This interview is the second in my series of talking with our partners to discuss the challenges posed by physical, virtual and cloud environments. In early March Trend Micro entered into a partnership with Qualys to sell the QualysGuard IT Security and Compliance Suite along with Trend Micro Enterprise Security compliance offerings with the goal of providing a more comprehensive solution for customers worldwide. This partnership delivers on Trend’s vision of “security that fits” by addressing both security and compliance needs.
Recently I sat down with Philippe Courtot, Chairman and CEO of Qualys. As the CEO of Qualys and a founding member of the Cloud Security Alliance, Philippe understands both the potential of cloud computing and the challenges to implementation. With thousands of customers worldwide relying on Qualys’s on-demand IT security risk and compliance management solutions, Qualys is at the forefront of IT’s move to the cloud. Here’s what Philippe had to say.
Wael: There’s a lot of interest in cloud computing these days. What’s your take on it, and why is Qualys looking to the cloud?
Philippe: Today, cloud computing has gained great momentum among enterprises with a variety of vendors providing higher service levels and offering platforms to deliver business critical applications. The concept of cloud computing, quite simply, means that vast computing resources including hardware, critical business data and applications, reside somewhere outside the enterprise, “in the cloud” and can be easily accessed from a web browser. This delivers a range of benefits, from lower capital expenditures on hardware, software and services, to cost savings on utility bills, to enabling staff to access a broad range of applications remotely from a variety of devices.
At Qualys, we were early adopters of cloud computing, where we pioneered the Software-as-a-Service (SaaS) model to deliver highly scalable IT security and compliance solutions to enterprises. Over the past few years the SaaS model has proven to be the right delivery mechanism for such complex and distributed IT applications, as it eases the deployment complexities for customers and provides unprecedented security and scalability capabilities, which would be very hard to attain using any other enterprise software-based solution without significant additional cost to fund the onsite deployment and ongoing maintenance of hardware and software.
Wael: The benefits of cloud computing are numerous. However, before rushing into the cloud, are there any areas where enterprises should pay careful attention to make sure they get it right?
Philippe: As companies increasingly store data in the cloud, concerns about information security will be at the forefront of most IT professionals’ minds. The idea of storing critical business data on a third-party server to which multiple ‘tenants’ have access could be fraught with danger if not properly planned and executed. In fact, security of data is one of the key concerns for organizations considering adopting a cloud infrastructure.
Wael: Before moving to the cloud, what should organizations do to address these security issues?
Philippe: An organization must assess the specific security risks that storing sensitive data outside the enterprise entails. Data stored on a third party cloud service will bypass the physical, logical and personnel controls of the organization’s in-house IT team, meaning it is crucial to demand transparency from the cloud vendor to be confident that every precaution is being taken to secure data in the cloud.
Questions must be asked about the security policies in place, which include such areas as data classification, identity access, privacy, where the data is being stored and who is managing the data. Also, the service level agreements (SLAs) are more important than ever to ensure that the data is safeguarded and that service and control processes are running as intended. IT professionals need to be confident that their cloud vendor will meet the organization’s stringent security requirements and be able to provide the metadata and logs needed for forensics in case a security breach ever occurs. This becomes particularly important in a cloud environment, and the cloud vendor needs to be prepared to demonstrate these capabilities and provide the required audits, such as SAS70, to back it up.
Wael: Why is data location of concern with cloud computing?
Philippe: When handing data over to a cloud vendor, an organization might not know where it is being hosted, or even in which country the cloud server is located. Data location needs to be part of the contractual agreement, where the cloud vendor will commit to obey local privacy requirements within the country in which the customer is headquartered. The location of data can have significant legal implications. In some sectors, such as the UK financial sector, it is crucial that the data is stored in the UK to comply with strict regulations.
Wael: Who is ultimately responsible for compliance?
Philippe: An organization is still ultimately responsible for the security and integrity of its own data, even when it is being held by a cloud provider. Service providers have traditionally been subjected to external audits and security certifications. Those cloud providers who are unable or unwilling to allow such auditing of their physical or network security measures should be avoided. It is important that data placed in the cloud does not violate global regulatory compliance requirements, such as the US government's HIPAA or Sarbanes-Oxley, the European Union's Data Protection Directive, or the credit card industry's PCI DSS. In fact, in the UK, the PCI DSS standard requests that the cloud computing vendor must be PCI DSS compliant in order for the merchant to qualify for compliance.
Another issue to consider is that of data prioritization: what should be kept on-site and what should be placed in the cloud, as data in the cloud is typically in a shared environment and will sit alongside another organization’s data. It is crucial to find out what the cloud vendor is doing to segregate data that sits in storage. The cloud provider should also offer evidence that encryption schemes are in place and tested.
Wael: What considerations or factors would you advise organizations to look carefully at, before proceeding with an infrastructure-as-a-service (IaaS) cloud computing provider?
Philippe: The continuity and availability of data is a must for most organizations, and it is important that the user can be confident that its cloud provider offers a guaranteed level of availability and business continuity. There should also be a ‘get-out’ clause, meaning that if a cloud provider goes out of business or is acquired, the organization can easily remove its data.
Long-term viability of the cloud vendor is something that should be explored, along with how an organization would recover its data should a provider be acquired or go into receivership. With an increasing number of cloud vendors entering the market, the data should also be provided in a format that would allow it to be easily replicated and transferred to an alternative service provider.
Contingency planning of all components is crucial to the success of moving data into the cloud to ensure peace of mind for future security. Some enterprises adopt a hybrid cloud environment that consists of both in-house and cloud based services. This enables them to decide what data should be placed within the cloud and which sensitive data they want to keep within the walls of the enterprise. As they gain confidence in the security of the cloud, they can move more data into the cloud to gain its benefits.
Wael: Philippe, it’s been a pleasure speaking with you, as always. Any last words regarding cloud computing?
Philippe: Yes, of course. The increasing popularity of cloud computing has driven more and more cloud vendors to enter the market. It shifts the power back to the customer, providing them with more choices and flexibility. One of the advantages of the cloud model is that it releases an organization from the shackles of its legacy infrastructure. If another cloud vendor offers a more appealing alternative for an organization, it should be relatively easy for customers to migrate their data to the new provider.
However, the key part to remember when entering a contract with a new cloud supplier is that although an organization may physically remove the data from its immediate control, it does not relinquish the responsibility to ensure that the data remains safe. So to reiterate ‘in the cloud we trust’ – it is our duty to make sure that all security measures are firmly in place when moving to the cloud to protect our data.