Posted by: Arian Eigen Heald
Admins and Auditors, cloud computing, Cloud Security, PCI, Privacy
It seems like every big vendor is pushing for business to “use the cloud.” Only now are we starting to see some questions arise in the general media about how secure cloud computing is.
The short answer is: it’s not. Intrinsically, whoever has physical ownership of your hardware has your data. It’s all very nice to say you will save money by outsourcing, but there are no hard and fast statistics to support that. What you save in outsourcing may come back in the form of increased costs for securing your data outside of your data center.
And you do know, of course, that the Feds can look at your data in that cloud without a warrant, don’t you?
So what CAN you do to save money and justify the “real costs” of keeping your data local to higher management?
First: Explore virtualization – Many organizations have realized enormous hard savings in electricity, storage space, UPS, etc by utilizing Virtual Machines to run their applications. The added bonus is that you can have immediate full backups stored elsewhere. It’s also marvelously easy to test a patch on a virtual machine, without having to worry about breaking something in production.
Second – Re-negotiate contracts – If a vendor isn’t meeting your standards, now is the time to switch. There is an enormous competition going on with this downturn of the economy. IF nothing else, get a better deal than the contracts you have.
There’s quite a bit on the web that can help you justify costs internally. But when the discussion about clouds comes up, make sure you ask the questions needed, such as:
1. How we will provide audit information from the cloud?
2. How do we control access to our data? (This will be the real question, because ultimately, the cloud vendor will control access, not your company. You may be able to control application access, but that does not address the server OS or underlying database controls.)
3. How will we monitor access to our data? Because there is no standard for thin-client computing security, the answers will be all over the map, and usually cost you more money.
The PCI standards council is currently looking at cloud computing with an eye to evaluating the security of credit card data. I’ll be interested to hear what they come up with. In the mean time, consider on of my Rules of Thumb: You can outsource data, but you can’t outsource data responsibility.
If you do find a vendor that says they can help you stay compliant, make sure you understand the contract very, very well. Your job could depend on it. I suspect the cost savings will be small, but it’s worth examining just for comparison’s sake with what your organization is doing now.