Risks in the Clouds

The Risks of Cloud Computing

Cloud computing is "all the rage" right now. Does this sound nebulous to you? In a pure sense, cloud computing means taking a highly complex infrastructure such as the Internet and hiding all of that complexity from the IT service being provided. Living near San Francisco, I suppose a better metaphor would have been "fog" computing: the fog hides everything from you, and you only see what is right in front of you. That is what we are talking about when IT services are in the "cloud." However, most people use the term to mean outsourcing an IT function, service, application, storage or hardware. While that technically is cloud computing, it is only a subset of what cloud computing really is. For this article, I am going to focus on the outsourcing aspect of cloud computing.
 
I have received a number of emails from readers and clients asking questions about cloud computing, specifically about the security issues related to cloud computing or outsourcing a function of IT. Yes, we need to think about outsourcing for our organization, but we should also take these issues into consideration when we use the same services for personal use.
 
One of the tools I often use when making an IT decision is the old pros vs. cons two-column brainstorming exercise. All you need to do to get started is draw a single line down a whiteboard or a piece of paper. In one column, list all of the pros; in the other, list all of the cons, and brainstorm the benefits and detriments of outsourcing that particular IT function. Once this exercise is complete, you will be able to make an informed decision.
 
Pros
There are a number of reasons why you might want to outsource a portion of your IT function. Generally, it is either to save money by cutting costs or to increase your current IT capabilities. You can actually do both with outsourcing: cut costs and increase capabilities by leveraging your IT staff's core competencies and outsourcing the areas that are not among them. In this way you save money by having your staff focus on what they do best, and you increase capabilities by outsourcing certain functions to organizations that specialize in that area.
 
There are many more pros that you can use for outsourcing a particular IT function. In fact, most of the articles you find on the Internet address those pros no matter what service you're looking at outsourcing. Of course, the salesperson will give you all the pros you need.
 
Cons
As an IT security professional when I talk about Cons, I typically use the word risks. In other words, I ask myself this question, 'what is the risk of outsourcing this particular IT function?' I know it sounds really negative to always go around asking questions about all of the possible things that could go wrong. It makes you a real hit at all the staff parties. However, it's not a negative to find out what the risks are before you implement something new. The purpose of asking the questions is to determine what the risks are, whether the risks are acceptable and if there is anything that can be done to mitigate those risks. My legal-minded friends would call this due diligence.
 
Where is my data?
I want to revisit my metaphor of fog for cloud computing. Imagine yourself standing in Golden Gate Park on a really foggy day. It is so foggy that you can only see 10 feet in front of you. Now, imagine that you have a ball and take that ball and throw it as hard as you possibly can. What happens to the ball? It disappears into the fog. Now, you have a friend out in the fog that takes the ball and throws it back to you. Anytime you want the ball he throws it back to you. Because of the fog, you never really know where the ball is. However, when you want the ball, your friend throws it back to you. For all you know he can be throwing your ball to other people. The point is you really don't know where your ball is after it leaves your sight.
 
The same thing is true with cloud computing. Think of the ball as your data and your friend as the third party you outsource your IT function to. There are a number of questions you should ask any outsourcer before you place your data on their systems. Where do they store the data physically? Is it in the United States or in a different country? Do they encrypt it, and if so, who holds the keys? Can their technicians look at your data? How do you know? Do they do background checks on their employees? Where do they back up your data, and who can restore those backups?
 
One of the misconceptions people have with outsourcing IT functions is that they also outsource the risk; in reality they don't outsource the risk or the responsibilities for protecting the data.
 
The system is down again
There is nothing more frustrating than going to your favorite restaurant to get your favorite food to find out that they are already sold out for the day. You want it but you can't have it because it's no longer available. Luckily, food is just a preference and you can always change your mind and get something else.
 
The same thing is true for IT functions. No one gives it a second thought when key services are simply available; they come to be expected to be available one hundred percent of the time. Having worked as a network technician, I know all too well that you never hear anything when everything in IT is running fine. Then, when the e-mail server goes down for an hour, you never hear the end of it. The problem is that organizations have grown to depend upon IT services, and the more they depend upon them, the more money needs to be invested to make sure those services are available when needed. The same thing is true when outsourcing IT functions. We still have availability requirements, so when we sign a contract with a third party we need to make sure it includes service-level agreements with measurable uptime targets, a defined way of measuring them, and remedies when they are missed.
 
We need some protection
You are looking for a place to store some of your belongings and you decide you need to rent a storage unit at a local self-storage company. You come across two different places. One of them has state-of-the-art motion sensors, alarms, security cameras, a security guard, and they have the local police stop by to verify the guard is awake at night. The other place is an old dilapidated wooden barn with no locks, no cameras and no alarms. The one good thing is the owner sits on his front porch watching the barn. Who would you choose?
 
The question we need to ask of service providers is what level of security they provide. Do they follow industry security standards, and how is their compliance with those standards verified? I would look for a company that follows one of the two main industry frameworks for IT security: either ISO 27001/27002 or NIST. ISO 27001/27002 was developed by the International Organization for Standardization (ISO) and is implemented mostly in multinational corporations. NIST, the National Institute of Standards and Technology, has developed a number of standards to support federal, state, local and tribal governments. These standards are used by many private organizations as well.
 
Once I know they follow some industry-accepted standard, I would also determine whether they undergo regular third-party audits that verify they continue to follow it, and I would ask to see the most recent audit report rather than just the certificate.
 
The painful divorce
If there is one thing I have learned from some of my friends, it is that there is never a clean breakup or divorce. They are always messy and difficult. No matter how much you love a person when you first get together, that love can fade over time. Now they are stubborn and you can't decide who gets the cat or the new 65" plasma TV. What do you do then? How do you move out gracefully?
 
The same thing is true for any service you outsource. You need to think from day one about what your exit strategy will be. Think of it as a prenuptial agreement with your cloud computing service provider. Consider having provisions in your contract that stipulate when and how you can leave the service, in what format you get your data back, how long the provider keeps and then destroys their copies, and what they will do to help you transition your data or the service.
 
I want some privacy
One morning I went outside to let the cat in and water the plants. I could hear my neighbor come out of his house to get his paper. To my surprise, he was wearing nothing but his boxers. All I could think of was that I really didn't need to see that and then I was wondering if I could plant some tall shrubs or bushes to give my neighbor some much-needed privacy.
 
Here, life's lessons hold true in the clouds as well. There are all kinds of data on your network that require protection. Much of it is what we call PII, Personally Identifiable Information. We are legally required to protect certain information such as student records, health information, credit card transaction data, certain financial records and social security numbers. Outsourcing any confidential information is, at best, problematic, because the legal obligation to protect it stays with you even when the data does not. The only way to guarantee control is to keep it in-house.
 
I trust you but I want it in writing
Often, when organizations look to outsource a service, especially one that seems to be commoditized such as email, the service comes with a contract written by the service provider. Do you really expect the agreement to be in your favor and look out for your best interests? More likely, the contract is a CYA for the service provider, protecting them if you ever decide to sue.
 
Robert Gellman, author of the "Privacy in the Clouds" report, said, "Users should pay more attention to the consequences of using a cloud provider and especially, to the provider's terms of service." Make sure your provisions and concerns are addressed contractually and that the contract actually protects you and not just the service provider.
 
How is their health
Supply-chain management tells us never to do business with suppliers who can't consistently deliver or are not likely to be able to deliver in the future. Only a gold-digger would want to marry someone with one foot in the grave. If you plan to outsource for a long time, remember to evaluate the financial health of the service provider before you tie the knot.
 
I thought you knew
I remember an incident I had when I was in high school. I borrowed my parents' car one night and, on my way home, I accidentally ran into the curb. I messed up the rim and the tie-rods on the car. I drove it home and left it in the driveway. My mother went out the next morning, got into the car to go to work and drove it a bit before she noticed it wobbling. I never told my parents what had happened until they came and questioned me about it. You can imagine how angry they were.
 
How would you like your cloud computing service to hide material facts from you? What if they had a security breach and your records had been exposed to the whole world? It is important to ensure that you have a Breach Notification clause in your contract with specific time limits for reporting. It is not unreasonable to require notification of 'suspected' breaches within 4 hours of discovery.
 
Trust but verify
One of the other hats I wear is IT Auditor, and one of our principles is not to suspect everyone of illicit behavior. We can trust that they are doing the right things; we just need to verify that they are. Think of it as protecting the innocent.
 
On a regular basis you should also verify who has access to your data out in the clouds. Ask the service provider to grant you access to real-time log data. As noted above, make sure this is in the contract. The audit logs should show you whether anyone at the service provider's company has accessed, altered or deleted any of your data, and a long silence in those logs deserves a question as much as an unexpected entry does.
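One way to make that verification routine rather than a one-time look, as an added example that is not code from the original article: a short Python script that reads a provider's access-log export, separates the provider's own principals from your users, flags any provider read, alteration or deletion that is not by a contractually agreed service account, and flags silences long enough to suggest log data went missing. The CSV log format, the domains, the sample entries and the thresholds below are all assumptions constructed for the example; a real provider's export will look different and parse_log() is the one function to adapt.

```python
"""Review a cloud provider's access-log export for provider-side access.

Added example, not code from the original article or from any provider.
The log format (timestamp,principal,action,object) is a constructed,
hypothetical one; adapt parse_log() to the real export format.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export. Principals in our own domain are our users;
# anything else is the provider's staff or the provider's systems.
SAMPLE_LOG = """\
timestamp,principal,action,object
2010-03-01T08:00:00Z,alice@example.org,read,payroll/2010-02.xlsx
2010-03-01T08:05:12Z,bob@example.org,write,payroll/2010-02.xlsx
2010-03-01T09:30:00Z,svc-backup@provider.test,read,payroll/2010-02.xlsx
2010-03-01T13:12:44Z,jdoe@provider.test,read,hr/ssn-list.csv
2010-03-01T13:13:01Z,jdoe@provider.test,delete,hr/ssn-list.csv
2010-03-02T07:59:59Z,alice@example.org,read,payroll/2010-02.xlsx
"""

OUR_DOMAIN = "example.org"                        # assumption: our identity domain
ALLOWED_PROVIDER = {"svc-backup@provider.test"}   # assumption: service accounts the contract permits
DESTRUCTIVE = {"write", "delete"}                 # actions that alter or remove our data
MAX_GAP = timedelta(hours=12)                     # assumption: longest silence before we suspect lost logs


@dataclass
class Entry:
    ts: datetime
    principal: str
    action: str
    obj: str


def parse_log(text: str) -> list[Entry]:
    """Parse the CSV export and return entries in time order."""
    entries = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(Entry(ts, row["principal"].strip(), row["action"].strip().lower(), row["object"].strip()))
    return sorted(entries, key=lambda e: e.ts)


def is_provider(principal: str) -> bool:
    """Anyone not in our domain is treated as the provider's side."""
    return not principal.lower().endswith("@" + OUR_DOMAIN)


def review(entries: list[Entry]) -> list[str]:
    """Return findings: unexpected provider access and suspicious gaps in logging."""
    findings = []
    prev = None
    for e in entries:
        if is_provider(e.principal) and e.principal not in ALLOWED_PROVIDER:
            level = "HIGH" if e.action in DESTRUCTIVE else "MEDIUM"
            findings.append(
                f"{level}: provider principal {e.principal} did {e.action} on {e.obj} "
                f"at {e.ts:%Y-%m-%dT%H:%M:%SZ}"
            )
        if prev is not None and e.ts - prev.ts > MAX_GAP:
            findings.append(
                f"GAP: no entries between {prev.ts:%Y-%m-%dT%H:%M:%SZ} and "
                f"{e.ts:%Y-%m-%dT%H:%M:%SZ}; confirm the provider did not drop log data"
            )
        prev = e
    return findings


def provider_principals(entries: list[Entry]) -> set[str]:
    """Every provider-side identity seen in the log, for comparison with the contract."""
    return {e.principal for e in entries if is_provider(e.principal)}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Provider-side principals seen:", sorted(provider_principals(log)))
    for finding in review(log):
        print(finding)
```

Run against the sample, the script reports one MEDIUM finding (a provider employee reading an HR file), one HIGH finding (the same employee deleting it), and one GAP (nearly nineteen hours with no entries). The backup service account produces no finding because it is on the agreed list; the point of keeping that list in the script is that it is the same list that should appear in the contract.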
 
Conclusion
As you can see, there are quite a few things you should do before you dive into the deep end. There are other considerations that I could not cover, given the length of this article. However, I have some resources you can review that will help you dive a little deeper into the risks and rewards of cloud computing.
 
Some helpful resources:
"Above the Clouds: Managing Risk in the World of Cloud Computing" by Kevin T. McDonald
"Cloud Computing: Implementation, Management, and Security" by John W. Rittinghouse and James F. Ransome
"Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing," report by Robert Gellman
"Seven Cloud Computing Risks," Gartner report
 
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.