Thursday, January 21, 2010

The Darker Side of Cloud Computing

We've been hearing about "computing in the cloud" for some time now. Sounds fluffy... peaceful... idyllic... effortless. Wake up, people! Cloud computing is just another term for outside your control.

Cloud computing is a marketing buzzword that's thrown around an awful lot today. A vague (but useful) definition is that cloud computing refers to data, processing, or experiences that "live" out there somewhere in the cloud we call the Internet. Everyone's got something going on in the cloud these days: colocating or hosting Web or e-mail servers, social networking, software as a service (SaaS), even infrastructure as a service (for example, off-site online storage). Cloud computing is becoming very popular, primarily as a money-saving technique: cloud services don't require expensive in-house hardware, software, and staff. In addition, cloud services are usually available for a small monthly fee rather than a huge up-front expense, which makes them even more attractive from a budgeting standpoint. Like many things that seem to have only an upside, cloud computing makes me nervous.

The cloud is burgeoning. Businesses are using Salesforce.com for CRM; Zoho, Microsoft Office Live, and Google Apps for office productivity; Intuit QuickBase or a hosted Microsoft SQL Server for databases—and the list goes on. More features, less expense, and fewer IT resources? It almost sounds too good to be true. And it may be. Much the way in the early eighties we asked "Where's the beef?" we should now be asking "Where's the security?"

To secure data, you need to understand something I like to call the data life cycle: how data is collected, entered, processed, transmitted, stored, reported, and exported. Each of these stages may contain multiple vulnerabilities, some ubiquitous and some particular to your environment. To assess the security of corporate data, you have to understand the risks that apply to each stage of the data life cycle. Once you understand how security risks, business processes, and the data life cycle fit together, you can take proactive steps to prevent data from being compromised.

By now you are probably beginning to see the downside to cloud computing: it's difficult enough to protect data that never leaves your control in the course of ordinary business, but in the cloud you've relinquished that control. Depending on your contract, you may not even own your cloud-resident data! Worse, there are clouds within the cloud: your provider may subcontract data storage to another provider, and that provider may in turn subcontract the management of that storage. Your provider may not even be able to tell you where your data is, or which country it is in, let alone whether the data-security and breach-disclosure laws that apply to you also apply in that twice-removed jurisdiction.

Gartner published a great report in early June that is the industry's first attempt to identify the security risks of cloud computing. In it, Gartner urges something that we at PC Magazine have been advocating for decades: full disclosure (aka "transparency") with regard to security practices and procedures. The reasoning is simple: If your provider can't tell you exactly what it does to protect your data at each stage of the data life cycle, then how good a job do you think that provider is doing?

What other recommendations spring from Gartner's findings?

  • Apply internal risk assessment and controls to all externally sourced (cloud) services.
  • Assess all legal, regulatory, and audit issues associated with location independence and service subcontracting.
  • Demand transparency. Anything less is a deal breaker! Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.

Yes, cloud computing is a set of powerful technology solutions that are here to stay. It provides cost savings that may temporarily blind you to the risks. But don't dive in simply to save money and time. Evaluate each service's security the same way you would evaluate off-the-shelf hardware and software. Ask tough questions about data security. If your provider refuses to answer, or its answer doesn't adhere to your current security policy, look elsewhere. I've sat through countless vendor meetings and I guarantee you this: Every time a security concern is dismissed as "taken care of" without explanation, it's a potential problem.

Thanks to pcmag.com