Safety & Service in the Skies
Three SaaS providers talk about why cloud computing is more secure than you think.
AS COLLEGES AND UNIVERSITIES rely more heavily on software as a service (SaaS), they're putting morecritical data in the cloud. What are the security issues, and how arecloud providers responding? CT went to three higher ed SaaS vendors-- Google, IBM, and TopSchool-- and asked them to share theirthoughts about the state of security in cloud computing. Our panelistsfor this virtual roundtable discussion were:
Anthony Hill, CTO for SaaS-based student lifecycle management provider TopSchool. Previously he was CIO of Golden Gate University (CA), where he led a major initiative to move the university's IT services to the cloud.
Jeff Keltner, business development manager at Google, responsible for Google Apps in the education sector worldwide.
Dennis Quan, director of autonomic computing in the IBM Software Group. He launched the IBM/Google Cloud Computing partnership in 2007.
Campus Technology: What's the most compelling argument SaaS vendors can make that moving services to the cloud is a secure choice for institutions? Jeff, give us a Google perspective.
Jeff Keltner: In our experience, security is one of the top concerns for colleges and universities as they look at taking advantage of cloud computing. But the more we work with schools, the more they come to see that cloud [services] are often much more secure than the environment the schools have been providing, or could afford to provide in house. That's because of the scale and level of investment that a provider like Google has, and the fact that IT security is at the core of what we do. Security is critical for the operation of Google as an enterprise-- whereas for most universities it's something they need to do but it's certainly not a core aspect of what it means to be a college or university. A cloud provider's investment clearly outstrips what a school can afford to invest, and by partnering with a provider like Google, schools can actually get a higher level of security for their information than they were able to provide previously.
CT: What kinds of security issues have emerged in cloud computing projects you've seen in higher education? Dennis, you've been working with the IBM/Google Cloud Initiative-- maybe you could use that as an example.
"The more we work with schools, the more theycome to see that cloud services are often muchmore secure than the environment they couldafford to provide in-house." -- Jeff Keltner, Google
Dennis Quan: In any industry, education included, there's going to be a spectrum of applications and workloads that you'll see moving onto the cloud. In our experience working with higher education, a lot of work has been focused on the research or instructional spaces. And in those areas, security concerns tend to take on a very specific flavor-- not so much security as in confidentiality, but more in terms of safeguards or in some cases having to do with law enforcement.
I'll take the IBM/Google research cloud as an example. About two years ago, we put three clouds together-- one at the University of Washington, one at an IBM research facility, and one at a Google facility-- to support classroom instruction and research uses of cloud computing facilities. The security concerns in such a research or academic setting are certainly not as onerous as they would be, say, for a bank. If you have a cloud that is being used for classroom instruction, you use security not so much as a way to prevent others from seeing your work, but as a way to make sure that there isn't accidental deletion of data that are being created by other students or researchers. Sometimes it is used to ensure that there is fair distribution of resources across multiple teams. You put policies in place to divide the time up in a logical fashion so that no individual can end up monopolizing the environment.
CT: But surely you all must have seen additional areas of concern that are more on a par with other industries.
Anthony Hill: I don't think there's really much difference between the needs of the commercial and education sectors relative to cloud security.
Quan: Of course academic environments hit upon traditional IT challenges, just like any other industry-- running payroll, running HR systems, with confidential student records, and so on. Another area is adherence to government policies. As an example, when we were setting up the cloud computing partnership with Google, the issue came up around export compliance. The reason this comes up is that of course the classrooms that are leveraging these cloud facilities have a mixture of students of different nationalities. [Ed note: Sharing certain kinds of data with foreign students or faculty from some countries can be considered a form of export according to Export Administration Regulations and International Traffic in Arms Regulations.] To enable us to trace or keep records to ensure that export compliance laws are being upheld, we need to be able to create accounts for different students, to be able to have ways of monitoring the information that's kept on the clusters. And in some aspects, it's been part of that security policy to make the information as public as possible in order to prevent it from being treated as sensitive, confidential data.
CT: How can cloud providers show hard evidence of their security practices-- are there standards or groups that can help do this?
Keltner: At Google we've tried to find standard ways to be more open about what we do. The one big one we've gone through is what's called the SAS 70 Type II [Statement on Auditing Standards No. 70 certification, where we have third parties auditing, with a control document-- a confidential document we can show to customers that specifies how we are operating the data centers and what our privacy and security mechanisms are. We are also working toward a FISMA [Federal Information Security Management Act; csrc.nist.gov/sec-cert] certification, which is commonly used by federal government agencies. So we've tried to choose the right ways to be open and transparent, but this is still a very new and emerging space. I'm sure we'll continue to see this space evolve as more and more people get involved and some more standards emerge.
Hill: In IT there are a lot of ways to do things, and I think it's incumbent upon the end-user organization to be able to interview the cloud vendor, learn what its controls and protections are, and what the infrastructure is, and then make a decision. The end-user organizations also can benefit from compliance regulations. SAS 70 can validate that the cloud provider has met all of the controls. It's a very good place-- perhaps the best place-- for the end-user organization to begin. And we can also check references for cloud providers, both with other universities and in the commercial sector. The vendor will provide references, and it's always a good idea just to ask around. And organizations that have been in the market longer will sometimes have user groups.
CT: Do you have any examples of good security measures that may be more easily achieved in the cloud, or that may even be unique to cloud computing?
Keltner: One is the ability to enforce the encryption of data in transit at all times, so the internet is not an exposure risk. So any time a user is accessing our services, the communication between that user's computer and the Google cloud is encrypted. Still another common example we hear is about e-mailed documents. In the cloud world, when you don't send the data, but rather provide access to a spreadsheet or a Google document, you can also later revoke access to those data. So in the cloud, you start to see holes plugged in the way security is done. The model provides some security capabilities that really aren't there when you're talking about data on local machines and clients.
"It's a mistake for schools tothink that by moving to a cloud,they are absolving themselvesof some responsibilities."-- Anthony Hill, TopSchool
CT: What are some security concerns that are out of the direct control of the cloud vendor? Who's responsible then?
Hill: Because an application is in the cloud, it is by default available to any browser. So you have to give additional thought to access control as an end-user organization. Previously for on-premise applications we could rely on authentication to the network. Or we could rely on someone having to be physically on campus to use the application, because the application was installed on the client side on the user's local workstation-- he could not access the application from home or from a café. But with cloud computing, the applications are available anywhere, any time. And while that's a huge advantage, it also means that the end-user organization-- as well as the cloud provider but mainly this falls on the end-user organization-- has to be especially diligent in account management, because the other levels of network or physical security that were previously relied upon have gone away.
Take for example, a terminated employee. There are many stories in the industry where a terminated employee's access to an application was never turned off. Yet the employee in many cases couldn't get to the application anyway because he couldn't log on to the network anymore, or he couldn't come to sit at his workstation on campus anymore. Now, with cloud computing, that has changed, and account management needs to become a lot more rigorous.
Despite the fact that an end-user enterprise goes to a cloud provider to use an application service, there are still joint responsibilities. Security is one of those joint responsibilities. The cloud provider has a set of responsibilities, but the enduser organization also has a set of responsibilities. And for the security model to work, both organizations have to do their part.
I think it's a mistake for any end-user organization to think that by moving to a cloud, they are absolving themselves of some responsibilities. What they're actually doing is leveraging the much larger and more sophisticated infrastructure and management capabilities of the SaaS vendor.
CT: Should IT organizations be asking cloud providers what kind of procedures they have in place to respond to security incidents?
Hill: I think they should ask what mechanisms the SaaS provider has to respond to security incidents, and I think they should ask themselves that very same question. Things that universities typically have not been rigorous about, they need to become more rigorous about in a cloud environment.
Top 10 Questions...
To ask your cloud provider
- What kind of team does your company dedicateto security issues (e.g., number of people, background,focus, and priorities)?
- Do you replicate data at various geographical locations?
- What technologies and procedures do you have in place to protect your facilities?
- Do you offer encryption for client connections to your servers?
- What procedures do you have in place to limit internal access to data?
- Can you provide third-party, independent verification of the security controls you have in place?
- Can you cite as references other organizations that use your services?
- Do you have information on how your services meet regulatory requirements that may apply to my institution and to the education market?
- What is your response plan for security incidents?
- Can my institution move large amounts of data to or from the cloud? In particular, what are my institution's options for retrieving its data when we stop using your services?
CT: So is it a good idea for institutions to ask the same questions to cloud providers that they ask themselves about their own security processes and procedures?
Keltner: Well wait-- there's often an assumption that the operations of the cloud provider's data center and the underlying technical architecture are similar to what an institution would do in-house. That's a misconception. For example, the way Google stores data, or what would be stored on an individual hard disk, would be very different from how an IT shop for even a large university would store data. If someone took a server from a university data center, they'd likely be able to look at the data and read e-mails, etc. But with the way Google stores data, even if someone were able to break into a Google data center and run out with some servers, the data would be totally incomprehensible to them for a variety of reasons. So there's still a lack of understanding of how it is that a cloud provider can offer the kind of scale of service that they do. And I think when you dig into the reality of what's being provided and how it's being provided, then you start to understand that some of the concerns that you used to have around security and redundancy are really the wrong questions to ask. [For a list of the right questions to ask, see "Top 10 Questions...."]
CT: What about data migration issues related to security-- especially when you want to move data to a new application or end your relationship with a vendor?
Hill: It's inevitable that at some point an application service provider's relationship with a customer will end. So at that point, what are the options for the enduser enterprise to migrate its data forward to its next-generation application? I think a good vendor will provide an exit strategy. And in this scenario where the industry is relatively immature, it's fairly important for end-user organizations to understand what their options are.
CT: Given concerns for security, how do you think adoption of cloud computing may play out over the next few years?
Keltner: People are looking at cloud computing in different areas. There's lots of computing that goes on in a university, from high-performance computing, to running course management systems and student information systems, to e-mail. Schools are beginning to evaluate where to start. It's not going to be everything at once; maybe they start with the e-mail, or the calendaring. We anticipate that institutions will slowly move bits and pieces of what they do into the cloud.
CT: You mean, as they have more experience with the cloud they'll feel more secure?
Keltner: It's somewhat like the difference between flying and driving. Some people feel a lot safer behind the wheel of their own car than flying on a commercial airline, but statistically speaking, you are a lot safer flying than you are driving your car. But those of us who fly all the time have become very comfortable with it. And I think people will also develop a level of comfort with cloud computing.