Cloud computing is a nebulous concept, defying the attempts of many to even define it. However, use it we must. Business value is enhanced by it and competitive edge is often lost by ignoring it. So we need to understand how to safely integrate this emerging technology into our business processes.
Defining the cloud
For clarity, I define cloud computing as any infrastructure or service provided by and from a third party location that supports or delivers business processes. To maximize business value, it should also provide on-demand scalability and enhanced business continuity processes. Examples include:
- Vendor developed and hosted Web services, integrated into systems developed in-house but accessed across the Web
- Vendor managed servers hosting applications developed and managed by in-house staff
- Moving complete systems (e.g. payroll, accounting) to a vendor-hosted site
As the cloud matures, the services provided change and grow. However, the basic premise is that it provides flexibility to large organizations and opportunities to SMBs that might otherwise break the budget.
It's all about risk
From my perspective as a security professional, assessing and managing risk associated with cloud services is simply an adjustment to my existing risk management processes. Okay, so the answer is simple; actual implementation takes a little work.
If you don't have a risk management framework in place, creating one is your first step. Protecting your organization's data is all about balancing risk with business need. Formal processes designed to identify, mitigate, and report risk are necessary when working with business managers—and auditors—to achieve the right balance. If you have a documented framework in place, you just have to extend it.

Figure 1 is a simple model of the risk boundary of many organizations. Security analysts perform risk assessments when IT designs and implements internal solutions. However, the managed risk boundary stops at the perimeter firewall. No formal processes exist to model threats created by connecting to cloud service providers.
Extending the risk boundary isn't just about asking the same questions. Integrating the cloud requires additional considerations unique to dealing with vendor-providers. The following is a list of challenges I consider when evaluating a cloud services provider:
- Has an outside entity certified the provider as an organization that effectively manages security (SAS 70, ISO 27001, etc.)? What internal controls exist? How do they compare with my internal controls? What are the gaps, and are the gaps reasonable?
- What data is involved? Is my organization providing more data than is absolutely necessary? What are the minimum data elements required by the provider and why?
- Does the provider understand my security expectations? Are these expectations included in the contract? What sanctions are identified if the vendor fails to adhere to security wording in the contract? Does the contract allow me to perform my own periodic audit of how well my data are protected?
This list asks the basic questions. I assume you already protect your data in transit and possess robust and flexible access controls. If not, you might have bigger problems to solve before you look at expanding to the cloud.
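The second question in the list above, whether the organization is sending a provider more data than it strictly needs, is one that can be enforced in code rather than left to policy alone. The following is an added illustration, not code from the original article: a per-provider allowlist of the minimum data elements agreed with each vendor, applied to every record on its way out of the risk boundary, with the withheld fields recorded so an auditor can later confirm what was and was not shared. The provider names, field names and sample record are constructed for the example; in practice the allowlists would be derived from the contract or data-sharing agreement rather than hard-coded.

```python
"""Data minimization at the edge of the risk boundary (added example).

Each cloud provider gets an allowlist of the fields it actually needs.
Anything outside that set is withheld, and an unknown provider receives
nothing at all (fail closed). All names and data below are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical minimum data elements per provider. Assumption: in a real
# deployment these come from the signed data-sharing agreement, not code.
PROVIDER_ALLOWLIST = {
    "payroll-vendor": {"employee_id", "pay_period", "gross_pay", "tax_code"},
    "web-analytics": {"page", "timestamp"},
}

# Constructed sample record: an in-house payroll row that carries more than
# the payroll vendor needs (SSN and home address are not on its allowlist).
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "pay_period": "2013-01",
    "gross_pay": 4200.00,
    "tax_code": "M1",
    "ssn": "000-00-0000",
    "home_address": "1 Example St",
}


@dataclass
class MinimizationResult:
    """Outcome of minimizing one record for one provider."""
    payload: dict                                   # fields cleared to send
    dropped: list = field(default_factory=list)     # fields withheld (for audit)
    errors: list = field(default_factory=list)      # reasons nothing was sent


def minimize(provider: str, record: dict) -> MinimizationResult:
    """Return only the allowlisted fields for *provider*; withhold the rest."""
    allowed = PROVIDER_ALLOWLIST.get(provider)
    if allowed is None:
        # No agreed allowlist means no agreed need: send nothing.
        return MinimizationResult(
            payload={}, errors=[f"no allowlist defined for provider {provider!r}"]
        )
    payload = {k: v for k, v in record.items() if k in allowed}
    missing = sorted(allowed - record.keys())
    if missing:
        # The vendor's minimum set is not satisfiable; do not send a partial
        # record, but report which agreed fields were absent.
        return MinimizationResult(
            payload={}, errors=[f"record lacks required fields: {missing}"]
        )
    dropped = sorted(k for k in record if k not in allowed)
    return MinimizationResult(payload=payload, dropped=dropped)


def audit_line(provider: str, result: MinimizationResult) -> str:
    """One plain-text line suitable for the periodic audit the contract allows."""
    status = "rejected" if result.errors else "sent"
    return (
        f"provider={provider} status={status} "
        f"sent={sorted(result.payload)} withheld={result.dropped} "
        f"errors={result.errors}"
    )


if __name__ == "__main__":
    for prov in ("payroll-vendor", "unknown-vendor"):
        res = minimize(prov, SAMPLE_RECORD)
        print(audit_line(prov, res))
```

The point of the `dropped` list is not just hygiene: it is the evidence that answers the auditor's "what exactly did you share with this vendor?" without having to reconstruct it from the vendor's side. Failing closed on an unknown provider keeps a new integration from quietly shipping full records before anyone has written down what the provider actually needs.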
The final word
Don't run from the cloud. It is not your enemy, and you will be assimilated. The question is not whether you will integrate cloud services. Rather, it is how well you will manage the associated risk. Is every vendor a good candidate? Absolutely not. But selecting a cloud vendor is similar to selecting any provider of internal software, hardware, or services. Understand your needs, communicate your expectations, and assess the vendor's compliance. Report your findings to management and, if necessary, work with the vendor to improve controls.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.