One on One with Rich Corbridge, Head of Global Security Testing Practice, AppLabs

Rich Corbridge

“With server utilization being 10-15% on average, cloud computing is a real possibility that IT shops will have to consider. One of the largest obstacles for any business in moving to a cloud computing environment is security.”

  1. What are the different types of Cloud Computing?

    Cloud computing is simply hosted IT infrastructure. Instead of being behind the corporate firewall, the servers, data, storage, and other supporting infrastructure are provided by a 3rd party. There is a large variety of offerings, but generally there are three different kinds of cloud offerings: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). IaaS, also called Hardware as a Service, is where the provider owns and maintains the physical network, server, and storage components while the customer is responsible for maintaining the operating systems and software. PaaS is where the provider provisions a software stack (and the supporting infrastructure) upon which a customer develops, tests, and deploys a custom application. SaaS is where an application is developed and hosted by the provider and is accessible by customers over the Internet.
  2. What is so enticing about Cloud Computing?

    The main attraction of cloud computing is the cost efficiency arising from cloud services being generally scalable, metered, shared, and outsourced. By scalable, I mean appropriately sized for the need. The infrastructure grows and shrinks to match the need. In the context of cloud computing, metered means that the resources you consume are measured and tracked and you pay for what you consume just like a utility. Further cost efficiency is gained because the infrastructure is shared and the maintenance of it is outsourced.
  3. In broad terms, what are the potential drawbacks of Cloud Computing?

    Security, of course, is the largest obstacle slowing the rapid adoption of cloud computing and it probably outweighs all other concerns put together. The next biggest concerns are availability, performance, and the ability to integrate with and customize the cloud. These concerns are largely technical in nature and can (and will) with time be worked out, leaving security as the only potential drawback remaining.
  4. All other concerns aside, what specific kinds of security issues apply to the cloud?

    Beyond normal enterprise security features, a few areas of concern specific to the cloud are data safety, privileged user access, physical/logical/personnel access to the data, threats to the virtualization platform and regulatory compliance.
  5. This sounds an awful lot like enterprise security. What is different about cloud security?

    In the enterprise we talk about "defense in layers" where the layers are things like application security, host security, network security, authentication, authorization, and least privilege access. Cloud computing requires additional layers of security to account for things like data protection in the provider's shared network (encryption, data segregation, etc.), the provider's administrative access to the data and systems, and vulnerabilities in the virtualization platform.
  6. What are some best practices in preparing to move to the cloud?

    This one is best answered by a bulleted list:

    • Document your security policies and procedures for running your applications in the enterprise. This is the starting point. Add policies and procedures to these in order to provide the extra layers of defense you will need in a cloud environment.
    • Companies must do their due diligence to find out and understand as much as possible about the cloud provider, its technology implementation, policies, and security practices. Companies may find that the provider's setup, policies, and practices are more secure. This research may include the results of audits, assessments or other 3rd party evaluations of the provider.
    • After understanding everything there is to know about the provider, conduct a gap analysis to identify any security-related shortcomings.
    • Work with the provider to confirm your understanding of the shortcomings and to see if there are any compensating controls or workarounds for them that have already been discovered.
    • Find a provider that will support your corporate security policies.
  7. What advances do you anticipate in cloud computing?

    Security in the cloud will definitely continue to develop. Also, I expect the ease of managing your cloud to improve. There will be greater access to statistics (usage, consumption, uptime, etc.) and control (scale up, scale down). There will be offerings enabling customers to create their own clouds on infrastructure they already own. The idea here will be to create efficiencies where the customer can do more with the hardware they already own. Ultimately, the cloud will become more secure, more affordable, and more manageable and these factors will facilitate more companies getting into cloud computing.
