"We are seeing some awareness dawning of how much weaker some cloud providers' contracts are in security terms," added Slaby of HfS Research. "But the siren song of lower costs and greater flexibility is difficult to resist."
Computing has changed from relying on physical servers to virtual and ultimately to a fully virtualised architecture that brought business agility, since it now takes minutes instead of days to provision a virtual server, said Scott Robertson, Asia Pacific vice president of WatchGuard Technologies. However, security, privacy and compliance issues are the main hurdles to the adoption of virtualisation.
He also explained how network security from the traditional standpoint could not be accepted in the virtualised environment since virtual machines running on the same box can serve different apps and different users. As such, at a service provider level, they may even belong to different companies. Network traffic can flow from virtual machine to virtual machine over host-only virtual networks, completely in memory, and that would mean no security box could be installed in between to intercept and examine traffic information.
The trend towards virtualisation would be accompanied by an awakening to the need for virtual security, Robertson said. VM sprawl and flexible deployment capabilities could lead to unmonitored or "invisible" machines -- with no protection from potential threats, or even awareness of their presence.
Security Breaches and the Law
Rajesh Sreenivasan, partner and head of technology, media and telecoms practice at Singapore-based legal firm Rajah & Tann, said there are different types of legal issues in the event of breaches or system failures, but the two main crimes are the theft of IP and computer crimes. Solving such cases may require the use of digital forensics, especially in data retention and preservation of computer output evidence for compliance with rules of evidence in the event of criminal prosecution or litigation.
In IP theft, the laws governing such a breach are clear on violation. However, computer crimes will be harder to crack as they may be transnational in nature. This poses great challenges for the detection, investigation and prosecution of offenders, said Rajesh. Moreover, there may be extradition and jurisdiction issues to contend with. Sophisticated criminals might resort to the use of encryption to hide communication, and the transient nature of attacks might leave little trace for detection and identification, not to mention the anonymity of violators in the online world.
Digital forensics might be required to help solve a case, but the complex interplay between technology and law requires special expertise in order to detect and prosecute offenders, said Rajesh. Evidence is a major issue in dealing with digital media, which may be transient, and time is of the essence to secure it, all with the understanding that improper data preservation can lead to inadmissibility of digital evidence.