Background
The definition of the “cloud” is cloudy. Before we talk about cloud security, it's important to define the different cloud offerings that enterprises hope to protect. Cloud models include:
- Infrastructure as a Service (IaaS) – IaaS providers offer state-of-the-art flexible and secure cloud data centers. By pooling together a large number of tenants and leveraging virtualization and large-scale management capabilities, IaaS providers deliver a sophisticated and elastic data center platform. Different IaaS providers offer Web attack protection and regulatory compliance readiness to their customers and generate incremental business.
- Platform as a Service (PaaS) – PaaS providers offer application development and delivery platforms that accelerate time-to-market of new applications and services. PaaS providers should provide their customers with Web attack protection as part of the underlying application architecture.
- Software as a Service (SaaS) - SaaS providers deliver cloud-based business applications for sales, financial, HR and other functional areas. These applications host large amounts of sensitive data across many organizations. As organizations adopt cloud applications to streamline their IT operations, SaaS providers are expected to ensure data security and address regulatory compliance – as would be the case for on-premise data.
Security Concerns With Cloud Computing
Migration to the cloud is on every organization's objectives list. Yet a Forrester 2009 Q4 survey, encompassing 165 companies in over 39 countries, has shown otherwise. When asked “what are your top SaaS adoption inhibitors,” the most frequently cited concern was security (48 percent).
This statistic should not come as a surprise. After all, cloud services have fallen victim to security vulnerabilities. Just looking at the “big” players, we can quickly count some of the mishaps: Gmail email and contact lists, as well as Yahoo mail, were prone to XSS and JavaScript hijacking. Amazon EC2 was vulnerable to an Amazon Web Services signature vulnerability. Twitter fell prey to an attack in which a hacker obtained and distributed more than 300 confidential documents pertaining to Twitter’s business affairs that were stored on Google Apps.
Threat in the Cloud
We outlined, in detail, concerns with cloud computing in a previous blog post.
Many of the security threats that affect cloud deployments are the same as those that affect non-cloud deployments. Hackers and insiders want data, and we live in a data-driven world. But there are differences. Challenges specific to the cloud include:
- Maintaining bulletproof partitions between datasets of different customers
- Providing different levels of data security to applications sharing the same logical or physical platforms
- Protecting customer data from the prying eyes of cloud administrators
- Providing solutions that operate over a specialized infrastructure (VM, Amazon AMI)
- Managing application and data security for a large number of applications inside the cloud
What should enterprises ask themselves when choosing a cloud provider? See Part II of our Cloud Security series tomorrow.

The most important component of security is to have full visibility into your data, where it is, who has access to it and how you can audit its health and security. Application logging is one useful tool. There is a good post on this topic here: http://www.theinfoboom.com/articles/cloud-security-is-a-visibility-challenge/