Cloud; Barriers to adoption

My second post relating to cloud computing will focus at a high level on what seems to be the current major barrier(s) to the wider adoption of cloud use by businesses.

Future posts will likely go into more detail around technical threats such as side channel attacks (e.g. trying to connect to the target guest server from another guest known to be on the same host) and cartography (“mapping” the target environment by methods such as traffic sniffing and analysis), but this one will focus on providing a high level overview of the risks and fears around moving to the ‘cloud’.

It is already clear that in many instances the elasticity (ability to scale up and down on demand), resilience and cost vs. hosting services internally can offer clear benefits to businesses.  So why then are many businesses reticent to move completely or even partially into the cloud?

Outside of any general resistance to change the main concern is with security and regulatory requirements.

When infrastructure and applications are hosted internally you intrinsically feel that your data, and that of your customers, is safer.  Outside of potential ‘insider’ threats, data on your servers in your server room is inside your companies perimeter, no matter how porous this may be, protected by your firewall(s), AV(Anti Virus), DLP (Data Leakage Protection) tools, trusted staff and company policies.  Even when the data leaves site it is likely on managed, and hopefully encrypted, tapes or via a managed, and hopefully encrypted, network link to a DR / BCP site.

Now when you move to using the cloud in some way your systems and data are hosted elsewhere, potentially moving across multiple physical servers or even datacentres outside of your control.  This movement along with the environment being shared by other companies (e.g. multiple businesses may have guests on the same physical host) are the primary drivers of fear around the security of systems in the cloud.  Using the cloud also obviously shares various concerns with other forms of hosting / co-location around third party access to data etc.

Hand in hand with security are regulatory / compliance concerns that also stem from the above features of using the cloud;

–          Who can audit the systems and overall cloud?

–          Does the data move across state boundaries (e.g. does it leave the UK or the EU?)

–          Who could potentially access the data?

–          What happens in a disaster recovery scenario?

–          How can you move to another provider? (Vendor lock in concerns)

–          How is the data deleted from the cloud (data retention / incomplete deletion concerns).

Various measures exist to mitigate the risks, these include –

–          Procedural; Ensuring due diligence is carried out prior to engaging the vendor and contracts are in place to ensure adherence to legal / regulatory requirements.

–          Security checks; Regular penetration tests and other security checks of the vendors systems and facilities should be carried out, and any issues identified remediated within agreed time frames

–          Encryption; ensure all sensitive data (ideally all data if possible) is encrypted in transit and at rest – this prevents prying and mitigates risk of data not being deleted

–          Authentication; ensure all systems in the cloud utilise strong authentication methods to prevent unauthorised access.

The ENISA (European Network and Information Security Agency) report titled ‘Cloud Computing Security Risk Assessment’ neatly sums up the benefits of cloud and the security concerns;

The key conclusion of this paper is that the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective.

K

Advertisements

Is the Cloud something new?

This will likely be the first post of several relating to ‘cloud’ computing / the cloud.  This is one of the buzz words of the moment with many vendors pushing a variety of cloud services.

Cloud is currently a very nebulous term that encompasses various services such as IAAS (Infrastructure As A Service), SAAS (Software As A Service), PAAS (Platform As A Service).  All of these have been available for some time.

The combination of readily available, resilient and fast connectivity to the internet, along with big players such as Amazon, Google and Microsoft offering various ‘cloud’ services have made it into a the current / next IT buzz of the last few years.

Make no mistake, the concept of outsourcing IT services and infrastructure is not new, but its use is definitely growing and the umbrella term cloud is both as it has caused much great discussion around the benefits and issues of using these services (as well as some confusion around exactly what cloud stands for!).

Cloud offers great benefits to businesses allowing access to flexible and resilient IT infrastructure at a lower cost than purchasing the infrastructure directly.  Larger enterprises can implement internal clouds to allow multiple parts of the enterprise the ability to leverage flexible infrastructure and application performance without their data leaving the control of the enterprise.

Businesses do not have to be ‘all in’ with the cloud, they can utilise a hybrid strategy with certain services such as test and development or specific applications outsourced to the cloud while critical applications and data remain in the control of the business itself.

For anyone reading who thinks they do not yet use cloud services, think about your web usage – do you use web mail of any sort? Online office tools such as Google Docs or Microsoft office online? Blogging applications such as WordPress or Blogger? – these are all cloud services, your data is stored in the cloud somewhere, you can access it from anywhere without ever actually knowing where the applications are running from or where the data is stored!

Upcoming posts will focus on areas such as;

–          Cloud security – where is your data? Who can access it? How is it stored? Is your access guaranteed? Are there regulatory issues?

–          Cloud benefits and issues – variable performance, ease of scaling, reliance on network access.

–          Types of offerings – public vs. private clouds, hybrid solutions, dedicated vs. multi tenancy.

K

Movie Star

Well this week saw my, and my car’s, first foray into the world of acting.  A great friend of mine, Andre Renner and his partner in Recoil Films Sean J Vincent, are making a trailer for their next movie – ‘Their Law’.  Check out the full details at http://www.theirlaw.com/ it’s going to be an awesome film.

What I discovered;

–          Filming is long winded and it takes a lot of time and effort to get just a few seconds of quality footage.

–          It was very cold waiting around between shots in a car park, and spending a couple of hours being shoved into a van and shot (repeatedly!) until about midnight in mid-January!

–          A lot of thought goes into shots / scenes to make sure everything from the layout and backgrounds to the lighting is spot on.

–          I had a great time, and am hoping to be involved in their future projects!

Overall, I had a great couple of evenings helping out, and met some great guys.

The only downside seems to have been that repeatedly locking and unlocking the car for a scene appears to have broken the central locking on the Exige, so it is currently stranded on the drive until I can get it fixed and unlock the doors!

When it is released please support this movie, it’s looking great and the guys are putting a lot of work into it.

K

Real security – Safety vs. Liberty

Reading Bruce Schneier’s Crypto-gram from December 2010, this echoes conversations I have had many times.  How much of the extra checks and surveillance we go though at airports etc. actually improves our safety, and how much is for appearance to make us feel like governments are taking action.

Read the article here:

http://www.schneier.com/crypto-gram-1012.html

These same sentiments can and should (must) be applied to IT security in the workplace as well.  To often it is easy to be swayed by the hype of the latest products and fear of risks that are in reality extremely unlikely to actually occur.  Rational security and a clear understanding of the actual risk should be the drivers for any security requirements.

In a given scenario the cost of implementing the security measure (technology and process costs) should not be greater than the likely hood of issue X occurring (e.g. once in 10 years) * the total cost if the issue occurs (lost business, reputational damage etc.).

This situation is not helped by the security industry itself, it must be remembered that they companies selling IT security products and services are in the business of selling these products and services!  In order to do this it is in their interests to hype the risks and generate a culture of fear.

Of course I am in no way suggesting that there are not a myriad of threats from viruses / worms / trojans etc. to organised crime, botnets and of course the insider threat.  But these should be assessed in a balanced and rational manner that seeks to understand the risk to the actual system and data that is being protected.

This brings me back around to my favourite topic (read soapbox); requirements and architecture / design.  I firmly believe that making the right design choices early on in a systems life-cycle will minimise any security risks and also minimise the challenges associated with securing a system further down the line.  This is one of the main reasons moved into working in Architecture from working in the purely IT security field, as so many of the issues we solve in security every day can be resolved / designed out with the proper consideration at the design face of implementing a system / solution.

K