Phil Neray is the VP, Data Security Strategy, InfoSphere Guardium & Optim at IBM. In this interview Phil talks about the complex issues surrounding cloud computing security, offers insight into what companies migrating to the cloud can expect and lines up tips for those who have to consider migrating to a cloud computing solution for mission-critical IT services.

Although cloud computing has been widely accepted in the enterprise and its usage is growing exponentially, many are still worried about the security risks. IT managers have nightmares about insecure APIs and interfaces as well as possible account hijackings. How can a company be sure they are getting a secure cloud computing solution whose implementation is secure from every possible aspect?

While cloud technology and virtualization technologies provide many important benefits including increased agility, on-demand scalability and lower costs, they also offer unique security challenges for enterprises.

According to the National Institute of Standards and Technology there are three types of service models for cloud computing, with each providing enterprises with varying levels of control over security capabilities:


1. Software as a Service (SaaS) – In this deployment model, the cloud provider delivers the entire stack including the application itself as a hosted service. Examples of SaaS offerings include Salesforce.com, Gmail and Lotus Live collaboration services. With SaaS, enterprises have little direct control over critical security capabilities such as data encryption or compliance auditing and activity monitoring. However, enterprises are still legally responsible for the confidentiality and integrity of their customer data and other sensitive information. The recommended approach is to ensure – via RFPs and contractual commitments -- that your SaaS provider is providing the critical security capabilities you needed.

2. Platform as a Service (PaaS) – In the PaaS deployment model, the cloud provider delivers an application development platform – including programming languages and APIs – for creating applications on their cloud infrastructure. The enterprise doesn’t manage or control the underlying cloud infrastructure (network, servers, operating systems, or storage) but has control over the deployed applications and possibly application hosting environment configurations. Examples of PaaS offerings include Microsoft Windows Azure, Force.com and Google App Engine. There is more control over security with PaaS than with the SaaS model, but as the provider is still responsible for most security capabilities, enterprises should rely primarily on contractual commitments to meet their security needs.