March 10th, 2010
Many discussions on cloud computing have thus far focused on the confidentiality and integrity of cloud-provided services. But what about availability?
I think one of the biggest challenges is that if a company moves its core application processing infrastructure to cloud-based services, then access to those services becomes 100% reliant on an Internet connection. Gone will be the days when you turn up at work to find the Internet is down but at least have access to your internal LAN and data centre, which still give you your core working tools and your files. Move it to the cloud and the loss of the Internet connection means the loss of your ability to work.
Another point is that many corporations have spent large sums of money investing in highly resilient, SLA-protected WAN implementations with diversely routed connectivity to protect against circuit and equipment failures. The same is not necessarily true of their Internet connections.
One issue that people seem to be overlooking (or at least not talking about) when it comes to the economics of moving to cloud-based services is how much companies will need to spend upgrading their Internet connectivity to provide similar levels of resilience and the additional bandwidth. This needs to cover not just the circuits but all of the supporting infrastructure: proxy servers, firewalls, routers, switches, IDS/IPS and so on. If you needed a Gigabit backbone connection to your old data centre for normal use, won't you need similar levels of connectivity to the Internet now? That is not cheap in a resilient form. And if you do start moving data-intensive workloads to your cloud provider, have you checked that they have similar resilience and capacity to support not just your requirements but also their ever-growing customer base?
And what of those SLAs? It seems people are happy to consider an uptime SLA of 99.9% from a cloud provider (where have three or four nines gone?), but let's not forget that this is an SLA on the provider's infrastructure uptime only. We also need to factor in the SLA of your Internet connectivity, which reduces the combined SLA below 99.9%: two serially dependent 99.9% components compound to roughly 99.8%, since both must be up for the service to be usable. And all that aside, I am not sure that anyone can yet offer an end-to-end SLA on the Internet itself, so can we realistically attach any SLA to services provided through an Internet-based cloud provider?
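The arithmetic behind the combined-SLA point above, as an added example that is not part of the original post: components that must all be up (provider, your edge devices, a single Internet circuit) multiply their availabilities, while diversely routed circuits where any one suffices multiply their unavailabilities. The SLA figures used below are constructed illustrations, not any provider's published numbers.

```python
"""Availability arithmetic for a cloud service reached over the Internet.

Added example (not from the original post). All SLA percentages below are
constructed for illustration.
"""

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def serial(*availabilities: float) -> float:
    """Availability of a chain in which every component must be up.

    Each availability is a fraction (0.999 == 99.9%). Because all components
    are required, the chain is at most as available as its weakest link and
    normally worse: A = A1 * A2 * ... * An.
    """
    total = 1.0
    for a in availabilities:
        total *= a
    return total


def redundant(*availabilities: float) -> float:
    """Availability of diversely routed links where any one link suffices.

    The service is down only if every link is down at once, so the
    unavailabilities multiply: A = 1 - (1-A1)(1-A2)...(1-An). This assumes
    the links fail independently (no shared duct, exchange or carrier).
    """
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


def downtime_minutes_per_year(availability: float) -> float:
    """Convert an availability fraction into expected downtime per year."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def end_to_end(provider_sla: float, link_slas: list, edge_slas: list) -> float:
    """Combined availability of provider + Internet links + local edge kit.

    provider_sla: the cloud provider's infrastructure uptime SLA.
    link_slas:    Internet circuits, treated as redundant with each other.
    edge_slas:    on-premises devices in the path (firewall, proxy, router),
                  each of which must be up, so they are serial.
    """
    links = redundant(*link_slas)
    return serial(provider_sla, links, *edge_slas)


if __name__ == "__main__":
    # A 99.9% provider behind a single 99.9% circuit and two 99.99% edge boxes.
    single = end_to_end(0.999, [0.999], [0.9999, 0.9999])
    # The same, but with a second, diversely routed 99.9% circuit added.
    diverse = end_to_end(0.999, [0.999, 0.999], [0.9999, 0.9999])
    for label, a in (("provider alone", 0.999), ("four nines WAN", 0.9999),
                     ("single circuit", single), ("diverse circuits", diverse)):
        print(f"{label:18s} {a*100:.4f}%  ~{downtime_minutes_per_year(a):.0f} min/yr down")
```

Running it shows the shape of the CIO/CFO conversation: a 99.9% provider SLA is already about 526 minutes of downtime a year against roughly 53 for a four-nines WAN, and putting a single 99.9% circuit and two edge devices in front of it pulls the end-to-end figure below 99.8%. Adding a diversely routed second circuit recovers most of the link loss, but it cannot lift the result above the provider's own 99.9%, and the calculation assumes the two circuits share no single point of failure.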
This will be a fun one for CIO/CFO discussions. I can just see the dilemma faced by the CFO as he is told by the CIO that he can save 50% on the cost of his Oracle/SAP/Microsoft finance system if he moves to the cloud, but that in doing so he will have to forgo his four-nines SLA and replace it with a best-endeavours one instead. The phrase "having your cake and eating it" immediately springs to mind.
Tags: Availability, Cloud, Economics, Internet, Security
Posted in Cloud Security | 1 Comment »
March 3rd, 2010
One of the questions I am regularly asked by colleagues and customers alike is: how do I know which of the growing band of "enterprise" cloud service providers is providing a secure cloud infrastructure, how are they doing it, and are they doing it well? At this stage cloud providers treat some of the answers as proprietary or confidential, and getting at the detail is almost impossible. But is this the correct way for cloud providers to engage with potential customers and security professionals alike?
Recently Microsoft announced to the world its new Government Cloud offering, which offers security and privacy enhancements over the public cloud. All well and good, with a smattering of security credentials (ISO 27001, FIPS 140-2, FISMA), but what does this mean in practice for this particular offering, and more importantly what security is being provided to Joe Public cloud customers? And does FIPS 140-2 just mean implementing SSL certificates, or does it mean specialist HSM-protected cryptographic key management controls?
Likewise, last June Unisys launched their "Unisys Secure Cloud", the focus being that it is protected with their patent-pending Stealth technology. But what of firewalls, IDS/IPS, access controls and so on, and where is the independent technical validation of Stealth within this environment?
I'm sure similar could be said of all the enterprise cloud providers looking to take advantage of the numerous worldwide cloud marketing campaigns. The problem is that with this lack of transparency comes a lack of trust and confidence. If the only way to get visibility into this level of detail is for potential customers to engage in protracted due diligence with individual cloud providers, then the cost savings offered by cloud services are going to be swallowed up by consultants, technical advisers and lawyers.
In this age of compliance obligations, no company will be able to migrate its computing services to the cloud without the assurance that first-hand knowledge of the technical, logical and physical controls in place at the cloud provider would give.
I suggest therefore that we need a new approach to cloud security assurance that takes a similar path to approved public-domain encryption algorithms. In that case the security lies in the secrecy of the cryptographic key and not in the secrecy of the algorithm. The translation for cloud is that the security should lie in the proper implementation of the controls and not in keeping the controls themselves secret. If this can be achieved, then there would be no reason for a cloud provider not to openly publish its security architecture and controls to the world, thus enabling customers to identify those cloud providers that take security seriously and those that don't. My guess is that those who don't would be less likely to publish in the first place.
So my challenge to cloud providers: which one is prepared to be the first to openly publish its security architecture and controls, enabling customers to make an informed decision about which cloud provider to go with?
Tags: Cloud Provider Security Microsoft Unisys
Posted in Uncategorized | 1 Comment »
February 9th, 2010
One of the issues cloud service providers are facing at the moment is the significant confusion they have, between them, generated about what cloud computing really is. One area is the location of your cloud provider's data centre: on the one hand you have global cloud providers such as Google and Amazon abstracting the location of the cloud data centres away from the end customer, whilst on the other hand there are cloud providers taking the definition you posted and providing this from a contracted location.
This becomes significant when you start dealing with compliance. Let's take one simple PCI DSS requirement as an example: are there any non-WPA2-protected wireless connections attached to the same logical network as the one within scope of PCI DSS? If you don't know which location your cloud provider is hosting your application/data/system from (and it could be multiple locations over a period of time!) then, unless the cloud provider has certified every single possible location they could host from, your PCI DSS QSA is not going to be able to tick the compliance box.
I think there is a significant danger of cloud providers taking a rather negative stance towards auditors and their ability to understand new technology. I've seen this attitude appearing in recent Cloud Security Alliance discussions. It is all very well to criticise auditors for not updating their views on compliance, but I do think that cloud providers and cloud technologists really need to make a positive contribution, given that it is their technology strides that have resulted in the current debate.
Tags: cloud compliance pci
Posted in Cloud Security | 1 Comment »
February 8th, 2010
Over the past six months I've been busy considering how the cloud computing paradigm and traditional compliance requirements can work together, if at all. Given the change in subscriber/provider relationships compared to traditional co-lo/hosting operations, I am sure that this is going to generate many headaches. Questions around where your data is actually being hosted (today, and tomorrow) are immediate harbingers of concern when it comes to demonstrating compliance, and that's before you get into the issues around the right to on-site audits, penetration testing and the like.
Cloud providers, subscribers and compliance auditors are all going to have to get their heads together soon to work out how compliance can be achieved and validated in this new paradigm. Otherwise we will either end up with very little compliance-relevant data being transferred to the cloud, or alternatively we will have lots of subscribers suddenly finding that their previously hard-earned certifications are under threat.
My two cents' worth of contribution to this ongoing debate is that perhaps we need a new class of internationally recognised certifications for data centre/cloud providers to adhere to and be measured against, recognised by the existing compliance bodies. Perhaps this new certification could also be graded, such that a provider can choose which of the existing compliance objectives (e.g. PCI DSS, SOX, SAS, BASEL, FSA, ISO etc.) they want to be measured against and thus flow down to their customers.
An interesting debate, which can only get hotter as cloud services take on more live mainstream customers.
Tags: cloud security compliance
Posted in Cloud Security | 7 Comments »