Thursday, July 7, 2011
A recent Wall Street Journal article reported that the majority of cloud service providers do not consider security one of their most important responsibilities. This finding comes from a survey by the Ponemon Institute. According to the survey of 127 cloud service providers – 24 in six European countries and the remainder in the U.S. – the prevailing belief is that customers are responsible for securing their own data. The report also states that the majority of cloud providers (79 percent) say their organizations allocate only 10 percent or less of IT resources to security and control-related activities.
My own company’s experience as a provider of privileged identity management software is certainly consistent with these findings. While we’re discovering that a small number of top-tier cloud service providers are starting to think seriously about controlling and auditing their own employees’ access to sensitive customer data, you’d likely be surprised by some of the well-known providers who seem to treat customer data security as an afterthought.
The fact that so many cloud providers – large and small – have no interest in managing privileged identities and segregating duties to limit access to sensitive data and systems should give customers pause before putting their most precious data and resources in the hands of many providers.
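As an added illustration, not code from the author's company or from any cloud provider, of what "managing privileged identities and segregating duties" looks like in practice: a hypothetical access broker in which an operator's access to a customer data store must be approved by a different person holding an approver role, every grant expires, and every decision (granted or denied) is appended to a hash-chained audit log so that later edits to the history are detectable. The user names, roles, resource name and timestamps are constructed for the example.

```python
"""Minimal privileged-access broker: separation of duties plus a tamper-evident audit trail.
Hypothetical example; not any vendor's product or API."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample identity data: who may request access, who may approve it.
ROLES = {
    "alice": {"operator"},
    "bob": {"approver"},
    "carol": {"operator", "approver"},
}


class PolicyViolation(Exception):
    """Raised when a request breaks the access policy (and after it has been logged)."""


@dataclass
class Grant:
    requester: str
    approver: str
    resource: str
    expires_at: datetime


class AuditLog:
    """Append-only log; each entry's hash covers the previous hash, so deleting or
    editing an entry in the middle breaks the chain for everything after it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, default=str)  # default=str renders datetimes
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": h})
        return h

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AccessBroker:
    def __init__(self, roles: dict, log: AuditLog, ttl: timedelta = timedelta(hours=1)):
        self.roles, self.log, self.ttl = roles, log, ttl
        self.grants = {}  # (user, resource) -> Grant

    def approve(self, requester: str, approver: str, resource: str, now: datetime) -> Grant:
        event = {"action": "approve", "requester": requester, "approver": approver,
                 "resource": resource, "at": now}
        try:
            if "operator" not in self.roles.get(requester, set()):
                raise PolicyViolation(f"{requester} is not an operator")
            if "approver" not in self.roles.get(approver, set()):
                raise PolicyViolation(f"{approver} holds no approver role")
            if requester == approver:  # separation of duties: even dual-role users cannot self-approve
                raise PolicyViolation("requester and approver must be different people")
        except PolicyViolation as exc:
            self.log.append({**event, "result": "denied", "reason": str(exc)})
            raise
        grant = Grant(requester, approver, resource, now + self.ttl)
        self.grants[(requester, resource)] = grant
        self.log.append({**event, "result": "granted", "expires_at": grant.expires_at})
        return grant

    def access(self, user: str, resource: str, now: datetime) -> bool:
        grant = self.grants.get((user, resource))
        ok = grant is not None and now < grant.expires_at  # time-bounded, not standing, access
        self.log.append({"action": "access", "user": user, "resource": resource,
                         "at": now, "result": "allowed" if ok else "denied"})
        return ok


def demo() -> dict:
    """Constructed scenario; returns each outcome so the behaviour can be checked."""
    log = AuditLog()
    broker = AccessBroker(ROLES, log)
    t0 = datetime(2011, 7, 7, tzinfo=timezone.utc)
    results = {}
    broker.approve("alice", "bob", "customer-db", now=t0)
    results["in_window"] = broker.access("alice", "customer-db", now=t0 + timedelta(minutes=30))
    results["expired"] = broker.access("alice", "customer-db", now=t0 + timedelta(hours=2))
    try:
        broker.approve("carol", "carol", "customer-db", now=t0)
        results["self_approval"] = "granted"
    except PolicyViolation:
        results["self_approval"] = "denied"
    results["no_grant"] = broker.access("mallory", "customer-db", now=t0)
    results["log_intact"] = log.verify()
    log.entries[0]["event"]["result"] = "denied"  # simulate someone editing history
    results["log_after_tamper"] = log.verify()
    results["entries"] = len(log.entries)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point a customer should take from this is that the controls are cheap to implement: the expensive part is a provider deciding that its own administrators are subject to them. When evaluating a provider, ask for evidence of each of the three properties the example enforces (a second person in the approval path, expiring grants, and a log that cannot be quietly rewritten).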
Are the terms "secure" and "cloud data center" mutually exclusive? For example, many regulations presume that you know where your data physically resides. But to maximize cloud value, the providers must be free to move the data around. The data owner would need to prevent this as a matter of regulatory compliance – so the organization might as well just have a private cloud. Is this an example – possibly one of many – where cloud services and security/compliance are incompatible?
Even in private data center implementations, data replication and geographic distribution of data are normal, desirable activities. This is done as a precaution against data center disasters and to facilitate load balancing and routine systems maintenance. In essence, with the cloud, the disaster and load balancing scenarios are carried out by the operator of the cloud infrastructure. It is possible to specify the geographic distribution of data as part of the contract with the cloud provider.
Regarding regulatory compliance, I'm often asked who is legally liable (cloud provider or data owner) if data is in breach of regulatory mandates such as HIPAA, PCI-DSS, EU Data Protection and so on. The answer isn't always clear. Generally speaking, cloud service providers’ terms of service may seek to absolve the providers of legal responsibility in return for aggressive pricing. Too many customers don’t ask the hard questions and blindly sign the service agreements with little thought given to compliance and liability. On the other hand, for those companies (especially small and medium ones) where the quality of security is poor, even the middling safeguards offered by cloud providers can be a quantum leap in improvement.
In the case of many mainstream applications like email, CRM and collaboration (e.g. WebEx, LiveMeeting), cloud services promise to reduce the load on the customers’ IT infrastructure (software, hardware, network), delivering services that can evolve quickly at a reasonable cost. Every company is expected to do more with less, and cloud providers are in a strong position to take over those applications that customers cannot otherwise afford to install or maintain.
Moving to cloud services means accepting the cloud provider’s terms of service – in effect, agreeing to play by their rules. This means that, in general, the frequency and duration of service outages (maintenance windows) will be stipulated by the cloud provider and not by you. Limits on traffic, transactions, users and other values may all be set by your provider. In some cases the cloud provider reserves the right to scan your data and present users with advertising based on what is sent in email. And if your hosted neighbors are a nuisance (think WikiLeaks), your access may be impaired by denial of service attacks aimed at them, or simply by the overwhelming loads they place on shared infrastructure.
Yet to me the most unsettling cloud security issue is the fraud perpetrated against customers by the SAS70 certification process. Customers implicitly rely on the security “being there” when a cloud vendor says they have been SAS70 certified.
What customers don’t know is what a SAS70 report actually says about that vendor, since these reports are confidential. It is rare for customers to demand to see the SAS70 report before plunking down their money (don’t forget to sign that confidentiality agreement), and rarer still for customers to compare the SAS70 reports of multiple cloud vendors. It’s frightening how few of the cloud customers’ own auditors know to review these critical SAS70 reports, and how many are kept in the dark by IT departments about their use of third-party cloud providers. Even those auditors who know where to look for the data may have no experience or established process for properly evaluating and reporting on the cloud solutions used by their clients.
“Trust me” is not a security strategy. Unfortunately many organizations seem ready to take big leaps into the cloud, naively trusting that the big-name companies who host these offerings will protect their backsides.