Cloud computing, despite taking baby steps in terms of adoption, has been on the top of the agenda of most IT companies. As the importance of the cloud increases, the question that arises is: how secure is this environment?

On the sidelines of Computer Associates Media Symposium, Singapore, Business Line interacts with Mike Denning, global head (General Manager), Security, CA Tech, and Vic Monkotia, VP, Security for Asia-Pacific, CA Tech, on the challenges involved in making cloud computing secure.

In your presentations, you have said that the IT budgets of companies are flat. Does that make cloud opportunity a zero sum game?

Mike Denning : It is not a zero sum game and the reason why I say it is, whereas software services and automation was traditionally reserved for the largest 5,000 companies in the world, it is now extending into a larger market. The number of companies with $2 billion in revenue is a finite number. Once you extend to companies that have turnover of more than $200 million, the addressable market is significantly larger. Now such companies that are relatively smaller in revenue can afford to deploy services as they are less expensive. They can pay as per usage.

What are the challenges one faces while implementing cloud in countries such as India?

Mike Denning : A lot of our cloud expertise and a lot of our development, particularly with the acquisition of Arcot (Arcot Systems provides advanced authentication and fraud prevention solutions) is based in India.

One of the biggest challenges around any kind of deployment is data residency. And in particular, organisations want to know where their data is. How is it moving in transit? How is it secured? Where are things managed? From India's point of view, the situation is not necessarily unique but organisations have different compliance requirements. Where is the data hosted, does it remain within the country's borders? Is it at anytime exposed to other areas outside of India?

I would say one of the biggest challenges is mapping the system, mapping the network; ensuring that data residency requirements are met, based on the organisation's need for information.

Vic Mankotia : It is a very broad question. There is a virtual cloud, virtual private cloud, there is a public cloud. Every company has a graduation path. If I am a banking company and I have Internet banking operations, perhaps it will take a little bit longer to get to the cloud. I may not need to because I have got resident IT services. But on the other hand, if I have a taxi service or a courier service, I am quite happy using a cloud-based service. It depends upon the customer, the business and cost.

Mike Denning : Sensitivity of the data is a big driver of cloud adoption. The less sensitive the data, the less personal the identifiable information, the less financial information involved, the more likely you are to share. Consider how much data is there on Facebook.com, for example. Sharing data in a social network is not necessarily sensitive information. When you start getting into personal identifiable information, such as financial data, then it gets more challenging.

The financial sector's concerns which Monkotia had mentioned, is this an India-specific concern?

Mike Denning : I think financial services and banking tends to be a little more sophisticated when it comes to technology. They are quickly adopting things like the private cloud. I would say banking is looking for better and sophisticated resources but they are very security-conscious. Aggressively moving into private cloud, less aggressively in public cloud.

Is there a regulatory mandate to have the private cloud in the same geography?

Vic Mankotia : What I am seeing more and more from regulators and governments is they tend to begin with data sovereignty. It happened in India with RIM, it will happen with other companies in other countries. Governments in specific and now banking sector, telecom companies, want to keep the data within the confines of the country they operate in. It is not about governments or banks wanting access to data, sovereignty of the data is important for them. The very premise of a US company five years ago, running a security operational centre from east and vice-versa an Indian company or a system integrator managing a client in the US, that paradigm is going to shift as we move on, people are much more sensitive and acutely aware of data leaving international boundaries. It is not only in India, it is happening in Australia, Singapore, in mainland China.

The cloud has no boundaries. The advantage in India is with the technology, with BPOs, the innovation, the amount of intellectual property already resident gives India an edge on how to do it.

Another advantage in India is Internet backbone capabilities. Strong telecommunication companies are based out of India. A key requirement for cloud hosting is strong peering points within the region at the network level to be able to move the data quickly.

We are talking of companies networked through the Internet being vulnerable to security threats. Are there any instances of network of intranet-only networked companies falling prey to security breaches?

Mike Denning : If you look at the RSA security breach, for example, that was an organisation that thought the seed records (a seed record is a symmetric encryption key, a shared secret between a hardware authenticator and an authentication server) are off the grids. Not connected to the network placed in a secret bunker. Never assume that a network segregated from accessibility is safe.

Additionally, there are ways of moving media other than e-mail. Understand identities that have access to what is important, regardless of whether or not it's an online or offline network. What I have heard over and over again is that the security officers of companies are going to zero trust networks. They just assume most laptops are compromised and when you assume they are compromised, your behaviour changes to — How can I secure this environment, given the aforementioned threats.

comment COMMENT NOW