As we near the close of 2010, I thought it would be a good time to share some of the more frequent cloud security questions I receive, and my thoughts on the ever-evolving relationship between the cloud and the security/compliance challenge.
Q: Are the terms ‘secure’ and ‘cloud data center’ mutually exclusive? For example, many regulations insist you know where the data is. But to maximize cloud value, the provider must be free to move the data around. The data owner would need to prevent this to be sure of compliance – so you might as well just have a private cloud. Is this an example (and possibly one of many) where cloud data center and security/compliance are incompatible?
A: Even in private implementations of data centers, data replication and geographic distribution of data are normal and desired activities. This is done to handle the possibility of data center disasters as well as to provide load balancing and the ability to perform maintenance. In essence, with the cloud, the disaster and load balancing scenarios are carried out by the operator of the cloud infrastructure. It is possible to specify the geographic distribution of data as part of the contract with the cloud provider.
Q: Compliance: who is legally liable (cloud provider or data owner) if data is in breach of international regulations (HIPAA, EU Data Protection, etc.)?
A: Generally speaking, the cloud providers absolve themselves of legal responsibility in return for aggressive pricing. Most customers don’t ask the right questions and just blindly sign EULAs/agreements with little thought given to liability in the cloud. On the other hand, the quality of technical security and security processes in many companies (especially small and medium ones) is so poor that even the middling security of the cloud providers is a quantum leap in improvement.
Q: Do you have any specific examples of how moving into the cloud has provided bottom-line benefit?
A: In the case of many well-accepted applications like email, CRM and collaboration (e.g., WebEx, LiveMeeting), the nature of the cloud reduces the load on IT resources (software, hardware, network), and produces solutions that can evolve quickly at a reasonable cost to companies. Every company is expected to do more with less. Cloud providers let companies off-load key IT systems that they cannot afford to run, or are incapable of running properly.
Q: Do you have any specific examples of how moving into the cloud has produced problems?
A: With cloud providers, you must conform to their “Terms of Service”, which means you must play by their rules. This means that service outages (service windows) are determined by the cloud provider and not you. The amount of traffic, emails, users and usage are all controlled by the provider. In some cases the cloud provider reserves the right to rifle through your data and present you with advertising based on what you are sending in email. If your hosted neighbors are a nuisance (think WikiLeaks), your access may be impaired by denial of service attacks, or simply by overwhelming loads placed on the infrastructure.
Q: Finally, is there a specific cloud data center issue that bothers you the most?
A: The most upsetting cloud data center issue to me is the fraud perpetrated against customers by the SAS70 certification process. Customers implicitly rely on the security “being there” when a cloud vendor says they have been SAS70 certified. What customers don’t know is what the certification means or says about that vendor, since these reports are confidential. It is rare for customers to demand to see the SAS70 report before plunking down their money (don’t forget to sign that confidentiality agreement), and even rarer for the customer to comparatively evaluate the SAS70 reports of multiple cloud vendors. Worse yet is the incompetence of auditors who fail to review these SAS70 reports, and who are kept in the dark by companies and IT departments about their usage of third-party cloud providers. Auditors have little to no experience or processes to properly evaluate and report on cloud solutions used by their clients. “Trust me” is not a security strategy, but it is the working methodology of companies that are moving to the cloud and trusting that the names of big companies hosting these solutions will protect their backsides.
Feel free to leave a comment or send me your thoughts or any questions about the challenges of and solutions to security in the cloud at firstname.lastname@example.org. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.