cloud for the cloud

More flexibility, better scalability and, above all, lower costs: the arguments for cloud computing are hard to refute. The pioneering outsourcing concept promises high sales potential. However, half-baked security technology often proves to be a stumbling block. But even here the cloud offers an appropriate solution.

Security issues are often a central problem with Software or Platform as a Service solutions. A study conducted by the University of Darmstadt reveals that 22 percent of the respondents see security issues as the main obstacle to the implementation of cloud computing. Confidentiality and legal and compliance issues came in second and third place, with 19.8 and 11.9 percent respectively.

Surprisingly, technical problems are far less often seen as an obstacle: only 7.9 percent have doubts about the reliability of the solution and a very small percentage (3.4 percent) refer to potential performance costs as an argument against cloud computing.

The principal worry is that data or identities fall into the wrong hands. This was confirmed by a study done by IBM concluding that 80 percent of companies have security concerns about the introduction of cloud computing.

Cost savings main motivation

Despite existing security concerns, the triumph of Cloud Computing will hardly be halted. Cost aspects still play a central role in the decision-making process for selecting the right solution. Here, the Cloud is far ahead: you only pay for the services you actually use.

If the number of users increases, capacity can simply be added to meet increased demands; if the number of online users dwindles, capacity can be easily reduced without leaving an expensive in-house IT infrastructure unused. Instead of facing high upfront investments, companies opt for flexible, tax-deductible operational costs.

The study conducted by Darmstadt university concludes that 22.4 percent of respondents indicate cost reduction as the main argument for choosing a Cloud solution. Scalability (20.4 percent) and increased flexibility (19.9 percent) come second and third.

The lovely world of apps

But it is not only companies that appreciate the growing Cloud. The consumer market can no longer exist without the Cloud. For the “Public IT cloud,” as well as for publicly accessible and non-customized cloud applications, IDC expects a cumulative annual growth of 27.6 percent in the next few years. IT expenditures alone are expected to rise from 21.5 billion U.S. dollars in 2010 to 72.9 billion U.S. dollars in 2015. In addition, there are enormous opportunities for infrastructure and terminals.

“Cloud services are accompanied and driven by other revolutionary technologies, for example, mobile or wireless devices and social networks,” said Frank Gens, Senior Vice President and Chief Analyst at IDC. In all of these trends and technologies, Gens sees “a third pillar for a long-term growth”.

This growth is also very clearly reflected in recent sales figures: in the second quarter of 2011 alone more than 107 million smartphones were sold, reports Gartner Inc., a staggering increase of 74 percent. This hype may have been made possible by the public Cloud: from app stores to online navigation, shop search and Facebook on the go. IDC estimates that more than 182 billion apps will be downloaded in 2015.

Security as a quality feature

The numbers speak for themselves. No matter whether you think it’s a good or bad thing and despite all the security concerns: Cloud Computing is the IT trend for the coming years. With this trend it is of utmost importance now and in the future to gain companies’ trust and to hold on to it.

The Darmstadt study reveals that availability and response time are perceived as the most important qualitative characteristics of a cloud computing solution, with 34 and 18 percent respectively. These features are rarely indicated as an impediment.

However, there is still room for improvement in terms of security. Compliance with privacy requirements is deemed critical by 24 percent of the respondents. An equal share perceives the security mechanisms offered as a vital criterion. But the study also reveals that the customer is not satisfied with the current offering: more than 50 percent cite security, compliance and privacy concerns as a reason NOT to choose cloud computing.

Anyone who wants to stand out in the Cloud will score with a sophisticated security concept. The same principle applies to the Cloud as to traditional IT: a combination of user name and static password isn’t sufficient as a security concept.

Even if users are forced to choose monstrous passwords that include numbers and special characters, the password in itself doesn’t offer adequate protection. Static passwords have been proven to be weak time and time again and are unsuited as the sole security mechanism – especially in the Cloud.

To know and to have

Adequate security is only provided by multi-factor authentication. It requires the user to know something – a PIN code for example – and to have something, such as a hardware authenticator or an application that calculates a one-time password. This one-time password is calculated at every log-on and is only valid for a few seconds.

Intercepting these passwords is hence useless to hackers. Furthermore, transactions or messages cannot be falsified as the content of the transaction is included in the calculation of the one-time password. Any change will render the password or signature invalid. Such digital signatures have long been standard in the banking world.
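The article names no algorithm, so the following is an added example, not code from the article or from any vendor's product. It assumes RFC 6238 TOTP for the log-on code and a simplified HMAC construction that also covers the transaction fields; the 30-second step, the field names and the sample secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (assumption; the article says "a few seconds")

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """Log-on code: HMAC over the current time-step counter (RFC 6238)."""
    counter = struct.pack(">Q", int(now) // STEP)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest(), digits)

def sign_transaction(secret: bytes, now: float, account: str, amount: str) -> str:
    """Transaction code: the time step and the transaction fields are MACed together."""
    counter = struct.pack(">Q", int(now) // STEP)
    # Length-prefix each field so ("12", "3") and ("1", "23") cannot collide.
    fields = b"".join(struct.pack(">H", len(f)) + f
                      for f in (account.encode(), amount.encode()))
    return _truncate(hmac.new(secret, counter + fields, hashlib.sha256).digest(), 8)

def verify_login(secret: bytes, code: str, now: float, drift: int = 1) -> bool:
    """Accept the current step plus or minus `drift` steps to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-drift, drift + 1))

def verify_transaction(secret: bytes, code: str, now: float,
                       account: str, amount: str, drift: int = 1) -> bool:
    """Recompute the code from the fields the server actually received."""
    return any(hmac.compare_digest(
                   sign_transaction(secret, now + d * STEP, account, amount), code)
               for d in range(-drift, drift + 1))

# Constructed sample values; the secret is the published RFC 6238 test key.
SECRET = b"12345678901234567890"
```

A captured log-on code stops verifying once the time window has moved on, and a transaction code stops verifying as soon as the account or amount seen by the server differs from what the user signed.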

The question then remains why multi-factor authentication isn’t already an integral part of any cloud-computing application. This is probably due to cost considerations. Cost reduction is once again the main argument for Cloud Computing.

This is also the reason why so many customers shy away from the additional investment in a security concept that brings no immediate return on investment. An attitude which quickly changes when the company concerned is making headlines because of a data breach.

Authentication as a calling card

Many cloud computing providers shy away from the move to multi-factor authentication because it makes their offerings more expensive, and using damage that was never sustained as a selling point is simply not easy. Additionally, a technically effective security architecture is anything but trivial.

And last but not least, the security server should act as a so-called gatekeeper for any cloud computing application. Who is allowed in and who is not should be decided quickly, so as to avoid long queues. In contrast to prestigious night clubs, however, the Internet user doesn’t perceive such a ‘waiting community’ as an enticement. If it takes too long to establish the identity of the user – no problem, the competition is just a mouse-click away.

Choosing, and above all correctly deploying, a powerful access control solution for a cloud-computing service is a science in itself, as the hacker community continuously evolves. Therefore it is very important to keep an eye on these trends and to adapt security technology accordingly. And let’s not forget the efforts required for the deployment and maintenance of hardware or software authenticators.

Outsourcing security

All of these problems that arise with securing cloud-computing applications are best met with a cloud-computing application. Each login request is then simply redirected to a hosted security service that takes care of the authentication process. As a customer you hence no longer need to worry about availability and scalability.

Cloud computing will fundamentally change the IT landscape over the next few years. In the era of Internet that is universally available for all, it no longer matters where data are physically hosted or processed. This creates new opportunities for the division of labor and outsourcing.

In the future, everyone will do what he does best and leave everything else to a specialist who can do it better. Customers accept the new concept, and concerns arise, if at all, only in terms of safety. Cloud computing is a matter of trust. Therefore one should not hesitate to leave the important matter of multi-factor authentication in the hands of experienced specialists.

Jan Valcke is VASCO’s President & Chief Operating Officer and has held this position since 2002. Jan has been an officer of the company since 1996. From 1992 to 1996, he was VP of Sales and Marketing at Digipass NV/SA, a member of Digiline group. He co-founded Digiline in 1988 and was a member of the Board of Directors. He received a degree in Science from St. Amands College in Kortrijk, Belgium.