Martin Kuppinger: Cloud Computing – a security risk?
March 2010 by Martin Kuppinger
Cloud Computing is all the rage, but while most enterprise IT departments are eager to explore the possibilities offered by decentralized infrastructure and applications, they are also deeply worried about possible security risks. And they’re right. Before heading for the cloud, IT departments and business leaders need to solve a number of issues, the first of which may sound almost too simple. They need to answer one very basic question, namely: What do we mean be cloud computing?
Like with most hype IT topics, everybody seems to have his or her own definition of what it’s all about. The vendors and their marketing departments tend to complicate matters further by trumpeting out their special brand of cloudiness tailored to fit their own existing product portfolio or, worse, products that are still on the drawing board.
Cloud Computing is all about service
In a nutshell, cloud computing is the first step toward truly service-oriented IT; one that is able to adapt itself better, faster and more flexibly to the everyday needs of lines of business by orchestrating a wide range of IT services to fit their special requirements and situations. These services can be provided either by internal or external providers. As long as they offer top quality, it really doesn’t matter that much whether they are supplied in-house or from outside. In fact, the trend seems to favor outsourcing, but that really isn’t essential to the cloud vision.
This explains why users are so confused. Confronted with a jumble of catchphrases such as “private” clouds via against “public” clouds, they don’t know what to believe. Some vendors muddle things up further by suggesting a mix of both – often referred to as “hybrid” clouds. Pity the poor layman! Maybe it would be better to avoid the „cloud“ moniker altogether and to talk instead about „internal“, „external“ and „mixed“ services. And in actual fact, most IT departments in the past have ended up opting for some kind of hybrid model, so for them at least all this is really nothing new. Most companies have been using external services for years. External backup, managed eMail services, virus library updates, web hosting and web conferencing are everyday stuff, as are specialty services from outsiders such as services offered by DATEV, a large German tax assessment service provider. IT outsourcing, by any name, is actually a form of cloud computing, more or less. So nothing new under the sun, it seems. Cloud computing is just a nice new label for something that has been going on for years. Just think of SaaS (software-as-a-service) or demand computing and you get the picture.
Securing the cloud
All this is not to say that the security issues facing cloud computing are also old news. Yes, outsourcing has always carried its risks, and many of these have been successfully solved in the past. But the nature of next-generation cloud computing is also changing the nature of the threats. New technology, as a rule, brings new hazards.
Possibly the most important aspect of cloud computing is that it forces IT departments to abandon their hitherto often rather opportunistic handling of outsourcing in favor of a straightforward, strategic approach. This means that providers must be chosen on the basis of service quality and because they offer the best service and because they offer the proven ability to adapt to the needs of the customer. Customers following a well-planned cloud strategy will also insist on being free to switch vendors if it turns out that their provider simply can’t cut the ice.
The capability to move from one vendor to another inevitably brings new risks – and new chances. The later arise from the fact that strategies tend to favor standard solutions and formal criteria on which decisions are based. In this case, odds are that security will receive greater attention than it would if decisions are made ad-hoc. The risks lie in the fact that working with many different providers simultaneously makes the job of overseeing each of them more difficult. New challenges also arise from the necessary virtualization that outsourcing by its nature brings about. It would be wrong to underestimate the workload this causes.
The compliance perspective
Similarly, it would be a mistake to take compliance issues too lightly. Processing personal data outside the European Union is generally seen as a bad idea in data and privacy protection circles, at least on this side of the Atlantic. It can also be positively illegal since the European Data Protection Directive positively forbids it in many cases. If you don’t want to land in jail yourself (or worse: send your boss to jail inadvertently) you should think long and hard about how you deal with data protection in a cloud-based infrastructure.
There are other regulatory issues to deal with, as well. Especially in the finance business, but also in others, industry-specific rules often determine what may and may not be outsourced, and these often apply to cloud computing, too.
Getting started in the cloud
IT risk management is always a good first step towards entering the cloud. If you are aware of what can go wrong, you can make smart choices about individual services and outsourcing opportunities. This means evaluating the offerings of vendors from a risk perspective and determining which can be used for each cloud application based on the nature and sensitivity of the data involved.
Risk management also calls for a consistent and comprehensive evaluation of the service on offer. This involves not only looking at the risks themselves but also at the environment in which the service is to be hosted and run. Which security measures are in place? Where are the data being stored and processed (especially personal information)?
“In the cloud” isn’t the answer you want to hear. Push your service provider to give specifics. The same goes for encryption. Ideally, data should be encrypted over its entire lifecycle („at rest“, „in motion“, „in use“). Can your provider guarantee this? Is he willing to sign an SLA? Maybe it would be a good idea to compare the vendors service level agreement with existing ones from other parts of your company, just to make sure he hasn’t left any loopholes. But contracts are one thing, making sure the vendor lives up to them is another. Monitoring SLA compliance can be tricky, especially since many cloud providers believe their customers don’t want to be bothered by pesky details. After all, isn’t that why they’re going cloud, just to rid themselves of everyday hassle and bother? Think again! Keeping tabs on your provider is essential to any successful cloud strategy. And if he tries to wriggle out of giving you all the information you need to assess his performance – fire him and find someone else!
Cloud computing also calls for end-to-end administration, authentication, authorization and auditing. No cloud solution can do without full identity and access management (IAM) capabilities if you want to make sure that security policies are truly enforced within the cloud. Unfortunately, most cloud vendors aren’t up to snuff on IAM. They often lack standard-based interfaces for external identity management and monitoring. There is no excuse for this. Standards such as SAML, SPML or XACML have been around now for years and belong in any decent cloud service tender. Customer should watch for them and press the vendor for details if they are missing.
Virtualization, on which most cloud computing technologies are based, involves certain unique risks that must be dealt with, preferably before taking off for the cloud. Since we are dealing with “idealized” machines here, and not with real, old-fashioned dedicated servers and storage arrays, security concepts designed for individual physical systems need to be examined to see if they work in a virtualized environment, too.
Finally, risks tend to multiply in mysterious ways once you start to work with more than one provider, especially if internal and external services are mixed together. However, these usually concern only availability issues, not overall security, at least if good “Cloud IAM” is in place.
Auditing the cloud
Data leakage can be embarrassing, especially if personal data from users and customers is lost or released. Incidents like that can even threaten the company’s existence if too many angry customers start heading for the door. Well thought-out security strategies, SLAs and close provider monitoring can help lower that risk.
Multi-client capability is a key issue here. Cloud providers must be able to prove that data from different clients are clearly separated. This can be difficult if internal legacy applications and databases are transferred to external, cloud-based systems. Unfortunately, most run-of-the-mill cloud offerings lack this basic capability or only offer it in very rudimentary form.
Cloud providers have their work cut out for them here. They are under pressure to speedily implement important industry standards such as SAML, SPML and XACML so that their systems can be controlled and monitored from outside by the customer. Here, the usual market effects will almost certainly weed out the bad apples within a relatively short time, leaving behind only those who can offer their customers true, secure, multi-client capable cloud services.
Cloud Computing – a calculated risk
Nevertheless, cloud computing remains a calculated risk for most IT departments. This goes, however, for any kind of externalized service. The past has shown that companies by and large are pretty good at dealing deal with residual risk. The strategic decision to enter the cloud calls for extensive rethinking within the IT organization itself. Clearly-defined, end-to-end service management at every level is the final goal. That way, IT professionals can keep their eye on the risks while enjoying the undeniable cost and efficiency benefits that cloud computing can bring. If, on the other hand, cloud is seen as “just another service”, the risks may in fact be incalculable.
Martin Kuppinger is Founder and Principal Analyst of Kuppinger Cole, which has become one of the leading Europe-based analyst companies for all topics around Identity and Access Management, GRC (Governance, Risk Management, Compliance) and Cloud Computing. Kuppinger Cole is the host of the European Identity Conference 2010, which has established itself as a leading conference on mentioned topics. Martin Kuppinger is the author of more that 50 IT-related books, as well as a widely-read columnist and author of technical articles and reviews.