The hard sell around cloud computing is in full swing, but many potential customers are finding it hard to evaluate the security profiles of potential providers and should take a broader view of their objectives and standards, an expert in the auditing of IT security infrastructures has warned.
"We make the assumption, often incorrectly, that things are being done correctly," says Brahman Thiyagalingham, manager of ICT risk and assurance with standards compliance firm SAI Global. "But the term 'cloud' means a lot of different things to different people. As an audit body, we've found there's a communications break between suppliers who struggle to sell their cloud services, and their customers. Customers are scared to put their stuff into the cloud, and don't know the sorts of questions they should be asking."
Brahman was recently joined by Alastair MacGibbon – a former AFP agent who's now director for the Centre for Internet Safety at the University of Canberra and managing partner of consultancy the Surete Group – to reach out to Melbourne customers keen to tap into the cloud to improve service reliability and security.
Their advice to customers was to become familiar with global process standards such as ISO 27001 (the Information Security Management System, or ISMS, standard) and ISO 20000, for IT service management. These and similar guidelines are not only prescriptive but auditable – helping customers evaluate the capabilities of potential cloud providers based on well-understood metrics.
Yet even with these standards in hand, many businesses are still asking the wrong questions when it comes to the security of their data in the cloud. It's important, MacGibbon warns, to get clear answers to questions such as: where will my data be kept? Who has access to my data? In what countries will my data sit? Is it encrypted? What type of backups does the provider keep? Is it in more than one location? How well-trained are the provider's staff?
Even obvious things – like at what point the cloud provider will contact the customer, if at all, in the event of a problem – need to be clarified as providers may have a threshold for notification that doesn't necessarily gel with the governance requirements of the customer and the industry in which it operates.
"There's a general assumption that a service will be provided to a certain standard online because we've lived so long offline that we have developed certain expectations," says MacGibbon. "But many large businesses still don't know what questions to ask. They put their data into other people's hands and assume they're doing the right thing, and they assume that they're as well off in the cloud as with data resting in server racks within the business. However, I don't know if that's a fair assumption to make."
Another potentially problematic assumption is one that Thiyagalingham said he has uncovered in many organisations he audits: the failure to revisit plans as technologies and working patterns change. One company, for example, had developed a comprehensive security policy six years ago but neglected to revise it to consider the new security posture of mobile devices.
The need for strong cloud security is greater not only because of the different structure of the model, but because "the threat environment has changed extremely dramatically in a very short period," MacGibbon continued, citing the rise in criminal data-farming operations since the early part of the last decade. In June, for example, Kaspersky Lab researchers identified a new TDSS 'super-malware' rootkit that was working to build a 4.5 million-strong botnet.
Since wholesale theft of customer information stored in the cloud could be devastating for any company – just look at the fiasco in which First State Super has found itself – MacGibbon recommends customers take "almost a product liability or product-safety standards approach" to cloud security and, similarly, be prepared to vote with their feet if they feel their current cloud provider simply isn't living up to expectations. While most cloud providers are well-meaning when it comes to security, the proof is ultimately in the pudding.
"If they were buying a car," he explains, "they'd have a reasonable expectation that the bits of the vehicle are going to perform in certain ways based on standards and engineering. But I don't think these standards have been applied consistently online, and while you'd like to see end users voting with their feet, many don't really know when to vote and what over. They won't know about whether there's a disaster recovery plan until their data is breached, and then it's gone."