| Cloud Computing – How secure is it?
IT risk isn’t easily transferred between parties, and assessing the risk associated with handing your data to a third party is crucial. It also pays to note that liability can’t be outsourced, regardless of the contract you’ve made with the cloud provider. That is, if the provider loses your customers’ data, it will be your name in the headlines. ‘Customers will surely start to wonder if they can’t trust these firms [viz Epsilon] with their email addresses,’ says Dave Frankland, principal analyst at Forrester Research, ‘[and if it’s] really that smart to trust them with their credit card data, or with their mortgage.’
There are applications and types of data which organisations are quite happy to put in the cloud, for example, with Salesforce.com or Gmail. Yet Gmail was hacked in June 2011 and, earlier, the Gmail accounts of US security firm HBGary Federal were hacked, resulting in complete and embarrassing exposure. It follows that the question isn’t a black-and-white ‘Cloud Computing or not?’ but rather: ‘how much Cloud Computing, for which applications and in what situations?’
WHAT ARE THE RISKS?
To consider this carefully, we need to turn the cloud over and examine risk and liability. ‘On average, our research shows that cloud providers are less secure than on-premises IT infrastructure,’ Larry Ponemon said about the results of a recent survey by his institute, ‘and the reason [is] that they don’t see security as their mission.’ He added: ‘CIOs and CISOs are starting to see this as a potential enormous risk ... because the environment is out of their control and they have to rely on the assurances of the cloud providers.’
The risks are compounded by the multi-tenancy, shared resource arrangements that are common with cloud providers. That means you’re sharing infrastructure with other cloud services customers, possibly even your competitors. What happens, for instance, when mechanisms that separate storage, memory, processing and routing between fellow co-tenants fail? How can you ensure IT compliance management in this environment? Here are some key issues for potential Cloud Computing customers to consider:
• Multi-Tenancy: in large virtualised environments, the co-existence of sensitive information belonging to multiple discrete tenants is potentially hazardous;
• Open door: the customer management interfaces of many cloud providers are internet-based, posing an increased risk to data security;
• Data protection: there is limited control over how your cloud provider handles your data, which is complicated further by transfer of data between multiple clouds. You should look for cloud providers with high governance standards who offer compliance reports of their data processing, security activities and data controls;
• Force Multiplier: by amassing data from multiple tenants in one place, cloud environments carry greater risk for wider collateral damage, as we saw with Epsilon;
• Virtual Storage: the dynamic nature of cloud computing makes it difficult to know where information actually resides. This lack of transparency can be a serious problem when data needs to be retrieved in the event of disaster or breach of contract;
• Compliance across different geographic regions: this is a big issue for organisations with global distribution; you need to ensure that the cloud provider understands and can fulfill its responsibilities across a range of jurisdictions, with certainty;
• Loss of governance: when you pass your data to cloud providers, you lose some control over its security. The cloud provider must therefore apply the same level of governance and security control as you would, and not leave exploitable gaps;
• Compliance risks: your certification for industry standards and regulations such as PCI DSS or ISO 27001 may be at risk if the cloud provider is not certified for these. |