Cloud security issues may require doing it yourself

By Frank Hayes

When the cloud can't meet your security requirements, do it yourself. That's the lesson learned by a relatively small nanotech company called Novati Technologies that wanted to shift to Google (NASDAQ: GOOG) Gmail, according to Patrick Meyer, the company's IT director.

Novati was using Microsoft (NASDAQ: MSFT) Exchange and wanted to shift to cloud-based Gmail for its 130 mailboxes. The problem: With a collection of aerospace and defense contractors as customers, the company had to comply with federal security requirements known as ITAR (for International Traffic in Arms Regulations). Google couldn't promise its service would fulfill ITAR's requirements, which impose stringent limits on who may access ITAR-regulated data--and Google definitely wasn't going to re-architect its systems to satisfy the needs of one small customer.

The workaround was to encrypt all mail with a gateway appliance from CipherCloud, so that every message is encrypted before it is sent to the cloud and automatically decrypted on the way back down. Meyer says the cost of the appliance plus Gmail is still 45 percent less than the operational expense of the pre-cloud setup.
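The encrypt-before-the-cloud pattern Meyer describes, as an added Go sketch that is not CipherCloud's product or anything from Novati: routing headers stay readable so the cloud mail service can deliver, Subject and body are sealed with a key that stays on premises, and the cleartext headers are bound to the ciphertext so a copy altered in the cloud fails to decrypt. The header set, key size and simplified message format are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Assumed set of headers the cloud mail service must see in the clear to route
// and deliver; everything else (Subject, body) is regulated content and gets encrypted.
var routing = map[string]bool{"from": true, "to": true, "date": true, "message-id": true}
// Gateway holds the on-premises AES-256-GCM key; it never leaves this process.
type Gateway struct{ aead cipher.AEAD }
func NewGateway(key [32]byte) *Gateway {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key and AES's block size are
	aead, _ := cipher.NewGCM(block)   // valid inputs, so neither call can error
	return &Gateway{aead: aead}
}
// Outbound runs before the message reaches the cloud: routing headers stay in the
// clear and are bound as associated data (so they cannot be swapped); the rest is sealed.
func (g *Gateway) Outbound(raw string) (string, error) {
	head, body, _ := strings.Cut(raw, "\n\n")
	var keep, rest string
	for _, line := range strings.Split(head, "\n") {
		if name, _, _ := strings.Cut(line, ":"); routing[strings.ToLower(name)] {
			keep += line + "\n"
		} else {
			rest += line + "\n"
		}
	}
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(rest+"\n"+body), []byte(keep))
	return keep + "\n" + base64.StdEncoding.EncodeToString(ct), nil
}
// Inbound runs on the way back down; anything altered in the cloud fails to open.
func (g *Gateway) Inbound(raw string) (string, error) {
	head, body, _ := strings.Cut(raw, "\n\n")
	ct, err := base64.StdEncoding.DecodeString(body)
	if n := g.aead.NonceSize(); err == nil && len(ct) >= n {
		if pt, err := g.aead.Open(nil, ct[:n], ct[n:], []byte(head+"\n")); err == nil {
			return head + "\n" + string(pt), nil
		}
	}
	return "", errors.New("not gateway ciphertext, wrong key, or altered in the cloud")
}
```

The cloud provider stores and searches only the sealed copy, which is also why provider-side features that need plaintext (search, spam filtering on the body) stop working behind such a gateway.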

While Novati's defense-contractor requirements are specialized, the issue of cloud security is one that has dogged companies in other sectors as well. For example, companies that handle credit cards, including retailers and restaurants, must keep card data secure under standards from the Payment Card Industry Council, which requires tight control over any network that's connected to any card transaction. Those requirements have made almost any cloud deployment impractical because clouds are, by definition, shared systems.

On Feb. 7, the PCI Council clarified how its requirements apply to cloud-based systems. That may make the cloud more PCI-friendly, but it will require plenty of cooperation on the part of cloud operators--unless retailers decide to add an extra layer of security themselves.

Hospitals and medical practices have an even bigger challenge. Many of them have been using cloud-based electronic health records systems, which were allowed (or at least not banned) under the 1996 law known as HIPAA (for Health Insurance Portability and Accountability Act). But in January, the U.S. Department of Health and Human Services issued new HIPAA rules that impose tighter restrictions on EHR data, as well as extend legal liability to cloud providers for any EHR security breaches.

In other words, unlike Novati and the retailers, health care providers don't have to wonder whether the cloud can be made secure. They're already in the cloud, and they suddenly need it to be made secure right now. A do-it-yourself approach may be the only way to avoid a much more radical disruption.

For more:
- see Ellen Messmer's article at Network World
