by Pete O’Dell, CEO/Founder, Swan Island Networks
Cloud computing is an increasingly important IT option for organizations of all sizes. There are many different ways of sizing, configuring and implementing cloud-based solutions, and new security methods are continually evolving. Like every legitimate IT option, there are trade-offs and risks associated with the deployment and continued use of a cloud architecture:
- Cloud provider malicious insider: A malicious insider attack on a single company is terrible, but one that impacts many companies is exponentially worse. Make sure the provider is doing continual background checks on its personnel, and ensure the provider has liability provisions in place.
- Attack on the cloud provider: You might be the indirect recipient of an attack if someone decides that the cloud provider is their target. You could end up as collateral damage, and have a reduced capability or full outage.
- Neighborhood break-in: The public cloud infrastructure is built on the concept of shared resources, which implies that many other customers will operate inside the same environment. The risk would be the equivalent of a burglar who lives inside a secured, gated community. There are already strong walls between customer instances, but you should understand the differences between the different cloud models, and understand who else is in your cloud instance.
- Lock-in: Ensure that you do not become dependent on special cloud features that limit your ability to change vendors if the need arises. You want flexibility and the ability to change managed providers, not a deadly embrace situation.
- Rogue implementation: Cloud implementations that exist today might be unsanctioned by your IT and security groups. All it takes in most cases to engage a cloud solution is a contract signature and a purchase order or credit card. Internal groups may want to operate independently of the rigorous (or ponderous) procedures in IT, and this type of action can put your overall organization at risk.
- Misconfiguration: Using the best cloud solution in the world doesn’t make you immune from configuration errors that leave security door(s) open. You should still have penetration testing done and ensure that you are minimizing vulnerabilities. Engage multiple parties to check your work across the entire instance.
- Attack from the mainland: Your cloud implementation will likely be attached to your current legacy systems. If intruders are already resident in your network, it may be an easy commute to your cloud instantiation unless you’ve separated duties, established alternate accounts and widely separated all access (including privileged IT).
- Carry forward risks: Most of your current risks move with you to the cloud. If you have an organizational insider intent on doing harm, they stay engaged in both areas. If you aren’t applying good cyber hygiene and a culture of cyber awareness, malware and breached passwords will continue to be a problem.
Before you make a determination, it is important to understand the risk/reward balance on this course of action. The noted risks are offset by some of the unique values that cloud providers bring to the table:
- Security as a core competency: Cloud providers spend a lot of time and money on security for their facilities, both physical and electronic. They hire very good teams of people, and due to the increased number of installations, there are typically more of them.
- New generation equipment/software: Most cloud providers do not provide 100% coverage for all the legacy platforms. Hardware and software are usually newer, well maintained, and patched quickly. This reduced complexity eliminates many vulnerabilities that come with old, difficult-to-maintain, far-flung systems. A company I worked with had an open, unprotected network connection that had remained live even when a 14-year-old piece of equipment was de-commissioned.
- Economies: For most cloud deployments I’ve been involved in, the costs have continued to decrease from the cloud providers. This is a highly competitive crowd, and the market is still developing. You might want to consider diverting some savings to an enhanced cyber insurance position.
- Speed: In today’s environment, speed of deployment of new capabilities is important to every business. The cloud can help accelerate the schedule in many cases.
- Enforcement: The cloud provider staff can help you enforce rules and policy that are set instead of allowing for some creative bypassing of standard procedures. They aren’t subject to the political pull that can sway internal actions.
- Built-in redundancy: Your cloud providers have multiple centers, so you will very likely be able to move your implementation to another place in the event of a localized emergency. With the concern over attacks on critical infrastructure, this could become important.
- Defined services and service levels: Cloud providers have extensive agreements and in most cases provide significant clarity on process, procedure, and how shortfalls are addressed. Negotiated service level agreements are also part of most cloud deployments.
- Deep pockets: This advantage of the cloud providers is for the lawyers more than the immediate customers, but all of the providers have substantial insurance coverage, and many of them (Microsoft, IBM) have substantial cash reserves. If there is a major shortfall or breach, this kind of recourse is another mitigation factor.
A look to the future: The cloud is here to stay, and only starting to have what will be a sweeping impact on all future information technology architecture. The idea of many more individual, hand-built data centers inside organizations large and small is worrisome to me from a security standpoint. Electricity started out as a local resource as well; mill wheels drove generators, and long belts delivered power from central sources until reliable remote generation and transmission systems moved us into the utility-based world we live in today. I remember a major conference back in 1996 where the Network PC was unveiled by Oracle’s Larry Ellison; he was several decades ahead of the wave, but the wave of utility computing is still building.
I’m confident that the risks of cloud implementation will continue to be mitigated, and central monitoring, defenses and response capabilities strengthened. There will certainly be notable disasters, and your organization should be diligent in selecting and monitoring any vendor chosen, and always hire and validate the best employees and partners available.