Cloud computing may be inevitable, but security concerns about the technology platform just won't go away.

“The cloud” is unquestionably the hot new thing in the IT world, with supporters across Corporate America and the government sector alike touting its low cost and (allegedly) simple implementation. Still, concerns from legal, audit, and risk-management types stand in the way of mass adoption—and for good reason.

Cloud computing and its relatives, such as software-as-a-service, provide a way for companies to outsource everything from data storage to powerful service applications, paying only for what they use, scaling rapidly, and cutting IT costs in the process. But ever since its introduction, cloud computing has also been plagued by concerns about data security. Worse, vendors aren't close to solving the problems.

“From the perspective of enterprise-scale cloud adoption, how are you going to make me comfortable when I move my computing capabilities out of my control?” asks Cara Beston, national technology sector leader for PwC's risk assurance practice. “How do I know you have my back?”

It's a multi-billion-dollar question. The answers, cloud security and compliance experts say, involve knowing one's own data and processing intimately, pinpointing what should and shouldn't be outsourced, hammering out detailed contracts with cloud-service providers, and then keeping tabs on those providers' performance.

The risks are real, says Steven Teppler, a partner at the law firm Edelson McGuire who helps lead the American Bar Association's e-discovery and information security committees. “The problem is once you move to the cloud, there are no standards for security. There is no way to audit anything” consistently, he says. In virtualized computing environments, where a company's data may reside and circulate among multiple data centers, how do you define data preservation? How do you preserve integrity as it zooms from hard drive to hard drive? What does archiving mean in that setting? How do you preserve confidentiality?

Complicating matters is the common practice among some cloud computing vendors of “sub-sourcing services”—that is, when cloud providers outsource to other cloud providers. A company with concerns about customers' private health information, for example, could find its data outsourced to “some godforsaken country where there's no privacy law,” Teppler says.

“You may come back and say, ‘My service-level agreement says this,'” Teppler continues. “But how do you know they're not sub-sourcing? How are you going to negotiate that with a major cloud provider, unless you're a mega-sized company?”

Beston says sub-sourcing indeed happens all the time. One of her clients, a cloud-services provider, doesn't own a single computer server. They simply rent storage and processing power from Amazon.com, which, in addition to its retail business, is by far the biggest player in cloud computing. “Everything's on Amazon,” she says, “and the customers of my client don't have the rights to Amazon's SAS 70,” the IT security report meant to ease worries about data privacy.

Un-clouding Security Standards

It's not all bad news. The problems associated with compliance and cloud computing are already well defined. Everyone from technology companies to standards organizations such as NIST, ISO, the Cloud Security Alliance, and CloudAudit are working on solving them. There is historical precedent, too: similar concerns loomed over the disruptive technologies of the past. The transition from mainframes to client-server technology more than 20 years ago presented new security and compliance problems the market was able to solve, says Richard Rees, EMC Consulting's practice manager for virtualization and cloud security. The same thing's happening now, he says.

And while true cloud-security standards don't exist yet, they're coming, Rees says. “The capability is there, the technology is there, and organizations have been working to put this together in the past 18 months, so we're going to see a lot of movement in 2011,” he says.

Craig Balding, editor of CloudSecurity.org and an IT security expert for a major financial institution, says security technologies capable of dealing with the complexity of the cloud may take time. New technologies, he says, “will definitely fuel the adoption of the cloud, but so far, aside from evolutionary technology steps, I've only seen optimistic announcements—not ‘real world' implementations.”

CLOUD COMPUTING RISK ASSESSMENT

The following information from PwC explains what risks are associated with cloud computing, what cloud providers are doing to thwart risk, and the benefits of third-party assurance:

With cloud computing, risks include:

Security—You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data could be accessed by other cloud users. The same is true for data viewed and misused by cloud administrators.

Privacy—You are obligated to protect customers' and employees' personal data, such as social security numbers, health information and credit card numbers, from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers' personal information can also result in fines.

Availability—Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if the provider has adequately prepared for high usage levels across multiple cloud users. This is an especially relevant concern for companies considering moving transaction processing to the cloud.

Data Integrity, Retention and Ownership—You rely on data to forecast, report and manage your business. Inaccurate or incomplete data coming from a cloud provider's systems could result in poor forecasting or incorrect public reporting. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines, penalties or judgments for non-compliance. Finally, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts.

Providers try to address user concerns with:

Self-assessments: Providers prepare assessments based on arbitrary frameworks, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.

Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities, but a provider's need to protect confidential processes can limit the scope of customer audits. Also, cloud users need specialized resources to conduct effective audits.

Service level agreements (SLAs): These agreements spell out the provider's obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.

SAS 70 reports: These reports address a provider's internal controls as they relate to information processing systems that support financial reporting. But cloud computing risks go far beyond those relevant to financial reporting. So while the SAS 70 delivers insight, it is not sufficient to address the full scope of risks associated with cloud computing.

Third party assurance will help you understand a cloud provider's controls in any one or all of the following areas:

Security policies and procedures, including encryption, identification, authentication and access management capabilities

Availability procedures, monitoring and resolution to ensure systems or services meet minimum performance levels for availability according to SLAs

Ability to comply with relevant privacy requirements

Data and transaction processing capability

Source: PwC Whitepaper on Protecting Your Brand in the Cloud (December 2010).

Teppler is equally cautious about digital silver bullets. “When Sarbanes-Oxley came out, the vendor community co-opted the entire space. I saw more buy-and-comply solutions than I have fingers and toes, each one of them a lawsuit in the making,” he says.

Lawyers, auditors, and technologists agree that ensuring security and compliance in the cloud depends on hard thinking and assessing one's data and processing.

Robert Stroud, an ISACA International vice president and CA's cloud computing and governance evangelist, says classifying data is central to the effort. For example, he says, KFC would probably think twice before storing its secret 11-spice recipe in the cloud. “But if it's my chicken-ordering stuff, if I don't consider that confidential, maybe I will put that in the cloud,” Stroud says.

IBM is working on cloud-computing solutions for the U.S. Air Force as well as major financial-service and healthcare clients—organizations that must have secure data and be able to prove it, says Jason Hilling, portfolio manager for IBM's managed and cloud security services. What these organizations have in common, Hilling says, is a strategic approach to the cloud, one predicated upon “a lot of forethought in what types of workload and data are moving to the outsourced environment.”

Being strategic requires mature IT risk management and procedures, Hilling says.

“You have to know where your data is and how it flows,” Rees adds. “You have to know your own requirements—what can be virtualized, and what can be shared in this collaborative processing model.”

With the decision to take certain types of data, applications, or processing to the cloud, the challenge becomes how to audit that data and verify how your cloud service provider is managing it, explains Dennis Hurst, a Hewlett Packard security specialist and a founding member of the Cloud Security Alliance. Service level agreements (SLAs) with cloud-service providers are a critical element of the security equation.

SLAs do need to evolve to spell out more precisely how the cloud-service provider intends to meet your security, compliance, and auditing needs. Most companies could do a better job with their SLAs, says Carolyn Holcomb, the PwC partner who leads the firm's data protection practice.

Holcomb says SLAs are too focused on “mundane features” and not specific enough about confidentiality and information security. Monitoring is often a glaring weakness, too. “Companies are going to need more access operationally to how well the cloud providers are actually meeting their service level agreements,” Holcomb says.

Ultimately, the immense potential of cloud computing comes with added responsibility for those who wish to tap it, Teppler says. “You have to really understand what you're getting into before you jump,” he says. “You're jumping into a cloud. Make sure you bring a parachute.”