What are the main benefits & risks associated with using cloud applications?
I’m mainly going to skip over the benefit side of this question, just because the cloud market would not be valued at $75bn this year and predicted to grow to $121bn by 2015 if folk couldn’t already see the point of it.
Thus far the draw has mainly been cost:
– Cloud vs. owning (or extending) your own data centre
– Cloud vs. developing and/or hosting systems in-house
– Cloud vs. setting up and maintaining a development environment
These are all commercial no brainers.
There’s also strong evidence that nervousness associated with data handling in the cloud is rapidly ebbing away.
Forbes did a roundup of cloud computing forecasts and found 64% of 1,600 CIO’s interviewed saw cloud technology as crucial to customer engagement. Implicit in those results is the need to interact and exchange data with customers via the cloud.
But, (quoting a 24th October Privacy Law Blog post by Alexander De Gaye)
A recent sweep with participation from 26 data protection authorities across the world revealed a high proportion of mobile apps are accessing large amounts of personal data without meeting their data privacy obligations.
Out of the 1,200 apps surveyed, 85% failed to clearly explain how they were collecting and using personal information, 59% did not display basic privacy information and one in three requested excessive personal information.
This represents the most recent triumph of convenience over security. Human nature doesn’t morph to comply with corporate-dictated conduct when people clock on. Shadow IT is the result, with the lure of “quick, cheap and easy” working inside the business and out.
Yes, most of the vendors your staff contact won’t chance it with data and access as much as the mobile app crew. Yes, regulations, laws and consumer choices will nudge this back in the right direction. But until then, vigilance, universally understood cloud policies, security awareness and due diligence are the main pillars of your defence.
Summing that up in two words…
Caveat emptor
At the highest level, this is my take on what can trigger the most pain:
– Data Tracking – Not knowing what data is where (or how to selectively get stuff deleted or returned to meet legal retention obligations).
– Access – Who can get at what and how good an eye is kept on it.
– Clear text – Whether everything that should be encrypted can be and is.
– Problem & Incident Management – Not getting told quickly if your cloud stuff slows down, breaks or gets broken.
– Resilience & Recovery – Not having confidence that problems with cloud function, capacity, availability and/or security can and will get fixed before too much hurt is caused.
– Downstream Vendor Governance – Not knowing what your supplier’s supplier is up to.
– Poor Functional Fit – Trying to ram bespoke shaped applications and processes into cloud shaped holes.
– Interoperability – Having poor understanding of what you can and can’t splice together in the cloud
– Responsiveness – Beyond due diligence, will your cloud vendor talk to you? Do you really get the challenges and costs that come with arm’s length oversight?
Let’s add a little more meat to those bones.
Data Tracking a.k.a. where in the world is my data?
Writing vendor responsibility to track data into contracts isn’t enough. Check their capability and understand exactly what you are sharing and with whom. If you have no useful unique identifiers for records, can’t filter data based on age and confidentiality, and a bulk data analytics solution isn’t part of the supplied service, neither you nor your supplier can comply with PII or financial data retention law.
Cross-border data protection and retention requirements are brutally complex and still evolving. Not just that, relevant expertise in-house and in consultant-ville is still relatively scarce. With the focus on retention in new EU and other global Data Protection legislation, businesses have to think hard before firing Personal (or any confidential data) into the cloud.
Access – a.k.a who’s got their grubby mitts on my data and infrastructure today?
Stealing your keys is still the best and quietest way to break in. True for houses, cars, networks and systems. It might feel basic and obvious, but do spend enough time working out whether access mechanisms and processes are up to scratch.
Understand not just policy but practice for access management. Check system capabilities. Can the bought-in service allow enough granularity to sensibly segregate roles? Does it support two-factor authentication, captchas, retry limits, complex passwords and other controls needed mitigate the risk linked to what you want them to do? Is there a certificate from a respected authority, a de-Heartbleeded implementation of SSL and no other gaping holes in access interfaces or other control layers?
Clear Text – a.k.a. why did I bother setting up a 20-character password?
Encryption isn’t a panacea, and there’s always the question of key management, but it dramatically reduces the risk profile for data and credentials in transit. Check where vendors can implement strong encryption for the end-to-end data journey, but be realistic about exposure to interception if there are potential problems with functionality or capacity.
Problem & Incident Management – a.k.a. am I always the last to know?
Largely obvious – do they know quickly when something breaks (monitoring real-time availability and anomalous activity)? Do they have a proven incident management process in place to niftily deal with things that will go wrong? Is the absolute need to notify you promptly part of their processes? Did you flesh all that out before signing a contract?
What about legal and regulatory breach notification requirements? That’s still a moving picture for EU data protection law, but you need to keep an eye on the outcome.
Recovery & Resilience – a.k.a. but they said it would be ok.
When (yes WHEN) systems get nailed, go bang, or need to roll back, will things get fixed as promised? In a similar vein to access management – do your due diligence! Beyond simply agreeing SLAs, dig into their established resilience. Do they have cold/warm/hot alternative sites? If there are mirrored systems and infrastructure, does this really mean instant failover? Does their ability to get stuff back up (or back to a good enough state) allow you to meet internal and contractual availability targets for all affected services? Is recovery capability theoretical or tried and tested?
Downstream Vendor Governance – a.k.a. I didn’t know dev was done by a bloke in his bedroom.
How low do you go? Don’t take it for granted that the state of the art facility you saw during contract negotiations is the whole supply story. How many downstream or sideways supply links work together to deliver your nicely packaged solution? Will you get to poke around to see? Unlikely, but you can drill into their own vendor/partner governance practices; do they get notified of incidents, regularly audit security, monitor availability, make sure access management is up to scratch, keep a handle on any cross-border data handling challenges etc, etc?
Poor Functional Fit – a.k.a. where have all my savings gone?
Orchestration – a complex sounding concept you can’t afford to shy away from. Just because competitor A dives in to use a cloud app, don’t assume it is suitable for your purposes. You need to understand what you are outsourcing. Pick apart the people, process and technology elements of what you want the vendor to do. In other (now ancient and exhaustively repeated) words, don’t outsource a problem. If you miss overheads and changes needed to make it work for you, those savings you pitched gleefully to the board will bleed quietly away.
Interoperability – a.k.a. legacy and complexity bite back.
Very similar to the last point. It’s oh so tempting to try and cloudify the oldest, clunkiest, and most expensive to run stuff. But, these are the things most likely to bite you in the rear. Vendors can offer sexy savings (while making a handsome profit), by gaining economies of scale. Using latest (overwhelmingly virtualised) technology to make each extra unit of service cheap. Specialists design APIs and more traditional connectors to splice together disparate, old and new bits of end-to-end systems, but that isn’t cheap or easy. Even if a vendor loss-leads to nab the deal, the next upgrade, functional addition or security control needed could be extortionate or impossible.
Responsiveness – a.k.a. feeling like a very small fish in their very large pond.
By the very nature of a cloud solution, you are NOT their only customer (and almost certainly not their largest customer). Big multinationals can sometimes demand changes to standard cloud offerings, insist suppliers accommodate hefty annual audits, and expect them to pick up the phone when they call, but you probably can’t. Everyone underestimates the extra time and effort needed to make arm’s length oversight of systems and processes work.
Your vendor governance BEGINS with due diligence. Pay attention to the signals sent during tender and selection. Are they dragging their feet, not wheeling out the SMEs you need to speak to, and loathe to give you more than generic statements about security? If so, it doesn’t bode well for bedding in and maintaining the cloud solution. If the application isn’t handling confidential data and isn’t critical to the operation of any of your services, it’s not such a biggie. If it is and you’ve done the orchestration, you’ll know the hand-off points for support, development, maintenance and incident management. Use that to work out and agree the amount and frequency of on-going interaction you need.
The good news?
Vendors want to provide a secure service (or at least fear a fine or newsworthy breach as much as you). As a result, worthwhile firms will provide evidence of robust controls IF ASKED.
As well as price and efficiency economies of scale, they benefit from security economies of scale. Economies passed on to you. Fantastic, as long as their standard security offering ticks your risk and compliance boxes or, if it doesn’t, more security can be bolted on easily and cheaply.
None of this is meant to rain on anyone’s parade. There are still dramatic cost, flexibility and effort savings available to those who judiciously invest in cloud solutions. BUT (and this is worth repeating) don’t cut corners with your due diligence. We all know it’s the right thing to do, but that scent of quick, cheap and easy is intoxicating
*********************************************************************************************************
This is not and was never intended to be an exhaustive look at cloud risks, but it is a start. For extra detail you should keep an eye on NIST’s developing Cloud Computing Roadmap (updated this month) and great guidance from the Cloud Security Alliance. (“The CSA Guide To Cloud Computing: Implementing Cloud Privacy and Security” by Brian Honan, Raj Samani & Jim Reavis is also now out.)
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.