7 deadly sins of cloud computing
- — 02 January, 2013 14:56
Automation, cost savings, and data redundancy--no wonder cloud adoption is tempting. The CISO can rest easy knowing there is no vice in moving to the cloud to reap these rewards. What may keep her up at night is not knowing how many missteps the enterprise is making in the process.
Here CISOs and security buffs round up seven security sins that can undermine cloud computing's benefits.
Failing to check IDs at the door
The only secure way to log in to the cloud is through enterprise identity management systems. Though many cloud services permit just about anyone in the organization to sign themselves up, create their own IDs and passwords without registering these with the enterprise, and then connect these credentials to personal email addresses, that does not mean that IT or the business should let it happen.
"While it is easy to start out this way, failing to integrate with enterprise IMS will leave the organization open to leaks, policy violations, and ultimately the inability to secure the cloud," says John Thielens, Chief Security Office of Axway.
[Also read 5 (more) key cloud security issues]
In a similar way, some companies that are deploying IaaS do so rather quickly--using self-service capabilities--to address complaints that their IT departments are slow and unresponsive. But this approach bypasses governance, allowing unguarded access to cloud servers.
"People connect to data they should never see, such as legacy project data on VMs that were never shut down," explains Stanton Jones, Emerging Technology Analyst and Cloud Expert at Information Services Group.
And what if it is a customer-facing cloud service? What is the access model? "How will you integrate it to allow user sign on that is similar to, say, the single sign on model you have internally," asks Julie Talbot-Hubbard, Chief Information Security Officer for The Ohio State University.
Letting demands for (secure) APIs fall on deaf ears.
When a company moves to the cloud, users will require APIs (application programming interfaces) so they can uniquely leverage the company's services. The cloud brings internal services and capabilities closer to the customers who will want to access them. API-based integration enables that.
Mobile developers use APIs to build valuable ecosystems on top of companies' internal pieces and business information. "If the developers monetize that, those revenues can cut into your value chain and you should have a share of the proceeds via a developer portal for APIs," explains Thielens.
Having said that, API keys--which developers use to access the API services --have been compared to passwords. Know what happens if you lose your passwords? CISOs using cloud service APIs need a solid security plan for protecting API keys.
Not keeping sufficient independence from cloud providers.
As cloud services evolve and new vendors and approaches pop up, the cloud's old guard such as Amazon and Facebook are turning best practices into standards and products available on a smaller scale, according to Thielens.
"This is revolutionizing approaches to the cloud all the way to on-premise infrastructure," says Thielens.
With everything still changing and evolving, the best cloud approach today may not be the best choice down the road. "Applications can even reach the point where it is economically more sound to move them back out of the cloud and into the enterprise again," says Thielens. New standards efforts such as TOSCA and CAMP (both from OASIS, the Organization for the Advancement of Structured Information Standards) are offering tools so that companies can move to cloud like architectures without inescapably locking themselves in with a given cloud provider.
Companies should use these tools to maintain their independence just enough so they can switch to new cloud approaches as these become better suited to the organization's needs. On the operational risk management front, business resiliency is also better if you have flexibility to move quickly to another vendor (see next point).
Thinking you are outsourcing risk and accountability.
The company can outsource some of its infrastructure to the cloud, but it cannot completely outsource its risk, accountability and compliance obligations. Enterprises require a certain amount of transparency into the cloud provider so they can own the risk models and mitigate enterprise strategies.
These needs suggest the cloud provider that may or may not be suitable for the company since some are more accessible for assessing and managing risk. "You don't want to sign off on the cloud provider taking on all of the risk," says Thielens. The cloud provider certainly cannot own or care about your risks like you can.
In an example from last spring, those who had all their services in the cloud in a single Amazon E2C Availability Zone had severe downtime issues. Those who shouldered some of the risk by proactively splitting their data across multiple availability zones were able to recover more quickly.
Signing up cloud solutions without IT and security involvement.
It is easy to sign up and get into the cloud with various providers and applications large and small without any technical knowledge. Dropbox, SharePoint, a little extra computing oomph from Amazon--your organization may already be using cloud-based services without IT's knowledge or involvement. It is as easy as entering a credit card number!
"The thinking is that they can bypass the long queue of IT projects and requirements and become productive," says Jerry Irvine, Chief Information Officer, Prescient Solutions and member of the National Cyber Security Task Force.
Unfortunately, this approach brings many new security, performance, and fault tolerance issues. By implementing corporate solutions with no IT involvement, users potentially create conflicts with existing systems, configurations, and applications. Unqualified personnel have little understanding of the regulatory and compliance requirements that they may be defeating.
"While these cloud applications may offer quick resolution to specific feature needs, the risks and vulnerabilities they introduce can lead to significant costs in damages, systems failures, breaches and fines for noncompliance," explains Irvine.
For these very reasons, all cloud adoption needs to be subject to risk assessments, contract review, compliance checks, and internal policy checks.
"Many organizations are finding that they have pockets of cloud services appearing throughout the organization despite not having a corporate policy on the adoption of cloud computing within the enterprise," says Steve Durbin, Global Executive Vice President, Information Security Forum.
When no one from IT, procurement or legal is involved in moving to the cloud, the organization can lose all of its governance of related data, applications, services, and infrastructure, says Talbot-Hubbard.
Overestimating cloud security
In the rush to adopt cloud services and realize the potential savings they may give, notes Durbin, companies are concentrating on the functionality of the cloud services and failing to ask questions about the way cloud providers deliver security across their services or how that security can be checked.
This happens when companies assume that because cloud service providers service multiple companies, they have a larger security department and stronger policies, processes, and procedures.
"That is often not the case," says Irvine.
Often cloud service providers will attend to the basic levels of security in-house and depend on automated security applications and platforms to fulfill the bulk of their security practices.
Other cloud providers may outsource higher levels of security that are outside their core expertise to third party providers. But the security services of these third party providers may not be included in the contractual requirements and SLAs that the cloud provider shares with the customer.
"You have to require the service provider to maintain specific security functions, document security tasks, and provide copies of all security policies and practices as well as security reports," says Irvine.
Failing to understand the costs.
When cloud providers put their wares on display, they often showcase basic offerings for the sake of cost comparisons by potential customers.
"Unfortunately, after engaging a service provider, companies frequently determine that additional services, software licenses and even hardware licenses are required to perform all the IT tasks to which the business has grown accustomed," says Irvine. Security costs and those related to compliance (and, significantly, the documentation of that compliance) can similarly rise.
Companies underestimate cloud costs even further due to an unrealistic expectation as to the number of internal IT resources that they will need after pushing applications to the cloud.
"Depending on the type of cloud service being offered (SaaS, IaaS, PaaS), the number of resources required internally may not change at all. In fact, many of our clients who engage in cloud computing have no decrease in the internal IT department at all," says Irvine.
In any case, the likelihood that a company will outsource 100% of its applications and systems into the cloud is minimal. Even businesses that push many of their systems to a cloud solution still have requirements for internal infrastructure and workstation engineers. "As a result, IT department costs are only minimally affected," says Irvine.
Read more about cloud security in CSOonline's Cloud Security section.