If Kayak.com were launching this year, it would almost certainly stash much of the data and technology underpinning its top-rated online travel-planning service in the cloud, according to the company’s chief IT architect.
But Kayak.com launched in 2005, when cloud services were a far less serious option than keeping all the IT in-house, as most companies had always done. So Kayak built a data center in New Jersey, and later moved it to an anonymous industrial park in Concord, Mass.
“We started the company a little before using [Amazon’s] EC2 or Rackspace were really safe or practical, so we built our processes around not having those things,” says Bill O’Donnell, chief architect at Kayak.com. “We would almost certainly have started with cloud just for the lower capital expenditures, but once you pick a path, it’s hard to change.”
Changing course on IT strategy is not the only issue facing enterprises eager to check out the growing set of infrastructure offerings in the cloud, including analytics services. IDC projects that by 2020, 40 percent of all the digital information in the world – not just that owned by corporations – will be stored in the cloud at some point during its lifecycle.
Data security remains an important hurdle to overcome. Security experts and coalitions such as the Cloud Security Alliance have identified risks that must be managed, either because cloud security isn’t yet up to the task or because the procedures that would mitigate them are not yet widely enough accepted to eliminate the threat. Specifics vary, but the hot list includes managing access to the data, securing active workloads running in the cloud, and training both end users and IT staff in best practices for new and evolving technologies, including NoSQL databases.
Cloud security has improved a lot during the past few years, but it still isn’t up to the standards of most large companies, which have spent years building systems that track not only every byte of important data, but also where it moves, who uses it, what they use it for and whether they should be using it at all, said Eric Chiu, founder and chairman of HyTrust Corp., which makes data- and IT-monitoring software for virtual infrastructures.
That need for data management represents a challenge as more companies try to cut costs and increase capacity by using cloud-based storage and compute services to house and analyze permanent or temporary data stores. Eighty percent of the 243 IT executives and system developers surveyed by virtual-application vendor Gigaspaces said they planned to move their big-data projects partly or entirely to cloud platforms, to save money and raise availability at the same time.
Without tools that provide measures such as role-based access controls – which let only people with certain job descriptions see certain information – clouds will remain an insecure platform on which to house critical data and the analytics tools that run against it.
Role-based and policy-based security systems within a company’s firewall can limit access to sensitive information based on a user’s specific job title, responsibilities, business unit or even the time of day.
Most cloud services, because they’re commercial, multi-tenant facilities more similar to a hotel than a bank, protect the perimeter by requiring a password to get in to a company’s slice of cloud. Once a user is inside the gate, however, there are very few controls.
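The contrast between in-house policy systems and perimeter-only cloud logins can be sketched in a few lines of code. The sketch below is purely illustrative – the role names, data classifications and `can_access` helper are invented for this example, not drawn from any product mentioned in the article:

```python
from dataclasses import dataclass

# Hypothetical policy table: each role maps to the set of data
# classifications its members are allowed to read.
POLICY = {
    "analyst": {"public", "internal"},
    "finance": {"public", "internal", "financial"},
    "admin":   {"public", "internal", "financial", "restricted"},
}

@dataclass
class User:
    name: str
    role: str

def can_access(user: User, classification: str) -> bool:
    """Return True only if the user's role permits this data class.

    An unknown role gets an empty permission set, i.e. deny by default.
    """
    return classification in POLICY.get(user.role, set())
```

A perimeter-only model, by contrast, amounts to a single yes/no password check at the door: once `can_access` returns True for anything, it returns True for everything.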
Ashish Nadkarni, a storage analyst at IDC, said many companies treat cloud storage or other services as a peer to their own systems, which makes configuration and access simpler, but assumes the cloud is as trustworthy and secure as systems they own. “Cloud is basically being used as a storage tier, not a resource to build storage- or management automation that would eliminate any of the work of managing the data,” Nadkarni said.
A Cloud Service Floats Inside
At Kayak.com, the software, servers and networks that underpin the company’s travel service live inside Kayak’s own data center, where the IT operations staff constantly tweak, tune and adjust various components to shave a few more milliseconds from the site’s response time. “We have a real obsession with latency,” O’Donnell said. “We stay pretty close to the metal so we can squeeze out a little bit of it wherever we can. That would be hard to do with distributed services [as in the cloud].”
As at many organizations, end users at Kayak do access cloud-based services outside this core IT infrastructure. For example, Kayak users go to the cloud to exchange non-critical files and data using Dropbox for Teams, a business-oriented version of the consumer online storage service.
The consumer-friendly, self-explanatory interface on Dropbox makes it easier and more pleasant for employees to use than a remote-access setup requiring remote-access servers, VPNs and extra security, according to O’Donnell.
One can see the benefits of such a service at a company like Kayak. Of its 200 or so employees, only eight are traditional IT people working on technology to help employees do their job—and only one of those people works on the company’s help desk part-time. “We’ve always had this lean – cheap, really – philosophy, from the time there were only six or seven of us and the approach was ‘Here’s your computer, set it up on your own. You’re smart, make it work,'” O’Donnell said. “We didn’t want to spend a whole lot of money on internal stuff rather than on the production systems.”
And the service Kayak chose offers system administrators visibility into end-users’ activities including data access. “Administrators can see all their different web sessions, whether they’re logged on or at work; they can see who’s logged on so they can end sessions to avoid malicious access; they can unlink applications to make them unavailable, filter usage of the whole team, see all the failed access attempts so they know if someone is trying to hack it,” said Anand Subramani, product manager for the Dropbox for Teams service.
The service also offers two-factor authentication, links to third-party applications for security and monitoring, and “tools to control the state from which data can actually leave the company so administrators can keep the data under control, not just access to the account,” Subramani said.
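Two-factor schemes like the one Subramani mentions commonly generate the second factor with a time-based one-time password (TOTP, RFC 6238), which builds on the HMAC-based HOTP algorithm (RFC 4226). A minimal sketch using only Python's standard library – an illustration of the general technique, not of any vendor's implementation:

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, period: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238) from a base32 shared secret."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(time.time()) // period, digits)
```

Both the server and the user's device hold the shared secret, so each can compute the same short-lived code independently; stealing the password alone is not enough to log in.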
Granular, Policy-Based Controls
If end-user companies are going to continue expanding their cloud-based assets for big data and other projects, cloud providers will have to offer more formal, granular, policy-based controls to keep users from accessing the wrong data, along with auditing systems to document the restrictions, according to a report on cloud and big-data security from the Cloud Security Alliance. The group is seeking comments on the report to gather insights on best practices.
As the alliance works to develop risk management best practices, corporate users continue to gain experience in the field. Half of the 4,140 IT and security professionals surveyed by The Ponemon Institute last summer said they stored sensitive data in the cloud; of those that did not, a third said they will during the next two years.
Only 24 percent said responsibility for securing that data is shared between the cloud provider and the end-user company, however. Forty-four percent thought the cloud provider did or should provide all the security, while 30 percent thought security was the customer’s responsibility.
In a measure of effective security for cloud-based data, Ponemon found companies that store sensitive data in the cloud are about 37 percent more effective at securing that data than companies that use the cloud for only mundane data or tasks.
It’s not that the cloud is inherently more risky than the data center, Chiu said. The risk comes from end-user companies that don’t realize the effort they need to put into securing their cloud-based data, or the layers of security that are taken for granted within a data center but are completely missing in the cloud.
“If you look at the concentration of risk, you have thousands of switches, routers, storage, apps, servers, all collapsed into a single platform and a single login,” Chiu said. “Inside the enterprise all those devices have some level of security monitoring, or separate logins and rules for who can use which resources. In the cloud, once you’re in, you’re in.”
Kevin Fogarty is a veteran writer, editor and analyst whose work has appeared in CNN.com, InformationWeek, CIO, Computerworld, Network World and other news and technology sites. Reach him at firstname.lastname@example.org or on Twitter at @kevinfogarty.
Home page photo of cumulus clouds by Michael Jastremski via Wikipedia.