Cloud Computing is hot: “Cloud Computing heralds an evolution of business that is no less influential than e-business”.
It might sound very simple: Instead of maintaining your own applications, platforms and servers, you obtain them as a service from outside your own organization, so you don’t have to care about maintenance, performance, scalability, software upgrades and uptime anymore. But is that all?
No, there’s more. According to a recently published research (see this survey and risk assessment) by the European Network and Information Security Agency (ENISA), Confidentiality of corporate data and Privacy are the number 1 and 2 main concerns (and showstoppers) for companies who are on a journey of implementing Cloud Computing.
This article addresses Cloud Computing from a Security and Privacy perspective and introduces a four step approach to overcome cold feed for Cloud Computing.
With the increasing popularity of Cloud Computing, organizations’ architects are making plans to embrace Cloud Computing in one or more of its forms, on Process, Application (also known as Software as a Service), Platform or Infrastructure level. They typically deal with this in a complex context: They are architects of global companies who have to deal with many different security and privacy laws.
Besides dealing with personal data they often deal with Intellectual Property material as well. This information should not be accessible for competitors and therefore moving this kind of data outside the organization is subject to many regulations and guidelines. This means that when they start to create visions about Cloud Computing, or start actual implementations, they have to deal with Security, Data Privacy and Export Control risks. Since typical characteristics of Cloud Computing are “open” and “accessible”, many organizations rank Cloud Computing as the highest level risk implementations in terms of Security and Privacy.
This can lead to contradicting interests between technology driven architects and the Security and Privacy departments of the organization.
But why are Security and Privacy architects so ‘scared’? And how can Accenture help you in dealing with this?
In order to address this let’s first look at some fears and facts about Cloud Computing.
Cloud Computing Security Incident: Twitter
One reason for organizations to be reserved is the unfamiliarity with Cloud Computing: it’s new. And when something is new negative press tends to be over overemphasized compared to positive press.
In the brief history of Cloud Computing, there have been incidents regarding the undesired disclosure of data. In July 2009, TechCrunch reported that they received a message from a hacker who claimed he had accessed hundreds of confidential corporate and personal documents of Twitter. The security leak consisted of using a password guessing technique to get access to Google Apps accounts used by Twitter employees for their day to day work (email, calendar, docs), where the confidential information could be found. While this incident was caused by users who used unsafe passwords or made use of easy-to-guess password recovery questions, rather than by flaws in Google Apps. This incident still shows that the chance of somebody getting access to the organization’s applications is much higher in de context of Cloud Computing than it would have been on an internal network that cannot be (easily) accessed from outside.
Such incidents don’t really promote the use of Cloud Computing.
The Main Security and Privacy Risks
Apart from the negative press that causes a general feeling of discomfort regarding Cloud Computing, there are some tangible risks that need to be addressed.
Where is the data stored?
Although Cloud Computing sounds virtual, data will eventually be stored somewhere on one or more physical servers, perhaps even at multiple locations.
Identifying the location of the servers might be difficult; especially in case of nested Cloud Services (one application in the Cloud makes use of other applications in the Cloud). Cloud service providers cannot always guarantee that data is stored in any predefined location.
In that case, multiple privacy laws apply to the overall implementation.
In some countries, like Canada and Germany, there are specific laws about storing personal data at a central location within the own company, but outside the ‘country of origin of the data’. Storing such data outside the organization is an even tougher step to take. Thus global companies and organizations have to deal with the toughest regulations around the globe.
Sometimes it is not allowed to store certain data in certain countries or engage in cross border data transfer. The USA has strict laws on exporting data and knowledge to certain countries. Therefore storing this information in so called ‘Embargoed Countries’, such as Cuba, Iran, Syria, North Korea, Myanmar (formerly Burma) and Sudan, is not allowed.
Everybody is on the Web
Hosting an application inside an organization will make it easier to prevent ‘the whole world’ from accessing it, as it is protected by firewalls and DMZ’s. But an application in the public Cloud (i.e. the Web) is accessible for everybody who has access to the Web, including unsolicited intruders as the Twitter incident showed.
Terms & Conditions
Many people use web based applications like Gmail, LinkedIn, Hyves and Facebook. Most people just tick ‘I agree with the terms and conditions’ and assume it’s all fine. That’s a risky assumption, as personal information is not always as private as users think. For instance, several concerns have emerged around Facebook’s privacy agreement.
The same applies to Cloud Computing. Server space is bought within a couple of minutes with a couple of clicks (and a credit card number). But it’s very important to check and understand the Terms & Conditions of the provider of the cloud applications. Not only in terms of Security and Privacy (e.g. under which conditions will they grant access to the data to Justice or General Intelligence and Security Service?), but also in terms of availability and other SLA’s.
Shared Applications, Shared Infrastructure?
Cloud Computing implies the use of shared applications, shared infrastructure and probably shared databases. When data from many organizations is stored in one common database, in common tables, data access violations can be a risk. Splitting databases reduces the risk of data access violations.
Types of clouds addressing Security and Privacy
From a Security and Privacy perspective, various types of clouds can be used to address the earlier mentioned risks:
The Public Cloud is externally hosted and publicly accessible. It is both open and agile by nature. Due to its virtual character, the physical location of the shared servers is usually not (exactly) known and Terms & Conditions are identical for all users.
Some organizations might conclude that the Public Cloud is not the best solution due to its open and intangible character. They might consider the following alternatives.
An Internal Cloud basically is a cloud that resides in the organization’s own data centre. Shielded from the outside world, but lacking (part of) the agility you will find at a Public Cloud. Advantage is the great extend of control that the organization has, including where the physical servers are located and under which Terms & Condition the cloud is implemented. Applications and servers are not shared with other organizations.
Virtual Private Cloud
A Virtual Private Cloud combines characteristics of both the Public and Internal Cloud. It is a dedicated, secured cloud within a Public Cloud environment. This means that the cloud is hosted outside the organization in the public domain, but can only be accessed via a private/secure connection – so not by ‘the whole world’.
Another advantage is that it provides the agility of a Public Cloud with the possibility of tailored Terms & Conditions. The physical location of the servers isn’t necessarily (exactly) known and parts of the infrastructure might be shared with other organizations.
The Hybrid Cloud consists of a combination of Public Cloud, Virtual Private Cloud and/or Internal Cloud.
Please note that the term Private Cloud is also commonly used as a type of cloud. Unfortunately, the meaning of this term is not ambiguous: sometimes it is used to refer to a Virtual Private Cloud (i.e. outside the own organization), sometimes it is used to refer to an Internal Cloud (i.e. inside the own organization).
The table below summarizes how the various types of cloud address the earlier mentioned risks and Agility:
How to overcome or avoid cold feet?
So how can you overcome or avoid cold feet and become comfortable with Cloud Computing? This article introduces a four step approach:
Think about it – be rational
Many barriers regarding the use of Cloud Computing are psychological. Based on the lack of information, or based on wrong information, or just perception.
Of course, Cloud Computing does cause additional restrictions in terms of Security and Privacy. Many organizations have a tough security intake process, and combining ‘confidential data’ with ‘data accessible by third parties via the Internet’ makes it a top category security implementation. This means of course that they will enforce a very high level of security to the external vendors. The stakes are high, if something goes wrong, large fines may be the consequence due to the breach of various regulations, let alone the impact of the public reputation of the organization.
On the other hand, for Cloud Computing providers topics like Security and Privacy are core-business. They can’t afford to suffer from such incidents as this will cost them big business, now and in the future. So they will take extra care. Whereas for most big companies, IT is not core-business, so in general, they won’t be able to dedicate as much money and resources to IT (including Security and Privacy) as a Cloud Computing provider.
Actually, in many cases you might experience an improvement of Security and Privacy when you move to a Cloud Computing solution.
Read and learn about it
Two interesting starting points to read and learn about Security and Privacy in Cloud Computing are Craig Balding’s Cloud Security and the World Privacy Forum. These sites might help clearing the skies during the journey of introducing Cloud Computing. Industry or market specific researches on Cloud Computing can be found on the web.
Read more about the advantages and disadvantages of the various cloud types (Public, Virtual Private, Internal, Hybrid) in terms of Security and Privacy. And Accenture has Point Of Views on Cloud Computing that address Security and Privacy as well.
An interesting book to consult is ‘Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)’.
Hear about it
The best way to promote Cloud Computing is via word of mouth. No story is more convincing than a story from somebody who is already using Cloud Computing.
Make a couple of reference visits with other organizations who are either dealing with a similar situation or already are a few steps ahead. Accenture has the network and showcases which can help you get more comfortable with Cloud Computing.
Some providers of Cloud Computing even allow site visits. So you can personally have a look and see how it works. And quite commonly, providers have their environments regularly audited by one or more independent external companies. Ask for these reports to validate the points that are of great importance to the organization.
Cloud Computing is a new topic for many companies. The perception of Security, Privacy and Audit departments regarding Cloud Computing is often based on bad press and a lack of detailed, fact-based knowledge. There is no desire for that which is unknown.
This article introduced a four step approach to overcome or avoid cold feet:
• Think about it – be rational: Cloud Computing providers know what they’re dealing with. In the agile world of Cloud Computing they can lose customers as easy as they won them – and they won’t put their own business at risk by not properly addressing Security and Privacy.
• Read and learn about it: There’s a lot of information available regarding Security and Privacy in a Cloud Computing context. This article provides information as well as numerous references.
• Hear about it: Organize reference visits. There’s no better way to convince people than via word of mouth.
• Check it: Visit the provider and request independent audit reports.
Following these four steps makes it easier to clear the skies and overcome cold feed for a Cloud Computing solution.