Cloud computing is immensely popular with companies and government agencies in search of revolutionary cost savings and operational flexibility. According to industry research firm IDC, cloud computing's growth trajectory is, at 27% CAGR, more than five times the growth rate of the traditional, on-premise IT delivery/consumption model. [1]

Cloud computing practitioners cite numerous benefits, but most often point to two fundamental benefits:

• Adaptability: An enterprise can get computing resources implemented in record time, for a fraction of the cost of an on-premise solution, and then shut them off just as easily. IT departments are free to scale capacity up and down as usage demands at will, with no up-front network, hardware or storage investment required. Users can access information wherever they are, rather than having to remain at their desks.
• Cost Reduction: Cloud computing follows a model in which service costs are based on consumption and make use of highly shared infrastructure. Companies pay for only what they use and providers can spread their costs across multiple customers. In addition to deferring additional infrastructure investment, IT can scale its budget spend up and down just as flexibly. This leads to an order of magnitude cost savings that wasn't possible with 100% proprietary infrastructure.

Other benefits of the cloud include collaboration, scaling and availability, but revolutionary cost savings and the almost "instant gratification" offered by the agility of the cloud will be the key contributors to adoption of the cloud.

What Is the Cloud?
So much has been written, advertised and discussed about cloud computing, it is appropriate to define the term for common understanding. Cloud computing generally describes a method to supplement, consume and deliver IT services over the Internet. Web-based network resources, software and data services are shared under multi-tenancy and provided on-demand to customers. It is this central tenet of sharing - and the standardization it implies - that is the enabler of cloud computing's core benefits. Cloud computing providers can amortize their costs across many clients and pass these savings on to them. This paradigm shift in computing infrastructure was a logical byproduct and consequence of the ease-of-access to remote and virtual computing sites provided by the Internet.

The U.S. National Institute of Standards & Technology (NIST) defines four cloud deployment models:

1. Private Cloud, wherein the cloud infrastructure is owned or leased by a single organization and is operated solely for that organization
2. Community Cloud, wherein the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns, including security requirements
3. Public Cloud, wherein the cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group
4. Hybrid Cloud, wherein the cloud infrastructure is a composition of two or more cloud models that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

NIST's definition of cloud computing not only defines how infrastructure is shared, but also outlines what will be shared. These service models shift the burden of security accordingly between provider and user:

Software-as-a-Service, or "SaaS," is the most mature of the cloud services. SaaS offers a "soup to nuts" environment for consumption of a common application on demand via a browser. Typically, the customer controls little or nothing to do with the application, or anything else for that matter, and is only allowed to configure user settings. Security is completely controlled by the vendor. Examples of providers include Salesforce.com, Workday, and Mint.com.

Platform-as-a-Service, or "PaaS", is an emerging cloud service model. The customer is able to develop applications and deploy onto the cloud infrastructure using programming languages and tools supported by the cloud service provider. They are not able to control the actual infrastructure - such as network, OS, servers or storage - the platform itself. Because the customer controls application hosting configurations as well as development, responsibility for software security shifts largely to their hands. Examples include Google App Engine and Amazon Web Services.

Infrastructure-as-a-Service, or "IaaS," is where even more of the infrastructure is exposed to multi-tenant users. The cloud service provider provisions processing, storage, networks and other fundamental computing resources. The customer is able to deploy and run arbitrary software, which can include operating systems and deployed applications. Software security in this deployment model is completely in the customer's hands, including such components as firewalls. Examples include Amazon Elastic Compute Cloud and Rackspace Cloud.

While SaaS gained popularity as an alternative to on-premise software licensing, the models that are driving much of the current interest in cloud computing are the PaaS and IaaS models. Enterprises are especially drawn to the alternative development infrastructure and data center strategies that PaaS and IaaS offer. At this point in time, smaller enterprises seem to have more traction with PaaS, enabling them to rapidly bring websites to market; whereas larger enterprises are more comfortable beginning their cloud deployments with an existing application moved to an IaaS cloud service.

How Do We Fully Realize the Benefits of the Cloud?
Realizing the cloud's benefits is greatly determined by the trustworthiness of the cloud infrastructure - in particular the software applications that control private data and automate critical processes. Cyber-threats increasingly target these applications, leaving IT organizations forced to sub-optimize the cloud deployments containing this software, limiting flexibility and cost savings.  Assuring the inherent security of software, therefore, is a key factor to unlock the power of cloud computing and realize its ultimate flexibility and cost benefits.

Recommended Approaches to Cloud Software Security
According to the Cloud Security Alliance, a not-for-profit organization promoting security assurance best practices in cloud computing, the ultimate approach to software security in this unique environment must be both tactical and strategic. Some of their detailed recommendations include the following:

• Pay attention to application security architecture, tracking dynamic dependencies to the level of discrete third-party service providers and making modifications as necessary
• Use a software development life cycle (SDLC) model that integrates the particular challenges of a cloud computing deployment environment throughout its processes
• Understand the ownership of tools and services such as software testing, including the ramifications of who provides, owns, operates, and assumes responsibility
• Track new and emerging vulnerabilities, both with web applications as well as machine-to-machine service-oriented architecture (SOA), which is increasingly cloud-based

The key to achieving the benefits of the cloud and to putting the above recommendations into practice is Software Security Assurance, or "SSA."  Recognized by leading authorities such as CERT and NIST, SSA is is a risk-managed approach to improving the inherent security of software, from the inside.  There are three steps to a successful SSA program:

1. Find and fix vulnerabilities in existing applications before they are moved into a cloud environment
2. Audit new code/applications for resiliency in the target cloud environment
3. Establish a remediation / feedback loop with software developers and outside vendors to deal with on-going issues and remediation.

To realize the full benefits of cloud computing, organizations must assess and mitigate the risk posed by application vulnerabilities deployed in the cloud with equal vigor as those within their own data center. It is only then that they will be able to take full advantage of cloud computing to save cost and increase the efficiency of their business.

Reference

1. Worldwide IT Cloud Services Spending, 2008-2012, IDC, October 2008

Resources

• IDC on IT Cloud Services
• NIST definition of Cloud Computing
• Cloud Security Alliance "Security Guidance for Critical Areas of Focus in Cloud Computing v2.1"