A recent interview with Gartner analyst John Pescatore describes the key security aspects data center managers should know before adding cloud-based services to their offerings. Pescatore has 32 years of experience in computer, network and information security. He also worked at the National Security Agency and the U.S. Secret Service.
Q) What are the primary differences between cloud computing and Software as a Service (SaaS)?
A) SaaS is when you consume and pay for an application on a monthly basis. Cloud computing represents the “infrastructure” that SaaS is built upon. Salesforce.com is an example of SaaS, whereas Flickr.com [an online photo management and sharing application] is an example of Storage as a Service. Flickr operates by using Amazon’s storage cloud and buying storage and capacity from Amazon as the demand arises. Google’s services [Google apps or Gmail] are examples of Software as a Service that are also implemented through cloud computing. Rather than using MS Office—software you can buy on a CDROM and own rights to—you can consume word processing or e-mail as a service through Google apps. Both businesses use cloud computing to implement their services and therefore do not really have their own data centers.
Q) How does cloud computing make an organization more vulnerable to attacks?
A) One of the major issues is loss of control of where your data is stored. Cloud-based information can be stored in any data center around the world that supplies capacity. The second issue is that you don’t necessarily get service-level agreements that guarantee perpetual access to your information. This means that if the data center were to crash, you don’t know if you will have access to your information. When you use cloud-based computing, you don’t know if the security of all the servers out there equals yours; you don’t know if one of the global data centers you’re using has been compromised or if a sniffer has been installed. With security cloud-based services, you have to give up a certain level of control.
Q) How can enterprises save money with security technologies and techniques by using cloud computing? Today, using cloud-based security services is not necessarily cheaper than doing it yourself.
A) If you looked at the software licensing costs, and so on, you might pay the same amount as you did [for] email security in a cloud. You could save data center space and personnel time; however, it’s really more about reducing the total cost of ownership than strictly reducing the line item that says “email filtering.” You could put hundreds of dollars of security software on every laptop and spend lots of time trying to manage these laptops, or you could pay half that per user per year by using cloud computing. The information would flow through a cloud-based security service and threats could be filtered before they reach the machine. That's what we look for in the future: that cloud-based security services will enable less expensive ways of dealing with future threats.