The current buzz in the technology industry is all about this idea of Cloud Computing. It goes by many many names but we’ll just stick with this one to eliminate confusion. Sure, it’s a great idea and vendors are talking about “moving your data to the cloud” where someone else can manage your data, provide better uptimes, manage the patching process, etc. Unfortunately, as a security guy, I tend to look at the idea of cloud computing from a risk perspective…and it just isn’t fluffy cumulus clouds that I see…it’s more like the picture you see here.
From the security perspective, it appears to be nothing more than a matter of risk transference, very similar to what any good insurance policy will do for you. Companies are trying to be quick to market with their Cloud Computing Security Strategies, but I’ve yet to hear anyone truly identify the risk that this will solve. At the end of the day, it comes down to two simple questions that either your CSO or Legal Department will most assuredly ask:
Who ends up being liable for the data that’s stored in the cloud when it’s breached?
Who’s name and signature is going to be at the end of the Breach Notification letter you’ll send to your customers?
I’ve been doing a lot of research on the topic of “cloud computing security” the last few weeks, as I prep for my session at TechEd North America 2009 entitled “Securing the Cloud”. I have to tell you, I don’t see a lot of companies agreeing to become liable if your data gets breached on their network. I’m not sure how this really differs from putting your money in a bank, rather than in your mattress. The bank (through the powers of the FDIC) ensure my money up to a certain amount. Will my cloud vendor do the same?
Of course, with all new things, old problems still exist. How is that 3rd party auditors going to successfully conduct an external audit of your data, when the data and controls aren’t even on the premises? “Well, Mr... Sarbanes-Oxley Audit Master, I’d love to show the controls that we have in place to remain compliant with 404, but the data isn’t actually here. Perhaps you can contact our cloud provider to find out the controls they’re using to keep my customer data secure.” That probably isn’t go to go over to well. Remember, you can delegate authority, but not responsibility.
I just want to be sure that we are all really giving this a lot of thought before we start dumping our data up to some unknown entity in the clouds. There are plenty of positive things that cloud computing provides, but at what cost? I’ll take the extra time to patch my enterprise’s servers if it means keeping my data close.
As someone who travels extensively talking to security professionals, I learned long ago that I don’t have all the answers….and this is no exception. Let’s start a dialogue through the comments. What risks do you see with regard to moving to a cloud computing infrastructure and is your business headed that way?
Also, before I forget….I’ve found a really great cloud computing security blog called http://cloudsecurity.org. Two thumbs up! Check it out.
It would be unfortunate if companies decided that keeping confidential customer data on their own servers physically in-house was the only way to be responsible. It's rather like deciding that employing your own cleaning staff was the only way to keep your office premises secure, rather than hiring the services of an external cleaning firm.
I read somewhere that firms must divide work into 4 categories based on the questions "Can the business survive without this?" and "Does this directly contribute to our bottom line?". For IT operations, most firms would answer "Yes" to the first question but "No" for the second. In other words, it is critical to business survival, but more a supporting operation than a value-adding operation.
An IT firm might justify maintaining their own servers, but a non-IT firm is unlikely to have the expertise and is better off finding an external supplier to maintain their supporting IT operations.
Because IT is often such a critical system - all client data being stored etc - there needs to be a clear contract with adequate compensation being paid if ever systems fail (through data loss or theft) because it will inevitably have a damaging effect on the reputation as well as (value-adding) operations of the business.
There is no easy answer about data breaches, but there is still a risk of data breaches for in-house data, and you could argue you are being more responsible to your customers by out-sourcing to experts than keeping it in-house with potentially under-qualified staff. Think of the security in a data centre compared with your average small business! Closer is not necessarily safer or more responsible.
Someone else needs to answer the auditing question?
Great points Robert and thanks for starting the discussion.
I certainly agree that things can and often shoul dbe outsourced, but I worry about the ramifications as to what happens when the data for which I'm the legal custodian of, is compromised on someone else's box.
From what I've seen, this is a question that is only beginning to make the legal rounds.
Internal or external hosting and how security control objectives are maintained is a very interesting topic.
Technical controls alone are not adequate when dealing with outsourced arrangements.
I'd suggest that as outsourcing data hosting becomes more widespread, attention to oustourced 3rd party Contracts is needed. Focus should cover specific security requirements, such as right to audit, compliance with your company security policies (or at minimum a gap analysis or theirs and yours to manage risks accordingly) and also getting that downstream liability clause agreed :)
I'd expect that some organisations will be attracted towards the financial benefit of cloud computing without understanding or factoring in the security exposure and implecations it presents. It is these types of organisations where visibility is needed.
Check my observations at:
I don't know why the technical media is blowing this up like it's some new great thing. Cloud computing has been around for at least the last 10 years if not longer.
Conceptually shared web hosting platforms and file repository/sharing networks were some of the first clouds to surface on the Internet. While, yes, these services are often used by the degenerates and vagabonds of the computing world, the concept in itself could be invaluable to smaller businesses without the financial or technical means to maintain their own datacenter.
The only thing that's really emerged from the idea of cloud computing is that companies like IBM and Google have essentially taken a less than reputable concept (and, yes, shared hosting is often a less than reputable means of web hosting when dealing with some of these providers), cleaned it up, sprinkled some glitter on it, and marketted the heck out of it until it shined.
But moving to the point of the discussion, I'd like to address Robert's take on the risk management factors of cloud computing versus in-house solutions. I would have to say that no company should ever maintain confidential (operational, financial, personal, and personnel) data on a cloud. To do so would be a liability that could and eventually will ruin you. Robert, I'm going to have to disagree with you about "Closer is not necessarily safer or more responsible." Closer, with offsite backups, is probably the most responsible thing any organization could do with confidential data. While, yes, there may be more security experts working in a datacenter, but nobody knows your data like you do. And more times that you would think, you know a better way of securing your data than the acclaimed "IT Professionals". As well, you lose the ability to define your security standards.
In my experience at my datacenter, data is most often compromised when people have extremely poor security standards or none at all. I would say to put more faith in your own security standards than some phone jockey at Google making $10/hr. You have no idea (outside of all the marketing and propaganda) what that datacenter's security is like, and they're not about to give you a technical breakdown.
Cloud computing is a great idea, though. I would recommend usage to just about any entreprenuers, small businesses, or educational institutions but never at the expense of their confidential data. If you can not afford to maintain your confidential data in-house, your probably should rethink your business model.