With cloud this and that everywhere we turn, I’m just about clouded out. What about you? Although the cloud computing marketing hype has about run its course, it seems that more and more people are jumping on the bandwagon. It has gotten to the point that it seems any time a business puts up a new website, it is their new “cloud offering.” Give me a break.
Why am I tired of the cloud as it stands? Well, first of all, with the marketing hype around the cloud over the past couple of years, you would think it is this wonderful new product/service that will solve everyone’s IT problems. The thing is, cloud computing is, by and large, the same thing it was when it was called “application service providers” (a.k.a. ASPs) and managed services a decade ago, as well as the more recent term, “software as a service” (a.k.a. SaaS).
The “cloud” — formerly known as the Internet — does offer some interesting application and computing architectures that businesses should be able to benefit from. The value propositions include quicker startup times, lower costs, and the need for minimal IT involvement and oversight. Sounds like a great idea on the surface; but, as most of us have found out the hard way, computers, applications and IT are not that simple.
The biggest misconception — and risk — is that once applications, network management and other IT services are moved out of the building and into the cloud, there is instantly less to worry about. Sure, maybe there are fewer servers to manage and less Internet bandwidth to worry about, and, perhaps businesses that have never invested the time and money into writing a solid disaster recovery plan now have a fighting chance when the unexpected occurs. But the harsh reality is that just because someone else is managing a chunk of your information systems, does not mean that you and your business are any less responsible for ongoing security, compliance and information management.
Just read your contract and service-level agreements (SLAs). Savvy cloud computing vendor executives and their lawyers know better than to fully take on those burdens. Even the grandest of legalese will not keep a breach from occurring in the first place, so contracts and SLAs only go so far. Just as important, do not fall for the hype — a vendor’s cloud environment is not necessarily secure because of an attestation regarding its general security controls has been made via a SAS 70 report. Real security flaws exist much deeper in the cloud environment. Even if you send a 100-page security questionnaire to your cloud providers and everything checks out, there can still be serious security gaps. The only way to be (nearly) certain that everything is in check is to also perform an in-depth security assessment, or penetration test, of the cloud environment. You may ask permission and do this yourself or ask your cloud vendors for the latest results of their independent assessments. If they balk at either one, that may be an indicator of an organization that you might not want to do business with.
Going beyond the obvious, some additional cloud concerns you may not have thought about include:
How are information classification, retention and destruction handled by your cloud providers? The cloud and all of its complexities create the ideal scenario for a data breach even after the data has been “destroyed.”
Who owns your data? Are the providers claiming ownership? What are the providers’ rights when it comes to handling your data? What’s going to happen when you need access to your data? What’s going to happen to your data when your cloud providers are acquired by third parties?
Have you gotten your attorneys involved so they can determine how your cloud strategy is going to impact related contracts, policies and SLAs?
Overall, you need to ensure that all the right people are involved, and everyone’s expectations are set regarding who’s responsible for what. Speaking of contracts and SLAs, customer service (or lack thereof) is another huge consideration for cloud computing. I have seen numerous cloud service gaffes that greatly affected me and my business. Granted, I have a tiny shop, but I could only imagine if the same thing happened in businesses with a few dozen — maybe even a few hundred — employees. I would be willing to bet that some heads would roll.
Above and beyond these issues you will experience when dealing with cloud providers, you are still going to need someone internal to your business who is responsible for managing everything on a daily basis. When it comes to IT, nothing is completely hands-off, not even with cloud computing.
What I’m trying to say is, think for yourself when it comes to the cloud. Don’t fall for the fast-talkers and marketing slicks. If there has ever been a great example of “talk is cheap” in IT, it is with the cloud, so buyer beware. Do your due diligence before going down this path. You must — it is just too risky otherwise.
Kevin Beaver is an information security consultant, expert witness, author and speaker with Principle Logic LLC. With more than 21 years experience, he specializes in performing independent information security assessments. He has authored eight books on information security including “Hacking For Dummies.” He is also the creator of the Security On Wheels information security audio books and blog. Contact him at www.principlelogic.com and follow him on Twitter at @kevinbeaver.