Is the cloud a safe place for engineers to hold their precious designs?

This is the fourth consecutive year that the CIF has conducted this survey and that headline figure represents quite a leap in acceptance compared to the 48% in 2010. The most popular uses are for Software As A Service (SaaS), which typically includes applications such as web hosting (74%) and cloud based email services (59%). The survey showed that other services include data infrastructure, quality assurance and testing purposes as well. Alex Hilton, CIF's CEO, pointed out: "It is a very broad spectrum of companies using a very broad spectrum of services." But the big question remains, how secure is it? Recent revelations about the USA's National Security Agency's cavalier approach to privacy in the name of security, does nothing to allay people's fears. This episode gives the impression that all information is accessible and that we have to rely on a moral code if that access is not to be abused. So is it appropriate, then, for design teams to share their valuable IP with their colleagues using the cloud as transport, storage or working environment? There are two issues according to the CIF survey that dominate concerns. One is data sovereignty – the location of the data centres. Hilton commented: Despite all the recent news stories, it is actually becoming less of a concern as to where it is located, depending on the nature of the services. There are certain services particularly in the public arena where they want to retain services from the UK. In the commercial arena we are seeing the desire to have that base in the UK as having diminished somewhat." The second major issue, that of security, shows no signs of decreasing in importance with the UK SME companies that largely made up the responses to the survey. C.J Radford is VP of Cloud at data protection specialists Vormetric, and he agrees that risks do exist. "There are inherent risks for using the cloud that are not present in on premise applications and services. These revolve around core needs that drive security requirements: compliance, prevention of data breach incidents and the need to protect intellectual property as in the case for CAD data. Applying the right security Radford said that unless mitigated with the right security controls, all cloud environments have inherent risks from privileged users at the cloud provider – cloud, virtualisation, storage and even security administrators - that are outside of the control of the organisation using the cloud service. Organisations also lose control of physical access to the environment, and of the security implementations used within it. The shared infrastructure that underlies cloud implementations can also expose organisations to additional risk. In an Infrastructure as a Service (IaaS) environment, multiple customers usually share the same CPU, storage and network resources. An attack on the IaaS environment based on an identified flaw in the IaaS infrastructure from one OS instance could expose other users of the same infrastructure to attack and data loss." However, Hilton did not necessarily agree that on premise IT was inevitably going to be more secure. In some cases he believed that certain individuals may have ended up with IT responsibilities purely through internal reorganisations rather than any IT expertise. Servers and systems are may only be secure as this individuals expertise allows them to be. "Conversely," he believes, "a professional data centre operation will have the appropriate levels of security in place, the appropriate firewall and the appropriate levels of connectivity around them as well." There are steps that users of cloud services can take to reduce risk. Radford commented: "For basic data storage, there is often the capability to encrypt information stored in the cloud solution and keep the encryption key that controls access to this storage locally within an enterprises' local data centre. Vormetric provides this capability for Amazon Web Services EC2 for instance. When this capability is used, it greatly reduces the risk of a full SaaS implementation by eliminating or reducing a number of threat and attack vectors. These include: privileged user access; physical access controls; and Government on-demand access." The latter is when a government agency requires access to an organisation's data. Actual examples of industrial espionage are few and far between, the problem of security is still largely one of perception rather than reality. However, one model that is emerging that tackles both this perception and takes advantage of the cloud's commercial and operational benefits: that is hybrid cloud. Hilton explained: "The essence of the hybrid model is that it is a mixed, heterogenous environment and companies will have a mixture of their on-premises servers and some outsourced hosted services. So they may for example host their web and email off site as well as disaster recovery or back-up facilities, because they are massively cost effective things to do in the cloud, but they might not want their accounting, or HR or payroll services to go off site. They may feel that they can do it better themselves, which is often not the case, but that is why they end up with a hybrid solution." While design files might be considered as on the more sensitive side, there is an argument that design teams who are working in different locations around the globe benefit from the reliable 24/7 operations that data centres have to offer. Confidence in the cloud Radford also believes there are technical reasons why users can have confidence in cloud based operations. "It depends upon the organisation's tolerance for risk. However, implemented with the right security controls, there are some cloud-based services that will meet the needs of many organisations. Let me explain. Cloud providers offer different levels of security, and security commitments within their infrastructure. Recently, many SaaS and IaaS providers are providing encryption and access control services that prevent their own access to customer infrastructure or data. They also offer expanded certifications for their facilities and infrastructure, as well as security options to make implementations more secure. Cloud providers that enable these kind of capabilities can often meet the needs for example of a team working on proprietary design, and for all but the most sensitive needs. "On the other hand, for an organisation that wanted a SaaS based Source Code Control solution (for software development), a SaaS environment that lacked physical environment certifications, security commitments and a strong set of security controls around data access would not be making a wise decision if they decided to use that service." In terms of certification, the CIF have introduced a Code of Practice to encourage confidence in cloud providers. Hilton said: "What it basically is a standard that we operate where service providers follow procedures as to how they sell and operate cloud services. This provides transparency, accountability and capability. It makes it clear what they will get, who to contact if things go wrong, and what the SLAs are, because there really are no standards that exist as far as service provision is concerned in the cloud."