Issue: Europe II 2010
Topic: How to stay secure in the wild west of cloud offerings
Title: Vice President R&D
Ville Laurikari is Vice President, R&D, of SSH Communications Security Corp. Prior to his current role, Mr Laurikari has served in numerous engineering management and software development positions at SSH and other software companies. Ville Laurikari holds an MSc in Computer Science from Helsinki University of Technology.
Confidential data is increasingly being stored and maintained by companies specializing in cloud services. But are these companies trustworthy? The cloud comes with its risks and, as with all IT outsourcing, recognizing and managing those risks is paramount. Identifying reputable cloud service providers and learning how to deal with them in a way that ensures the security of services as well as your data has to be a priority.
Companies are busy outsourcing non-core functions to cloud services. Yours is probably too. But how can you tell which services are trustworthy and which aren’t? By the end of this article, you’ll know what the typical risks are and the signs to look out for when searching for a reputable, stable service provider.

Economies of scale mean that cloud services are usually much cheaper than producing a similar service in-house. A recent Gartner report predicts that by 2012, 20 per cent of businesses will own no IT assets. Companies’ confidential data will increasingly be stored and maintained by other companies specializing in cloud services.

We are in the midst of a gold rush to the cloud and mobile. And where there’s a gold rush, there’s a wild west. Where there’s a wild west, there’s someone selling rat on a skewer (free ketchup!) and, quite possibly, snake oil. You want to avoid the snake oil.

Cloud service provider companies, by the way, make very attractive targets for hackers and industrial espionage. Imagine gaining access to all the data of Salesforce.com. That would be worth a lot of money to someone. A large service provider with many customers therefore has particularly high security requirements: a single breach exposes every customer at once.

Trends

It’s called ‘the cloud’, and it may be ‘in your mobile’, but in practice the security technology is the same as before. The cloud infrastructure still runs on computers which have CPUs and hard disks, network connections, operating systems and secure data connections that primarily rely on open standards such as SSH, SSL and X.509 PKI. Besides the security technologies, the cloud model itself isn’t brand new, either. In the 1960s, before the advent of the personal computer, the timesharing mainframe model was the norm. Despite these similarities with the past, the cloud isn’t a backward step. It’s a natural evolution from the desktop-centric world where each machine potentially has a different set of software.

Users have significant ability to install software that can basically ‘break’ their computer. When we take away some of this power from the user, the end result is a system which is less prone to breakdown but still able to provide the users with the services they need. The Apple iPad and iPhone are paving the way in this direction. The devices have been criticized for being too closed: all applications installed on these devices have to be pre-approved by Apple. But the reality is that most users don’t really want the freedom to tinker. All they want is a device which does what they need.

In the end, IT security always boils down to trust. The cloud is no different in this respect. You already have to trust your CPU manufacturer, your Internet service provider, and your operating system and software vendors. When you start using a cloud service, you are extending the circle of trust to the company providing the service.

Risks

As with any IT outsourcing, the cloud comes with its risks. While the monetary cost of these risks may be hard to quantify, they should still be considered alongside the other financial incentives for outsourcing.

There have been many instances where a service provider’s systems fail, data is lost, and there are no backups. It sounds amazing, but it’s true. The lesson is that, for the most critical data, you should not rely solely on your service provider’s backups. Your company must take responsibility for critical data itself, which means keeping its own copy and checking that the copy can actually be restored.

Data held hostage – You may be perfectly happy with a service provider today. But can you trust that you will also be happy next year? In three years? The provider might decide to raise prices enough to start making a real difference to your company’s bottom line. You should be able to get your most critical data out of the service provider’s system in some form.

Confidentiality – Let’s face it. Given that everyone and their uncle Sven from Norway is setting up their own business selling cloud services, there is a growing number of providers out there who simply don’t know the first thing about security. They will commit the most elementary mistakes, and your passwords and data may end up available to anyone. Usually, choosing a larger, established player who has been around for a few years is a better choice than going with Uncle Sven’s SaaS Shop.

Hostile insiders – When you send your data to a cloud service provider, you may be radically extending the circle of people trusted with access to that data. Do you know how many people have access at the service provider? Does the provider keep audit trails? Can you see them on request?

Complexity – Cloud services are increasingly interconnected through various application programming interfaces. Your confidential data may pass through multiple service providers with the click of a mouse (or even no clicks at all). Do you know, exactly, where your data resides and which companies have access to it?

Legislation – In many countries, data stored online has less privacy protection under the law than data your company keeps only on its own computers. This may or may not be relevant to your business or to you personally.

Help

Reading the above, you have probably by now spilled coffee on your lap at least twice with the sudden realization that you haven’t really thought about some of the cloud risks at all. Fear not: what follows are some pointers to help you spot a reputable cloud service provider, and to make sure you don’t end up with the short end of the stick when things go pear-shaped.

Stability – Large companies tend to stay around for longer than smaller ones. The same goes for profitable companies. Before building your business processes around a cloud service, you would do well to take a look at the service provider’s key financial indicators to gauge whether their business is fundamentally healthy or whether they are going the way of the dodo before you can say “hybrid parallel cloud application platform infrastructure”.

Data liberation – It is possible that, despite your best efforts, the cloud service you’re betting on goes belly-up in the future. If this ever happens, you want to get your data back. Depending on your level of paranoia, you may want to get your data back regularly for safekeeping, just in case the belly-upping happens fast enough that there is no one left to give you your data back. In order for you to get your data back, the cloud service must make your data available for download. Google, in fact, has an entire dedicated engineering team whose sole goal is to make it easier for users to move data in and out of Google products. This team is called the Data Liberation Front. From the Data Liberation Front web page (http://www.dataliberation.org):

“… we always encourage people to ask these three questions before starting to use a product that will store their data:
1. Can I get my data out at all?
2. How much is it going to cost to get my data out?
3. How much of my time is it going to take to get my data out?
The ideal answers to these questions are:
1. Yes.
2. Nothing more than I’m already paying.
3. As little as possible.”

Data liberation eliminates many concerns regarding cloud services. I hope it will one day be as commonplace as backing up, but until then, you may want to check how to get your data out before implementing a new cloud-based service in your company.

Terms of service – As with any contract, you should have a lawyer go through the terms of service to make sure that liabilities are appropriately disclosed and shared. You also want to make sure that the level of service is unambiguously defined. Also make sure that the contract defines appropriate financial incentives for the service provider to react swiftly to service outages and to proactively develop a more reliable service.

Ask – If you have any questions regarding the security of a service, and the documentation provided to you isn’t helping, you can always ask. If the company cannot provide satisfactory answers, you should assume that they may not have the issue covered.

Hopefully, this little list of risks and checklist of solutions will be helpful to you the next time you go shopping in the clouds. Just remember, it’s still a bit of a wild wild west, so be careful out there.