According to the Cloud Security Alliance: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services).”
This is as good a definition as you’ll find - it neatly summarises the key attributes for business: “convenient and on-demand” which translates to flexible, ad hoc and low cost.
There is no question that cloud computing is here to stay for the foreseeable future and that adoption of the technology will continue to spread. As a result, we need to ensure that we secure our data in line with the expectations of all stakeholders, including the business, our customer and clients, and of course regulatory bodies.
Cloud services are generally offered in one of three models:
- Software-as-a-service (SaaS), where the cloud provider owns the application, operating system (OS) and infrastructure and you use the application remotely. Examples include document sharing services, such as Evernote, and customer relationship management (CRM) applications, such as Salesforce. In summary: “Just run it for me!”
- Platform-as-a-service (PaaS), where the provider owns the OS and infrastructure, and you own the application. Often this type of service is used for software development in the cloud, providing a test environment for an application without the overhead of additional hardware and operating system licenses. Can be summarised as: “Give me a nice API and you take care of the rest”
- Infrastructure-as-a-service (IaaS), where the provider owns just the infrastructure, and you own both the OS and the application. This often suits a large e-commerce application and is very similar to a traditional hosted solution. Amazon’s EC2 is an example of this. In short: “Why buy machines when you can rent cycles?”
There are many drivers for the adoption of cloud computing, but the most common are these:
It’s often easier and cheaper to purchase a SaaS application than invest in in-house enterprise software, and of course, it can be available from anywhere without the need for virtual private networks (VPNs). SaaS services like Dropbox, Evernote and Gmail are used by digital natives at home and they expect the same facilities at work.
Projects which need a fast, easy solution to software development may invoke PaaS without involving the organisation’s central security people, or even thinking about doing so.
Any of the IaaS models will circumvent the cost of hardware, software licenses, power and cooling of datacentres, and the rental of datacentres themselves.
Each of these models presents a different set of security challenges and responses.
Cloud security isn’t a black and white question. You can’t say “no, I won’t use cloud because it isn’t secure”; neither can you say “yes, cloud services are the solution to everything.”
In fact, as Ben Goldacre says: "I think you'll find it's a bit more complicated than that…"
- Where is your data held? Which country? What about data protection legislation?
- Who has access to your data?
- Have the provider’s staff (and contractors) been vetted?
- How well is your data segregated from other users?
- Is your data encrypted at rest? Who holds the keys?
- How is it backed up? Are the backups encrypted? Where is the backup?
- How is the data transmitted? Is it encrypted? How are users authenticated?
- Has the provider been tested by a reputable third party?
Reviews of cloud services providers have revealed evidence of inconsistent and late patching of systems, weak remote access controls for administration, and even misconfiguration of data transfer channels between multiple cloud service providers resulting in credit card data not being encrypted.
The solution is to fall back on good security practice and processes, and to ensure that you get involved as soon as you can in any project which may acquire a cloud-based service.
Find out as much as you can about a provider's security measures and infrastructure - if they’re not willing to share their security policies and procedures, be suspicious. If the service does not encrypt data both at rest and in transit, do not entrust it with your sensitive information.
As far as possible, split responsibilities between your administrators and the service provider's administrators, so no one has unrestricted access across all security layers.
Check whether a supplier has been accredited to a recognised security standard, such as ISO 27001. Finally, consider selecting a high-end service provider with an established security record - "You get what you pay for," says Gartner analyst Jay Heiser.
A first draft checklist for evaluating the suitability of a cloud provider should include these key elements:
- Ask to see their information security policy
- Ask to see their staff and contractor vetting
- Ask for details of who has access to your data
- Ask for proof of independent tests and audits
- Ensure security responsibilities are clearly defined in your contract
- If your data is sensitive, ask if it is encrypted at rest
- Conduct your own tests and audits where possible
The Cloud Security Alliance publishes some excellent advice and help, most notably Security Guidance for Critical Areas of Focus in Cloud Computing, currently at version 3.0.
This is not a light read at 177 pages, but it is essential for anyone considering cloud adoption who is concerned about data security - in other words, anyone in a business using a cloud service. If you are concerned about security in the cloud, you really need to invest the time to understand the deployment model and the risks relevant to your data.
Peter Wood is the chief executive officer at First Base Technologies LLP and Member of the ISACA London Chapter Security Advisory Group