The term "cloud" has been turned into a marketing platform by many suppliers and this has obscured what it really is - a way to procure and deliver IT services. The cloud covers a wide spectrum of services and delivery models. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through a cloud environment.
Cloud computing makes people uneasy. The perceived lack of ownership and control has a tendency to cause an almost instinctive sense of vulnerability, but Simon Salmon, CSA UK and Ireland Chapter member, questions if this is justified.
He says the answer depends on the circumstances, since cloud solutions can be as secure or insecure as any other IT implementation. Many of the issues an organisation should be considering regarding cloud computing relate equally to traditional IT implementations.
One pressing question surrounds what happens to a customer's data when stored and/or processed in the cloud. Should things go wrong, what mechanisms are available for reporting issues and tracking them? Is the SLA acceptable for your business? Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management, urges chief information security officers (CISOs) to understand the type and value of the data your organisation wants to put into the cloud. So businesses need to consider whether the data is public, company internal, company sensitive or personal information (personal data includes employee National Insurance number, medical information, credit card or bank details).
Once you know what type and value of data you are dealing with, you can identify any regulations and/or industry rules that might apply, such as the Data Protection Act (personal data), Payment Card Industry (PCI, credit card information), says Wenham.
Knowing the value of data and the applicable rules and regulations leads to an understanding of what needs to be done to ensure compliance. From this understanding, the terms and conditions of various cloud-based services can be reviewed and informed decisions taken. For instance, if the cloud service provider is unable or unwilling to legally commit to keeping data at all times within the EU (or EU-acceptable safe harbour), then personal data should not be stored or processed in the cloud.
CISOs must also evaluate a cloud provider's guarantee that data cannot be lost, as data loss has happened in the past.
He says the service level on offer may not be sufficient. Remember that a 99.5% availability means in any 12 month period the cloud service could be off air for a total of nearly two days, and don't forget your local internet connection and your internet service. The cloud provider can only commit to an SLA for their service and not for the whole internet or your connection to it. Wenham urges business leaders determine how well the supplier's definition of service availability matches their own requirements.
And when things go wrong, the CISO must examine the mechanisms available for reporting issues and tracking them. Wenham says: "Remember that many cloud providers will only accept problem reports by e-mail and then only from one named/identified person (usually the account holder) and this could impact service restore time."
Wenham says protecting sensitive information in the cloud requires encrypting the data. If you do encrypt the data, then you would typically only be using the cloud for storage and not processing, as you would need to decrypt the data before you can process it.
He recommends CISOs assess whether the login authentication mechanisms the supplier offers are commensurate with the value of data being stored or processed. For instance, is a user name and password the only mechanism available or are multi-factor mechanisms available? Can password complexity and password expiry be set and can these be managed by the business?
Looking for and choosing a cloud provider that is ISO27001-accredited is to be recommended, but the fact that a vendor has current ISO accreditation does not mean you can ignore other considerations.
Along with data controls, Mike Small. member of London Chapter ISACA Security Advisory Group and senior analyst with KuppingerCole, urges CISOs concentrate on establishing a good framework for governance: As Wenham said earlier, when moving to the cloud it is important business requirements are understood and the cloud service is selected to meet these needs. Small says taking a good governance approach, such as COBIT, is key to safely embracing the cloud and the benefits that it provides.
Small warns CISOs to be wary of supplier lock-ins that can easily occur in the cloud. There are a number of factors that can make changing cloud provider difficult. The ownership of the data held in the cloud may not be clear and return of the data on termination of contract may be costly or slow, Small warns. When data is returned, it may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, PaaS in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider. The risks of building business services based on a proprietary technical architecture are high and technical standards should be adopted where possible. Ensure ownership of data is clear and the terms for its return on termination of contract are acceptable.
For Simon Salmon, CSA UK and Ireland Chapter member, the question remains of whether businesses are being over-cautious when it comes to cloud security.
He says: "At the least, cloud-based systems should prompt everyone to think through far more carefully what their security requirements are across the whole supply chain. Given that, and also that cloud services have been developed with security in mind, it is possible the information security may actually improve."
There will be cloud security breaches, but businesses have experienced security breaches that are not related to cloud computing. When working with a cloud provider, it is possible to ensure your exposure to risk does not increase.
"However if you currently don't consider security issues, you may struggle in the cloud!" says Salmon.
Video: Managing security in the cloud
This was first published in January 2012