It’s a Long Road to a Secure Cloud

April 4, 2011. By David
Grazed from Virtual Strategy Magazine. Author: Phil Lieberman.

When it comes to cloud computing, the security and compliance landscape is riddled with pitfalls and continues to shift. During the recent RSA Conference in San Francisco this viewpoint seemed to dominate the conversations between IT professionals, industry analysts and others who study the security industry. The RSA conference hosted more than 30 sessions and presentations dealing with cloud security – signaling a real hunger for reliable information on this topic.

My opinion is that cloud security, particularly public cloud security, is wholly inadequate.

Potential cloud customers who read the providers’ terms of service might be steering clear of off-the-shelf offerings – and for good reason. Study many of these offerings’ terms of service and you’ll see enough loopholes and ambiguity to scare any serious business manager. We are seeing adoption of private clouds hosted by the major cloud vendors, but in these cases we hear of “special accommodations” to augment the base security offerings if the deal is big enough.

Are the terms ‘secure’ and ‘cloud data center’ mutually exclusive? For example, many regulations presume that you know where your data physically resides (and, under data protection regimes such as the EU’s, which jurisdictions it may be transferred to). But to maximize cloud value, the providers must be free to move the data around. The data owner would need to prevent this as a matter of compliance – so the organization might as well just have a private cloud. Is this an example – possibly one of many – where cloud services and security/compliance are incompatible?

Even in private datacenter implementations, data replication and geographic distribution of data are normal, desirable activities. This is done as a precaution against data center disasters and to facilitate load balancing and routine maintenance. In essence, with the cloud the disaster recovery and load balancing scenarios are carried out by the operator of the cloud infrastructure. It is possible to specify the geographic distribution of data as part of the contract with the cloud provider, but a contractual clause is only as good as the customer’s ability to verify it: a location commitment without audit rights or a provider-exposed control that pins data to a region remains a promise rather than a safeguard.

Regarding compliance, I’m often asked who is legally liable (cloud provider or data owner) if data is found to be in breach of regulatory mandates such as HIPAA, PCI-DSS, EU Data Protection and so on, and the answer isn’t always clear. Generally speaking, cloud service providers’ terms of service may seek to absolve the providers of legal responsibility in return for aggressive pricing. Too many customers don’t ask the hard questions and blindly sign the service agreements with little thought given to compliance and liability. On the other hand, for those companies (especially small and medium ones) where the quality of security is poor, even the middling safeguards offered by cloud providers can be a quantum leap in improvement.

In the case of many mainstream applications like email, CRM and collaboration (e.g. WebEx, LiveMeeting), cloud services promise to reduce the load on the customers’ IT infrastructure (software, hardware, network), delivering services that can evolve quickly at a reasonable cost. Every company is expected to do more with less, and cloud providers are in a strong position to take on those applications that customers cannot otherwise afford to install or maintain.

As I’ve noted, moving to cloud services means accepting the cloud provider’s terms of service – in effect, agreeing to play by their rules. This means that in general the frequency and duration of your service outages (service windows) will be stipulated by the cloud provider and not by you. Limits on traffic, transactions, users and other values may all be set by your provider. In some cases the cloud provider reserves the right to scan your data and present users with advertising based on what is sent in email. And if your hosted neighbors are a nuisance (think WikiLeaks), your access may be impaired by denial of service attacks aimed at them, or simply by the overwhelming loads they place on the shared infrastructure.

Yet to me the most unsettling cloud security issue is the fraud perpetrated against customers by the SAS70 certification process. Customers implicitly rely on the security “being there” when a cloud vendor says they have been SAS70 certified. In reality SAS 70 is not a certification against any security baseline at all: it is an auditor’s report on controls that the service organization itself chose to describe, so the phrase “SAS70 certified” on its own says nothing about which controls were examined or whether they were adequate.

What customers don’t know is what SAS70 certification actually says about that vendor, since these reports are confidential. It is rare for customers to demand to see the SAS70 report before plunking down their money (don’t forget to sign that confidentiality agreement), and rarer still for customers to compare the SAS70 reports of multiple cloud vendors. A customer who does obtain the report should at least check whether it is a Type I (controls described as of a point in time) or a Type II (controls tested for operating effectiveness over a review period), what the control objectives and system boundaries actually cover, and what exceptions the auditor noted. It’s frightening to think how few auditors of cloud customers know to review these critical SAS70 reports, or are being kept in the dark by IT departments about their use of third-party cloud providers. Even those auditors who know where to look may have no experience or established process for properly evaluating and reporting on the cloud solutions used by their clients.

“Trust me” is not a security strategy. Unfortunately many organizations seem ready to take big leaps into the cloud, naively trusting that the big-company names who host these offerings will protect their backsides.