Concerted drive on security will benefit cloud says Webroot

April 6, 2011 By David
Grazed from Cloud Pro.  Author: Maxwell Cooter.

There needs to be a concerted effort to tackle the problem of security within cloud providers, says Gerhard Eschelbeck, the CTO of Webroot. The lack of any generally-accepted certification for these companies means that users are left unaware of how secure a cloud provider could be – an issue that could delay the take-up of cloud services.

He applauds efforts by industry groups to have a basic form of accreditation but says they don’t go far enough. “Organisations like the Cloud Security Alliance and the Jericho Forum all have their own initiatives but there needs to be a way to bring them together.” He thinks that ideally the move should come from a standards body such as the Open Group or the IEEE but that cloud security shouldn’t necessarily wait for standards. “Guidelines would be a start,” he says.

With the rising interest in cloud computing, there’s a major concern about the right way to ensure that cloud providers can meet the demands of their customers. It’s a question that every CIO looks at and, as yet, there’s no methodology to meet their concerns, beyond look and see. Eschelbeck is one of many industry experts who have looked at this problem, and it’s going to be a thorny challenge.

Eschelbeck is a security expert of some pedigree. One of the prime movers behind the Common Vulnerability Scoring System and a prolific speaker at security conferences, he speaks with some authority about security.

The authentication of cloud providers is just one of the three big challenges for the cloud, says Eschelbeck, but it’s probably the most important. “There are lots of questions to ask. How do you trust cloud partners? Within that cloud, how do you ensure that customer A does not see the data of Customer B – particularly if they are competitors. How do you provision and de-provision employees?”

There are a lot of questions for users to ask, says Eschelbeck; the important thing is to get the right answers. “If you ask a cloud provider about its security, they’ll tell you they’re secure. But that’s not really enough. It’s very easy for the cloud provider to say that they’re secure, but what they have to do is demonstrate it. What security do they have behind the scenes – and more importantly, how can the users see it.”

He says that this is where the certification of cloud providers could be used. It would offer a way for any customer to have peace of mind.

There are other issues facing cloud customers, however. There are the challenges of multiple cloud services, says Eschelbeck. “If an employee is using four cloud services, some form of single sign-on is critical – that’s something that has to be implemented.”

The third challenge is a long-standing one, as he points out that using cloud technology doesn’t prevent one of the thorniest problems for any organisation – dealing with malware and concerted attacks on an organisation’s infrastructure, for example DDoS attempts.

Eschelbeck himself is turning his attention to one of his other big three challenges – the issue of malware. So far, he says, much of the effort to tackle malware has focused on the desktop but the cloud could be a more fruitful area. “I’ve been looking at the malware problem in the cloud – every organisation has malware protection, but everything has been based on a desktop solution. If you can filter the web, then you solve 80 percent of all malware problems. I’m going to be focusing on whether all malware protection should move to the cloud.”

The other area that Eschelbeck is looking at for Webroot is mobile security. He says that this is an area that’s ripe for exploration – while users are becoming more clued up about threats to their PCs, he sees mobile as a fertile area for the bad guys. “Users are more complacent about mobile,” he says. “Mainly because there hasn’t been a big scare on mobile yet – just a little one on Android – but this will become a topic in 2011.”

The company is already exploring mobile protection and just this week has released two products that address Android security.

Protection against malware is one area, says Eschelbeck, but he thinks companies could be more ambitious and look to take security on mobiles in another direction. “You have to look at security on mobile phones in a different context, for example, I’d like to have parental control so that my teenagers’ phones don’t work when they reach a financial limit. Security needs to be reinvented for mobiles.”

It was only a few years ago that the main inhibitor for cloud computing was security. Now companies have overcome that barrier and are already looking at ways to improve security using the cloud.  Eschelbeck is philosophical about the challenges facing the industry.  “It’s true that most questions about cloud these days are operational rather than security. But cloud computing is a centralised architecture and that brings security problems of its own – cloud brings security problems and solves security problems.”