As an
information security professional I am often asked about the Cloud, in
particular “Is the Cloud safe?” and “Should I use the Cloud?”
For me the starting point should be:
For me the starting point should be:
“What data do
I want to put in to the Cloud and how important is that data to me in terms of
confidentiality, availability and integrity?”
The answers to these questions, combined with an appreciation of the risks associated with using the Cloud will then enable you to decide if using the Cloud is for you. More importantly it will allow you to manage the risks involved. This approach will enable your business to meet its objectives whilst managing the risk to an acceptable level.
What is the
Cloud? Well in short it is a great marketing gimmick. There is no one individual
such thing as the ‘Cloud’. The Cloud is a term used to describe multiple
service offerings such as Software as a Service (SaaS), Platform as a Service
(PaaS) as well as Infrastructure as a Service (IaaS). All these are
characterised by the use of on-demand provision, rapid ability to scale and are
based on payment solely for the amount of resource required at any given point.
Cloud provision often makes use of shared virtual services for the storage and
processing of data.
Organisations
can implement their own ‘Cloud’ or can partner with an external supplier to use
the external party’s infrastructure. The basic premise is that you only
provision the services required to meet your needs and that you can then grow
and shrink this as required, with the organisation only paying for the resource
consumed.
Key Risks
What are the
key risks presented by using the Cloud? For me the key risks and some of the
issues that an organisation should explore when looking at the Cloud break down
as follows:
What legal jurisdiction will my data
be held within?
As an
organisation you should be aware of how legal requirements to disclose data may
be affected by the geography of where the data is stored. If you are based in
the UK and use a US based Cloud provider, consider the impact on your
organisation if the US courts enforce disclosure of your sensitive data. Where
the Cloud is used to store or process sensitive personal data, there may be an
impact on your compliance with the required regulation (Data Protection Act,)
which you will need to fully understand and mitigate.
Will your Cloud provider place your
data in multiple geographies without your knowledge?
Different geographical locations mean
different legal jurisdictions, which will have an impact on your legal and
regulatory requirements within each of those regions. This may restrict the
type of data that can be stored or processed or limit how the data in question
can be transferred between locations. The ability to encrypt data will also be
impacted within certain locations due to export restrictions.
Who else may have access to my data?
Many Cloud services are based on the
use of shared services / Multi-Tenancy solutions. The benefit to the end user
is reduced costs, but this can also lead to security concerns. The data may be
at risk of attack from another user of the same Cloud service due to the
architecture in use. Consideration should be given to how the Cloud provider
has limited the possibility of data compromise.
Will my data be destroyed securely?
As discussed earlier, the idea of the
Cloud is that you can grow and shrink your resource requirement. When the data
on disks is no longer needed then it will need to be destroyed. You will need
to gain assurance that this has been destroyed in compliance with your
organisation’s standards, that the next user of that environment will not
accidentally gain access to your data and that you have met any regulatory
requirements.
What level of availability do I
require for my data?
The Cloud sells itself as always being there. The data is ‘in the Cloud’, so
you will always have access to it. However, the Cloud brings its own impact in
relation to your organisational Business Continuity Plans and Disaster Recovery
approach. Consideration should be given to scenarios where the Cloud provider
fails or your ability to connect to the Internet fails. This may render the
data unavailable.
What other unintended consequences
need to be considered?
The list
above is not exhaustive and there will be other issues specific to your
organisation that will need to be explored to enable you to make an informed
decision about using the Cloud. There will also be further unintended
consequences that the Cloud will introduce and as many of these as possible
should be identified to enable a robust risk managed approach to be undertaken.
An example of
one unintended consequence is that Cloud services are based on the concept of
paying for the service required and on the flexibility to grow and shrink the
required resource on demand.
Many providers have an automatic provisioning
system that enables you to manage the demand and will bill your organisation
automatically. Consideration should be given to the security of this approach,
focused on who can authorise the provisioning, how costs can be limited to an
acceptable level.
If there is a
flaw within the provisioning system then there is a risk that this can be
circumvented and result in malicious / fraudulent use. This could result in
large unexpected financial bills or legal action being taken against your
organisation for storing illegal data that was maliciously uploaded.
Bringing it all together
The Cloud offers a cost effective and flexible approach to manage your data storage and processing requirements. However, the Cloud is no different to the wider challenges of managing an organisation’s data securely. With these unique opportunities, unique risks will arise. A sound understanding of these risks will enable an organisation to assess if the Cloud is right for them and if it sits within the overall organisational risk appetite for data security. Risk areas identified can then be used to structure any assessment of potential providers to ensure that they can meet your requirements and that the contract will legally enforce this.
