Sourcefire. Picture: joelesler
Enterprises across the world are hunting down the best way to scale their computing capability. Finding ways to work smarter has become increasingly important in today’s cost-controlled market. IT departments searching for a solution often demand that the infrastructure has to be quick, cheap and dynamic and this is one of the reasons that cloud computing is being touted as a potential corporate game changer.
BY LEON WARD
Cloud Computing has been described as, arguably, the third revolution of IT, following the Personal Computer and Internet revolutions. But like most revolutions, progress towards widespread acceptance of the new regime is likely to take some time, amidst suspicion, a lack of confidence, wise skepticism and some false starts.
Many CIOs are in the process of moving applications and services into the Cloud. Some are considering Cloud-based computing due to economic reasons, while others are looking to create new dynamic IT services. Regardless of the reasons, with organisations contemplating moving to a Cloud environment many are forgetting a potentially fatal element, security. Before an IT director can make a clear sensible decision about a future Cloud strategy, let’s investigate where some risks lie, and work out where responsibility and accountability falls.
Ensuring a security evaluation is undertaken is a ‘must do’. Never simply assume that a service provider’s security is up to scratch. It must be checked. Matt Watchiniski, Sourcefire’s Director of Vulnerability Research Team, endorses this view. He says that as more and more enterprises and organisations move their applications to SaaS platforms, some provider is bound to fail miserably. We haven’t seen the major compromise, but this risk has to be on the horizon. So with storm clouds ahead, who is going to be in the dock when there is a failure? An understanding of accountability needs to be clear. Businesses using these types of services need to make sure they understand who is responsible for fixing these problems when they crop up, and who is legally accountable for the data loss. Outsourcing your data to the Cloud does not equate to outsourcing the risk, if your Cloud provider was responsible for the loss of your customer’s data, you could still find yourself accountable.
The impact of failure
Serious failures within a cloud infrastructure can have repercussions that reach much further than within a single enterprise. Last year, after a major server outage, thousands of users of the Sidekick mobile phone and messaging service were warned that their personal data and photos had “almost certainly been lost”. Over a week later Microsoft, owner of Danger the cloud-computing provider, confirmed that they had managed to recover “most, if not all the customer data”. This example publically highlights the potential danger of entrusting trusting personal data to the cloud, but it doesn’t mean there’s a major design flaw in the Cloud-Computing concept. It’s implementation specific, but it negatively impacts confidence in the whole market.
On the positive side, Cloud service providers typically have more resources to put into security and reliability than most businesses, and far more than a small business. Where would you rather your sensitive, client and internal data was stored? Public clouds advertise a robust, highly physically secure data centre. Additionally there should be a team of on-site security experts focused on protecting that information stored. Compare this to the alternative of the data being stored on a laptop which is continually moving around and being accessed in different locations. The data centre now seems the smart choice, but don’t forget you are handing over your information to someone else, and therefore losing direct control over it.
Those considering a move to the Cloud need to consider how their market is regulated. Strict codes of conduct apply to many businesses and in some cases, regulations might stipulate that personal data has to remain within a specific country thus ruling out the use of certain providers who distribute data globally. In some situations the storage and processing of information away from a user or the enterprise is seen as a real advantage, a good example of this would be in a government, military or other high-security environment. Because of this advantage I expect to see some near-term implementations of Government controlled and designed community Cloud infrastructures. If those who are accountable for potential data loss are in control of the Cloud constructed to protect it, many of my concerns dissipate and central responsibility can be re-established around critical information that has traditionally been distributed. Imagine a world where DVDs of sensitive data are no longer lost in the post; they are simply re-referenced within the Cloud.
Make sure your house is in order
If the idea of storing and working with your critical data in a shared external infrastructure looks attractive in terms of cost metrics, before looking for a provider it is clear that some research needs to be undertaken.
Firstly, you need to prepare a list of mandatory security controls that you demand around the data you consider most sensitive, and then come up with suggestions of how a provider could potentially demonstrate these controls to you in action. Only then start to research the providers that believe they can meet the demands you place on your data. This should be part of any due diligence process. As the service consumer you should be in control of your data wherever it is, and you should have the ability to demand that any provider can prove their security capability, as it is likely that you will ultimately be accountable for a breach. Find out who you call if there is a problem and details around what service can you expect? In times of crisis you need guarantees that it will be prompt and responsive. The Cloud provider needs to be transparent.
If you have performed in-depth research before looking at service offerings you should understand the problems that face Cloud providers. Never be scared to call foul when you see a complex problem with an over simplified solution. It’s a cliché, but if it sounds too good to be true, it probably is. Always make sure you keep the horror show that is accountability in mind. Out of sight should never mean out of mind.
Leon Ward is Senior Security Engineer, Sourcefire – www.sourcefire.com