
The Cloud is full of feature-rich applications which enable us to do more than we could ever dream of doing before. It is widely accepted that the Cloud enables companies to operate more efficiently and reduce their CapEx. It is equally accepted that SaaS, IaaS and PaaS make it easier for operations to be scaled to virtually limitless sizes, with little direct human involvement to slow down the rate of work.
What makes this all so scary is how the Cloud enables growth with or without a strong, robust security aspect. Individual consumers access the Cloud all the time. With Google’s range of SaaS solutions, there is far more transparent conversion going on than people even realize. For corporations and large enterprises, the Cloud proves to be a way to centrally consolidate data and resources, so that there is more productivity, less replication of tasks or intellectual property, and thin clients that simply have to do what they are required to do once connected to the database or information residing up there. Not all applications need to be installed on machines, because all of that can now be pulled from the virtual location.
Wikipedia describes Cloud computing through the perspective of its customers.
“Customers that Cloud Compute do not generally own the physical infrastructure serving as host to the software platform in question. Instead, they avoid capital expenditure by renting usage from a third-party provider. They consume resources as a service and pay only for resources that they use. Many cloud-computing offerings employ the utility computing model, which is analogous to how traditional utility services such as electricity are consumed, while others bill on a subscription basis. Sharing ‘perishable and intangible’ computing power among multiple tenants can improve utilization rates, as servers are not unnecessarily left idle, helping to reduce costs significantly while increasing the speed of application development. A side effect of this approach is that overall computer usage rises dramatically, as customers do not have to engineer for peak load limits. Additionally, ‘increased high-speed bandwidth’ makes it possible to receive the same response times from centralized infrastructure at other sites.”
But with all this fast-paced convenience, companies are now also realizing the threats and risks they are opening themselves to. Even if your business operates in Pakistan, here are some aspects of Cloud security you should be aware of.
Tariq Mahmood, Lead IT Auditor at Kuwait Petroleum Corporation, says, “To me the difference is this – accessing information from within the Cloud exposes your applications to the number of employees who are connected across the intranet in the case of a traditional closed setup. Once you expose it to the Cloud, you are potentially exposing yourself to the entire world. I think there is greater risk to the company in this situation.”
But it would seem that the cost-benefit analysis which many smaller companies may do will yield a result that makes it effective to reach into the Cloud. Isn’t that what the news reports? A financial crunch causes companies to cut back on all kinds of resources and keep the bottom line as far above water as possible. For a lot of companies, especially start-ups in Pakistan, there simply aren’t enough resources to establish a traditional, offline framework. Prasad Takkar, QA Lead with experience on FAN and Network Security, says, “I believe Managed Services is the way to go for your scenario. There are many security vendors such as McAfee who are into the Managed Services Domain. In short, this means that you don’t have to invest in infrastructure to hold security solutions. Instead, companies like McAfee provide Managed Services wherein they protect your organization for processes such as Emails, for example, via their Managed Data Centre. Your data is routed through them and you are ensured a risk-free organization.” Is there really such a thing as risk-free?
Tariq Mahmood suggests referring to the ISO 27001 International Information Systems Security Standard as a starting point, and then consulting security professionals in networks, databases, operating systems, application systems and help desks to assess what gaps need to be plugged.
According to Nitin Kumar, Business Leader, Strategist & Management Consultant, there are several risks with respect to the Cloud, right from cross-border issues, multi-tenancy issues, accountability, liability, privacy, data protection and continuity, and all of these need to be addressed from the standpoint of the service provider as well as the organization choosing to migrate into the Cloud. “One of the key issues is the lack of standards (as yet) to help nail down all of the above, which although they look simple are not easy to resolve while keeping costs low as well as quality of service within acceptable levels. There are several criteria one might apply to pick from when they are trying to move applications to the Cloud – these include cost savings, risk tolerance, maturity of the provider, maturity of the business process, core versus non-core process amongst others. There are a plethora of security issues with respect to the cloud which can be resolved by clever selection criteria of what to move to the cloud and some adept architecture, and this will vary from industry to industry and also depend on a number of factors for any given organization.
While one can so easily do away with licensing, bandwidth, personnel and other costs if they implement a Cloud solution properly, it comes with a truckload of risks if not approached well.”
Peter Gregory, Security Consultant, Risk Manager and Strategist, takes a step back to explain the foundation. “Any organization considering cloud computing needs to establish security requirements – this is no different than an organization considering using a SaaS or ASP provider, or developing an in-house solution. Security requirements must be developed first, and any cloud (or SaaS, ASP, or in-house) solution evaluated to match those requirements. If the Cloud service provider meets your requirements, the risk should be no different than what you are currently vulnerable to.”
Rob Shein, an InfoWar Architect, explains, “There are different degrees of what is considered ‘Cloud’, ranging from on-demand provisioning of dedicated, in-house resources to entirely off-premises, highly distributed solutions. An example of this would be the RACE (Rapid Access Computing Environment) offering that EDS, an HP company, provides to DISA (Defense Information Systems Agency). Usually, even the provider of Cloud services can’t give you complete assurance which of your systems are processing or holding your data. An example of this would be something like Google Apps. So, if you imagine a set of quadrants, with the two categories ‘dedicated’ and ‘dispersed’ on one axis, as well as ‘on premises’ and ‘off premises’ on the other, you can demonstrate the two main factors that play into how ‘cloudy’ something is.”
Rob continues to explain that once you have that in mind, the more ‘cloudy’ (off-premises is more ‘cloudy’ than on premises, dispersed is more ‘cloudy’ than dedicated) an implementation is, the more trust shifts from the organization purchasing the service or leveraging cloud computing to the company providing those services. “The risks involve a company going bankrupt and not giving back the information they’ve been keeping, that company not having sufficient security controls, insufficient backups, a security model that doesn’t fit the requirements of a customer, and so on. All of these events,” he says with a huge smile, “have already taken place in the real world. It’s basically the same set of problems as the mainframe hosting services business all over again…only this time, the level of maturity for things like security isn’t quite where it needs to be to match the threat. In the early days of mainframe computing, security was nothing nearly as mature as it is now…but the threat was practically nonexistent, and the nature of the threat was far less malicious. So there are some significant challenges to cloud computing security which only exist or are amplified by the context of the world today.”
But not everything is that dark. Rob is good enough to share the flip side. “Cloud computing can give the ability to lower risk in many ways. Processes such as COOP and DR become a lot simpler if an outside Cloud computing provider is leveraged, and the more ‘cloudy’ the service is, the more robust the service in terms of things like surviving natural disasters. There’s redundancy, protection against scaling risk, protection against financial risk from having to build infrastructure before it can be used to provide ROI, and so on. And while some of these aren’t traditionally considered ‘security risk’, they are nonetheless very real forms of risk, and need to be considered also.”
For companies in Pakistan that are not yet comfortable replicating their primary tasks into the Cloud, the DR aspect alone certainly sounds like a prospect.
Javed Ikbal, Chief Security Officer at zSquad, offers some help. “The Cloud is just a new-fangled word for an old model. Companies have been outsourcing data processing since the beginning of computing. Just like earlier, you are giving up control over your data, and the only protection you have is in the contract language and service level agreements. So you really need to do a risk analysis. If your data is critical and must not be accessed by outsiders, then outsourcing it to a cloud or any other model is not a good idea. But if the value of the data is low, by all means outsource.” And outsourcing is certainly the way to go; the problem with outsourcing arises, however, when you don’t have adequate compliance with privacy or data legislation.
Daniel E. Turissini, CEO at ORC, Inc, offers, “Regardless of the operations, in-house or outsourced, strong mutual authentication is necessary to protect an organization’s resources. We have to stop hoping that changing names and complicating computing, networking or storage solutions will provide adequate security. Strong digital accountability must be globally adopted.” Accountability and transparency.
Jeroen Smeulders, senior sales engineer at Salesforce.com, says, “Tariq already mentioned it earlier, however ISO27001 is only one aspect. SysTrust audits are another one. Another aspect is to be more intuitive: realize that any self-respecting organization that offers Cloud computing services should be more than willing to help companies better understand the concept, considering their entire business model depends on it! If their services are not secure, then why offer them in the first place? Not secure means they will be going out of business!”
The Vendor Selection and Questions to Consider
Faraz Hoodbhoy, Founder & CEO, PixSense Inc., says, “The simple answer to the question of whether there is increased risk in the Cloud is ‘no’ – I think there is neither greater risk, nor is it a lesser risk. It’s the same as before: it’s your responsibility to find the right vendor, whether internal or external, to run your infrastructure. Pick a reliable vendor that you’re sure you can afford, since they are quite expensive. One other advantage of cloud computing is financial; it’s an OpEx line item versus a CapEx line item. If you’re profitable and seeking to reduce tax liability, it may present certain taxation advantages.”
Rick Lawhorn, Chief Information Security Officer, author and advisor, takes it a step further. “Simply put: Security in the Cloud is only as good as the contract you have with the provider. You need to control every aspect of security that is important to you and the regulators in contractual terms, up to and including incident response and communication. Ownership of the data and use of your data is an important note to remember as well. Last but not least is ensuring that the contractual terms with regard to security are being met. Today it is a must to demonstrate that the test of design and effectiveness is being audited on a routine schedule.”
Muhammad Imran, Manager IT / ERP at Pakistan International Airlines, says, “A secure network is one of the most important issues at hand. If someone is thinking about running any mission critical application in the Cloud, security should be a large part of primary research. Before enterprises jump into the Cloud, they might want to ask themselves, and their potential providers, a few key questions regarding Cloud and risk.” Imran shares some of these questions:
How much visibility do I have? How can I manage my risks? What risks do your other tenants pose to me, or to you? Are the tools and techniques available for managing risk mature enough? Is my data safe? How will turning to Cloud impact the current approach to management?
Eric J. Weibel, President at Alta Financial & Insurance Services, adds to the list of questions. “Are all of the people involved in the agreement willing to provide contractual guarantees? Are they willing, and do they have the resources, to indemnify you if something goes wrong – and remember, if something goes wrong for you it probably will also go wrong for other clients – so there will be a lot of people seeking indemnification.
What sort of tech E&O or Cyber liability policy does each participant carry, or is required to carry? If you go to a Cloud model, will you be able to purchase a Cyber risk insurance policy, and what will happen to the price and the coverage terms?” None of this will prevent you from having to check out the security yourself, he says. “But it is a good first step. If the people you want to do the deal with aren’t willing to indemnify, and insurance companies aren’t willing to insure, then you may have your answer without having to do the legwork!”
Saba Jamaluddin, CEO of Cloud3Solutions, says, “Most of the cloud computing companies offer services on servers and in data centers that are more secure than traditional server/client setups. The data at rest is usually encrypted using 128-bit encryption, and since the data is in the Cloud, the DR aspect is already taken care of. The major Cloud computing server providers house their services in data centers around the world that give them 99.9% uptime and also redundancy and robustness, so I think moving data to the client is more secure than traditional in-house storage. As for the criteria to consider, you should be working with reputable firms like the Googles of this world so you know you are ‘secure’!”
Stuart King, Audit Manager at Information Security at Reed Elsevier, says, “You’ve got to consider the ‘cloud’ service as you would any other and assess risk accordingly using the same criteria. The significant difference, of course, is that you don’t have control; but conversely, the security controls being provided by the service provider may well be better than what you’d be able to provide. If you can’t physically get to visit the service provider and see for yourself, then look for evidence such as external audit reports and certifications. Remember that past performance is no guarantee that they won’t have problems in the future – and if you have an unreliable Internet connection then it doesn’t matter how good the service provider is, because when your link goes down they may as well not exist. So, make sure you have plenty of your own contingency.”
One Response to Security in the Cloud
Very useful article! Would be nice to know how many companies in Pakistan are actually utilizing cloud computing related services …