Cloud Computing's Top Security Risk: How One Company Got Burned

Expectations between customers and vendors are so ill-defined in cloud computing that it's often not clear who is responsible for security or what the penalties are for failure. Here's the story of one company that got burned.

Virtualization and cloud computing haven't eroded the online security of most companies, analysts say. But they may be contributing to situations in which IT-service customers leave themselves vulnerable to attack because they assume their cloud provider is taking care of security.

"Security and cloud hosting are two separate things, but the cost of entry is so low, and often so simple, that customers may not do as much due diligence as they should to find out who's responsible for security," says Ezra Gottheil, an analyst who covers server issues for Technology Business Research.

Responsibility for security in cloud computing arrangements is so ill-defined that, in a report released this week, Gartner felt it necessary to list both access to information about how a cloud service works and a service level agreement spelling out customer expectations and requirements.

In March, research from the Cloud Security Alliance listed customer ignorance of security practices—and service providers' refusal to give information to relieve it—among the seven top security risks in cloud computing. According to the Cloud Security Alliance's research, cloud projects and the risks they entail may be "complicated by the fact that cloud deployments are driven by anticipated benefits, [and] by groups who may lose track of the security ramifications."

The nature of the cloud computing business means many customers or potential customers have no idea how exposed they really are when they put a website or other corporate application on someone else's hardware, says Josh Corman, analyst for The 451 Group.

Chris Drake, CEO of FireHost, a cloud services provider that hosts and secures customers' applications, agrees that most cloud and website hosting customers assume their provider is responsible for keeping their site safe even though that's not always the case.
