Chance of Clouds

They (the ubiquitous THEY) are still concerned about the security of the Cloud.
They are missing the point. There isn't one cloud. There are many.

Some clouds conform to NIST's formal definition of cloud computing; some don't. Some are rebranded hosting or application services. Some are extensions of network-based services. I have gotten over issues of semantics and nomenclature. Let's agree there are many forms of cloud-based services, but let's also recognize the diversity of what is offered in the cloud space: many providers, a wide variety of service models, and a different security posture to evaluate for each. This is true even for clouds that fit NIST's formal definitions of IaaS, PaaS and SaaS.

So, is "The Cloud" secure?

It depends.

That answer comes down to asking the right questions of the cloud provider and doing the requisite diligence. But whether a particular cloud offering is secure will not be settled by the provider's answers, its SAS 70 report, or its marketing material. It won't even be settled by a deeper-dive investigation. Using "The Cloud" is just another form of outsourcing, and whether any outsourcing activity is secure also depends on questions you have to ask (and answer) of yourself and your organization. Not every function belongs in the cloud, and some are as secure, or more secure, in the cloud depending on the context. Consider two examples:

1)      You have an organization that produces brochures. Maybe it's the PR function of a company or the public-facing side of a government agency. You want to make this public material available over the web so that your constituency or target audience does not have to come to your offices to pick up a free brochure. For this function, "The Cloud" is appropriate and relatively secure. "Relatively" has two senses here: the security required is relative to the low sensitivity and privacy of the material in the system, and the most likely threats are defacement of the website or denial of service, neither of which triggers regulatory or organizational consequences beyond cleanup and repair.

2)      You have top-secret classified unique eyes-only military material.  The Cloud is probably not the place to put this.

Somewhere between these two examples lie the majority of cloud workloads. The key is to approach the decision from a risk management perspective. Start by asking yourself and your organization questions such as:

  • What is my organization's risk tolerance?
  • How sensitive are the data, information and operations involved?
  • How is sensitive data defined? By our own measures, or by legislative or regulatory measures?
  • What are the likely risks? Consider loss of reputation, legal repercussions, ROI (risk of incarceration), and others.
  • How likely are these risks to materialize?
  • What is the value of the information?
  • How often would an exploit or breach be expected to occur?
  • What are the ramifications or penalties if the system is breached, the data lost, or the systems compromised? What are the legislative, punitive and other considerations?
  • Also consider regulatory elements such as where the data is located and the national origin or citizenship of the support personnel.

When considering cloud security, remember that "security" is usually framed as a triad, CIA: confidentiality, integrity, availability. Most people weighing risks to data think of keeping sensitive data confidential, and some consider making sure data is not inappropriately modified, but they must also consider the availability of the data.

One element of availability is making sure the cloud provider can withstand a DDoS, a distributed denial of service attack. Another is business continuity and disaster recovery. Your cloud provider should have clear descriptions of how each of its services handles both, including the recovery time and recovery point it commits to.

Stuff happens; things eventually go wrong. Disaster recovery can handle some of these events, but there are also malicious actors in the cloud, so another consideration is incident response. Make sure your provider has clearly defined incident response processes, including how and when it will notify you of incidents that affect your data.

Finally, keep in mind that cloud services form a spectrum, defined at a high level by the NIST service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These are shown in the diagram below. The arrow points in the direction of increasing responsibility for the cloud user: with SaaS the provider controls more of the risk management, while with IaaS the cloud user carries more of the responsibility. The user remains ultimately responsible for protecting the data it considers sensitive, but more of the work is done by, or delegated to, the provider as the service moves toward the SaaS model.

So, what do you think? Please leave your comments about what you've experienced with cloud services and how you decide what to put in the Cloud and what should not be there. Your insights will be helpful to others. Thank you for your participation.

Jeff Huegel, Cyber Security Chief Architect, AT&T