Monday, March 1, 2010

Cloud Computing Security: "Cloud Nine" or "Lost in The Clouds"

   Image Credit: Technology Review
This week the Cloud Security Alliance (CSA) released their report "Top Threats to Cloud Computing". The CSA states the reason for this new report as being...

"... to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to Security Guidance for Critical Areas in Cloud Computing."

The top threats as identified by CSA in the report are...

1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Application Programming Interfaces
3. Malicious Insiders
4. Shared Technology Vulnerabilities
5. Data Loss/Leakage
6. Account, Service & Traffic Hijacking
7. Unknown Risk Profile

For each threat the CSA lays out for the reader a detailed description of the threat, examples of the threat, remediation strategies to avoid the threat, and links to reference material on the web to learn more about the threat. I highly recommend that CIOs, CFOs and IT staffers read this document if they are using, or considering using, hosted Software As A Service (SAAS) solutions.

There is no doubt at all that these threats, despite all the attractive technical and business benefits of cloud computing, should give pause to those businesses considering moving to SAAS solutions. In this world there is no "Silver Bullet", no "Free Lunch", and the Second Law of Thermodynamics says things tend to get worse if you don't pay attention. The same is true here. "Cloud Computing" is not a problem-free panacea for businesses looking to reduce internal IT cost while still delivering the reliable, scalable, affordable, manageable computing services a business requires.

Having said that, one thing that immediately jumped out for me as I read through these well described and illustrated threat summaries was how every single one of them is already a security issue, to a higher, lower or similar degree, for premises-based "in-house" solutions. So no matter your choice, you are going to face similar problems.

In a prior blog post, where I discussed the concept of a "Private Cloud" approach to computing, I summarized one attractive benefit of "in-house", "premise-cloud" solutions as providing the CIO or CFO with the proverbial "throat to choke" when things go wrong from a reliability, scalability or security standpoint. What this means basically is that with an internally owned and operated computing infrastructure there will always be one or more persons inside the organization who can be held accountable. Job security is always one very effective way to guarantee that internal IT staff are personally engaged in ensuring that corporate software solutions, and the data stored on them, are kept available to authorized users and secure from malicious use.

However, it is also true that a well-considered and well-written contract with an external cloud computing vendor, one that includes specific legal remedies for lost, stolen or mishandled data and applications, can be a powerful means of making sure your vendors deliver on their promises. In fact, it might be argued that contractual incentives for an external vendor to deliver the security and confidence your business needs for its mission-critical applications can be much more powerful in making sure you "get what you are paying for" with cloud computing solutions.

But once again, to do this right, there is no free lunch. If you are migrating to broad-based use of SAAS solutions in your enterprise, you had better do your homework and read reports like the one from the CSA. If you put the time in to research these threats, specifically how they show up in the cloud versus premises deployments, you'll know how to intelligently and creatively demand the security you need when you write contracts with SAAS vendors. That's your "Cloud Nine" scenario, where you get to be a SAAS hero. But beware the trap of trusting the cloud vendors too much. If you fail to make sure your vendors are motivated by legal contract to ensure you are getting secure solutions, your critical and important corporate data and applications, and your job, may well end up "Lost in the Clouds."