In tough economic times, cloud-based services can look almost too good to be true.
Hard-pressed companies, eager to keep their capital expenditure to a minimum, find the attractions of a subscription cloud model, where they pay for what they use, hard to resist.
Security can be better in the cloud, too. A well-run cloud supplier often has more security resources and expertise than its customers, and may therefore be better able to carry out everyday security tasks, such as employee vetting, file back-ups and data protection.
But how do you know if a potential cloud supplier is well run, or if it will look after your data?
Stuart Okin, managing director of Comsec Consulting UK, a division of Israel-based Comsec Consulting Ltd, gained firsthand experience of this sort of challenge recently when a UK company with more than 100,000 employees called him in to assess a cloud-services contract it had already signed. Although he declined to identify the cloud provider or the customer, the experience serves as a lesson in how to get proper assurance from a provider.
The company’s CIO had decided to replace the in-house Lotus Notes system with a cloud-based service that would provide more flexible email, messaging and information sharing for around 30,000 users. Up to that point, only a few senior directors had been able to access mail from outside the corporate network.
The deal was signed and about to go live, but the company’s CISO was concerned that some aspects of security might have been overlooked, so Okin’s company was called in to provide more detail on the security services offered by the provider.
Okin learned that the contract had been negotiated by the central purchasing department, which had failed to ask some fundamental questions about how the service would operate, particularly concerning cloud computing security issues.
“The cost driver for the project had overruled any risk considerations, because moving from an in-house service to a cloud solution seemed to demonstrate such a compelling return on investment,” Okin said.
Okin said that, when he first approached the cloud supplier, he was struck by its “take-it-or-leave-it” attitude. “We were initially told that no customisation was possible, no audit was allowed, and no information about internal assets, including location [of the data or data centres], could be provided,” he said.
All the provider would offer as a guarantee of quality, said Okin, was a SAS 70 auditing certificate (“not worth the paper it was written on,” according to Okin), and an ISO 27001 certificate which, it emerged later, applied to a different service than the one in question.
Okin’s approach was to change tack and, rather than asking about security, focus on aspects of service provision and delivery. “When I realised [asking about security] was not working, we shifted to asking service-based questions, and then we started getting answers,” he said.
This meant asking questions about how the service would be provided, what levels of uptime could be expected, and what the customer needed to do to enable the supplier to provision the service. Other questions concerned how secure access would be granted to different types of endpoint devices, and how the provider would handle disasters.
These service-based questions unearthed the following information:
- The cloud supplier required the client’s Active Directory (AD) servers to be located with the supplier in order to offer a properly integrated service. However, the AD servers also provided access to the client’s other non-cloud services. Therefore, anyone with access to the AD servers would be able to access the company's non-cloud services as well. Okin explained: “That’s when we said, ‘You can’t keep the location of your data centres a secret if you’re holding our Crown Jewels.’ They accepted that, and so we then needed to know their privileged user procedures, because their system administrators were going to have access to our mission-critical systems.”
- No consideration had been given to controlling which users could, and could not, access the cloud service. The provider said it was “all or nothing,” and the best way to stop users from accessing the service was not to give them the URL to the cloud login.
- There was no way to control which component services users could access from an unmanaged endpoint device. As a result, Internet access to the service for remote users was delayed until a multifactor authentication system could be put in place.
- The original agreement defined no guaranteed uptime, and all parties appeared to expect an unbroken service. However, there were no provisions for on-site back-ups and archiving (which was a regulatory requirement for the client), and the bandwidth between the supplier’s primary and secondary site was too small to deliver rapid disaster recovery for all users. Okin said the cloud provider, when asked, openly admitted that a break in service of up to 24 hours was possible for some users.
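The second and third findings describe two missing controls: an explicit per-user entitlement instead of relying on users not knowing the login URL, and a device-posture check that gates unmanaged endpoints behind multifactor authentication. The following is an added illustration of how a deny-by-default access policy combining both checks can be expressed; it is not code from the article, from Okin or from Comsec, and every user name, service name and entitlement in it is constructed.

```python
"""Conditional-access policy evaluator (added illustration, not from the article).

Combines two controls: an explicit entitlement table (a user not listed gets
nothing, whether or not they know the login URL) and a device-posture check
that requires MFA before an unmanaged endpoint may reach a reduced set of
service components. All names and tables below are constructed examples.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    service: str          # component being requested, e.g. "mail"
    device_managed: bool  # True if the endpoint is under corporate management
    mfa_satisfied: bool   # True if a second factor was already presented


# Constructed entitlement table: which users may reach which cloud components.
# Anyone absent from this table is denied, regardless of knowing the URL.
ENTITLEMENTS = {
    "alice": {"mail", "messaging", "files"},
    "bob": {"mail"},
}

# Constructed policy: components an unmanaged endpoint may reach after MFA.
UNMANAGED_ALLOWED = {"mail"}


def evaluate(req: AccessRequest,
             entitlements=ENTITLEMENTS,
             unmanaged_allowed=UNMANAGED_ALLOWED) -> Decision:
    """Return the policy decision for one request, deny by default."""
    allowed = entitlements.get(req.user, set())
    if req.service not in allowed:
        # Not entitled at all: the "all or nothing" model becomes per-user.
        return Decision.DENY
    if req.device_managed:
        # Managed device with an entitlement: no extra step needed.
        return Decision.ALLOW
    # Unmanaged endpoint: only the reduced component set, and only with MFA.
    if req.service not in unmanaged_allowed:
        return Decision.DENY
    if not req.mfa_satisfied:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """Render a one-line audit record so every decision is reviewable later."""
    posture = "managed" if req.device_managed else "unmanaged"
    return (f"user={req.user} service={req.service} device={posture} "
            f"mfa={req.mfa_satisfied} decision={decision.value}")


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    samples = [
        AccessRequest("alice", "files", True, False),
        AccessRequest("alice", "mail", False, False),
        AccessRequest("alice", "mail", False, True),
        AccessRequest("alice", "files", False, True),
        AccessRequest("bob", "files", True, True),
        AccessRequest("mallory", "mail", True, True),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

The entitlement table stands in for whatever group membership the directory provides; the point is that the decision is taken by policy, logged for review, and defaults to deny, rather than depending on a URL staying secret.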
This back-and-forth spawned further negotiations, which resulted in the supplier investing in an expensive archiving product. Meanwhile, the customer accepted that service uptime might not be 100%.
“As far as I know, they have not had [uptime] written into the SLA, though,” Okin said. “It may not matter, because these are two well-known brands, and so, if there was any trouble, my guess is they would both try to get it sorted out fast. But personally, I’d still like to see it in a contract.”
No consideration had been given to the fact that some future information accumulated by the cloud provider would be stored outside the country. For the customer, this meant implementing a more stringent secure development lifecycle to manage future applications, and recognising that the risk profile could change as a result of this new way of working.
Okin said he was able to work with the supplier to introduce the necessary controls, and insisted this can be done if clients are not blinded by the economic savings to be had, and are able to draw on what they might have learned from managing traditional outsourcing contracts. “Our experience from the assessment,” he said, “demonstrated that many lessons learned from outsourcing had not been considered.”