Security must take centre stage as Cloud Computing gains
momentum
Following the release of the UK Government’s updated ICT
Strategy and related G-Cloud strategy at the end of October 2011,
Vega highlights the issues and suggests the appropriate security
measures that need to be considered by organisations and businesses
throughout the public and private sectors looking to benefit from
cloud computing.
The launch of Apple’s iCloud service, as
enabled via IOS5, has brought the new buzz phrase – ‘cloud
computing’ – to the consciousness of the masses. The concept is not
new. It was back in 1997 that the late Steve Jobs said of cloud
computing…
"Never have I seen something more powerful
than this computation combined with this network that we now
have...in the last seven years, do you know how many times I've
lost any personal data? Zero. Do you know how many times I've
backed up my computer? Zero."
However, in the history of ‘absolutely secure’
solutions, none has survived untainted over time, and as cloud
computing gains momentum, we do well to use some of the
aforementioned vision to understand the security issues with cloud
and the measures – both current and future – that organisations
will need to deploy to give their customers and the public the
assurance they seek.
The challenge becomes even more apt as cloud
computing moves to underline the UK Government’s future public
services agenda ‘Digital by Default’.
To fully understand how to balance the
opportunity against the risk of cloud, we need first a clear
understanding of what the cloud is.
To most, the easiest analogy is the email
services offered by Hotmail, Gmail and almost every ISP, in which
the service provider takes care of all the hardware, software and
data storage necessary to support your email account. Access to
this application (email) is not restricted by location or a
particular device; you can access it at any time from any location
on your smartphone, your laptop, from an internet café… anywhere
from any device with an Internet location.
Indeed, one of the tenets of the cloud
proposition is that a user of data has no need to know where that
data is physically stored. By hosting the data and applications
centrally, developments in functionality and new ways of using the
data can be implemented with comparative ease. Investments in IT
personnel and IT infrastructure are concentrated, therefore
offering the realisation of greater value.
Clearly such a liberated access environment
presents some security challenges which have led to a number of
variants that extend the concept of the highly liberal cloud
environment.
A private cloud is
established for use by a closed community of users within a single
organisation, but is likely to still use the internet as the
primary communications link.
A community cloud extends the
concept to cover several organisations with a shared purpose.
Then there is the secure
cloud. The secure cloud has been mooted by a number of
Governmental and non-Governmental organisations as providing the
benefits of data and application freedoms, but within a secured
environment. In particular, hardening of communications links
through the use of dedicated communications links and high grade
encryption; and the use of highly resilient data centre
technologies. However, is the prefix ‘secure’ deserved?
Despite an ever-evolving range of impressive
technologies that can be deployed to bolster security, as any
security expert will tell you, the greatest threat to IT security
is you. OK, maybe not you personally, but the collection of people,
policies and procedures that make up an organisation. The ‘insider
threat’, as it is known, extends beyond the disgruntled employee to
include the unthinking actions of many who allow data integrity
flaws; the introduction of malware; or unauthorised access to
systems. Unfortunately, when we outsource our data storage and IT
infrastructure, we do not outsource the risk. Indeed, when we
outsource, we effectively extend our organisation to include
people, processes and procedures that we have little direct control
over; we extend our risk rather than address it.
When adopting a cloud environment, we must
always therefore consider how we, as the information owners (rather
than the cloud service provider), will manage the risk. This has
significant implications for the contracts that we enter into and
the skills and competencies we retain in-house. How are we going to
ensure that the people, processes and procedures deployed will meet
with our approval? How will we ensure that escalation of IT issues
mesh with the management of business risk?
Consider for a moment if your organisation was
required to send a letter similar to the following that was sent by
the Chief Executive of a cloud computing service provider to his
customers earlier in 2011. The first paragraph read…
“In the normal process of reviewing our system
activity, our Security Team discovered that an unauthorized third
party may have viewed your account information, including payment
card data. We immediately took action to protect our customers,
including notifying federal law enforcement authorities, who have
since seized the computing equipment and records of the single
individual suspected of this misconduct. The criminal investigation
is ongoing, and we will continue to assist the authorities in
working towards a successful prosecution.” (ref GoGrid March
2011)
What this letter addresses is not the
manifestation of a technical risk but the manifestation of a threat
to the business. Structures and methodologies (such as ISO 27001)
for working through risks and their mitigation are not, therefore,
IT standards; they are business survival standards.
In an environment where your data is important
to you, you will ABSOLUTELY want to know where it is stored; you
will ABSOLUTELY want to know who has access to the servers the data
is on; and you will ABSOLUTELY want to know that the correct
procedures have been implemented and adhered to. It is insufficient
to allow a service provider to police itself with firewalls,
intrusion detection systems and a dusty procedure manual. Coming to
market now are third-party business assurance services, originally
designed to protect against advanced hacking techniques, that are
maturing to allow you to protectively monitor your data and the
processes that impact that data. At this time, it is mostly the
military that are taking up this level of protection. However, with
the benefits of cloud computing coming to the fore across
Government public services (and the chain of suppliers therein),
and the need to provide the necessary level of security, protective
monitoring services will increasingly be used by organisations to
provide assurance of their ISP.
To ask ‘is cloud computing secure?’ is to ask
the wrong question as it implies a technical risk that will be
addressed by a technical solution. While striving for agile,
cost-effective and environmentally sustainable ICT, one must
consider this is a business risk, a risk to shareholder value, and
a risk to the citizen. The questions should be ‘are
you able to manage [or live with] the risks to
your business when adopting such an approach to your data and
applications?’ and ‘are you ready to step up to
the responsibility of managing the data you are
responsible for, and for the actions of your
ISP?’.
Contact Vega for more information about cloud
computing security