Is Cloud Computing Really Risk Transference?

The current buzz in the technology industry is all about this idea of Cloud Computing. It goes by many many names but we’ll just stick with this one to eliminate confusion. Sure, it’s a great idea and vendors are talking about “moving your data to the cloud” where someone else can manage your data, provide better uptimes, manage the patching process, etc. Unfortunately, as a security guy, I tend to look at the idea of cloud computing from a risk perspective…and it just isn’t fluffy cumulus clouds that I see…it’s more like the picture you see here.

From the security perspective, it appears to be nothing more than a matter of risk transference, very similar to what any good insurance policy will do for you. Companies are trying to be quick to market with their Cloud Computing Security Strategies, but I’ve yet to hear anyone truly identify the risk that this will solve. At the end of the day, it comes down to two simple questions that either your CSO or Legal Department will most assuredly ask:

Who ends up being liable for the data that’s stored in the cloud when it’s breached?

Who’s name and signature is going to be at the end of the Breach Notification letter you’ll send to your customers?

I’ve been doing a lot of research on the topic of “cloud computing security” the last few weeks, as I prep for my session at TechEd North America 2009 entitled “Securing the Cloud”. I have to tell you, I don’t see a lot of companies agreeing to become liable if your data gets breached on their network. I’m not sure how this really differs from putting your money in a bank, rather than in your mattress. The bank (through the powers of the FDIC) ensure my money up to a certain amount. Will my cloud vendor do the same?

Of course, with all new things, old problems still exist.  How is that 3rd party auditors going to successfully conduct an external audit of your data, when the data and controls aren’t even on the premises? “Well, Mr... Sarbanes-Oxley Audit Master, I’d love to show the controls that we have in place to remain compliant with 404, but the data isn’t actually here. Perhaps you can contact our cloud provider to find out the controls they’re using to keep my customer data secure.” That probably isn’t go to go over to well. Remember, you can delegate authority, but not responsibility.

I just want to be sure that we are all really giving this a lot of thought before we start dumping our data up to some unknown entity in the clouds. There are plenty of positive things that cloud computing provides, but at what cost? I’ll take the extra time to patch my enterprise’s servers if it means keeping my data close.

As someone who travels extensively talking to security professionals, I learned long ago that I don’t have all the answers….and this is no exception. Let’s start a dialogue through the comments. What risks do you see with regard to moving to a cloud computing infrastructure and is your business headed that way?  

Also, before I forget….I’ve found a really great cloud computing security blog called https://cloudsecurity.org. Two thumbs up! Check it out.

Comments

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Hi Kai, Great article. Check my observations at: http://blogs.windowsecurity.com/shinder/2009/04/10/is-cloud-computing-really-risk-transference/ Thanks! Tom

• Anonymous
  February 20, 2009
  The comment has been removed

• Anonymous
  March 17, 2009
  Internal or external hosting and how security control objectives are maintained is a very interesting topic. Technical controls alone are not adequate when dealing with outsourced arrangements. I'd suggest that as outsourcing data hosting becomes more widespread, attention to oustourced 3rd party Contracts is needed.  Focus should cover specific security requirements, such as right to audit, compliance with your company security policies (or at minimum a gap analysis or theirs and yours to manage risks accordingly) and also getting that downstream liability clause agreed :) I'd expect that some organisations will be attracted towards the financial benefit of cloud computing without understanding or factoring in the security exposure and implecations it presents. It is these types of organisations where visibility is needed.

• Anonymous
  May 27, 2009
  I don't know why the technical media is blowing this up like it's some new great thing.  Cloud computing has been around for at least the last 10 years if not longer.   Conceptually shared web hosting platforms and file repository/sharing networks were some of the first clouds to surface on the Internet.  While, yes, these services are often used by the degenerates and vagabonds of the computing world, the concept in itself could be invaluable to smaller businesses without the financial or technical means to maintain their own datacenter.   The only thing that's really emerged from the idea of cloud computing is that companies like IBM and Google have essentially taken a less than reputable concept (and, yes, shared hosting is often a less than reputable means of web hosting when dealing with some of these providers), cleaned it up, sprinkled some glitter on it, and marketted the heck out of it until it shined. But moving to the point of the discussion, I'd like to address Robert's take on the risk management factors of cloud computing versus in-house solutions.  I would have to say that no company should ever maintain confidential (operational, financial, personal, and personnel) data on a cloud.  To do so would be a liability that could and eventually will ruin you.  Robert, I'm going to have to disagree with you about "Closer is not necessarily safer or more responsible."  Closer, with offsite backups, is probably the most responsible thing any organization could do with confidential data.  While, yes, there may be more security experts working in a datacenter, but nobody knows your data like you do.  And more times that you would think, you know a better way of securing your data than the acclaimed "IT Professionals".  As well, you lose the ability to define your security standards. In my experience at my datacenter, data is most often compromised when people have extremely poor security standards or none at all.  I would say to put more faith in your own security standards than some phone jockey at Google making $10/hr.  You have no idea (outside of all the marketing and propaganda) what that datacenter's security is like, and they're not about to give you a technical breakdown. Cloud computing is a great idea, though.  I would recommend usage to just about any entreprenuers, small businesses, or educational institutions but never at the expense of their confidential data.  If you can not afford to maintain your confidential data in-house, your probably should rethink your business model.