cloud computing

A Not-So-Great Use of Cloud Computing

As I’m sure you know, I’m not yet a big fan of “cloud computing,” known by various acronyms. I have yet to see a really comprehensive approach to audit and security. Ultimately, you don’t know where your data is in the “cloud.” And the Feds have access to it without a warrant.

So you can imagine my dismay when recently reading someone’s suggestion that the shared computing power of the “cloud” could be used to crack encryption algorithms ever so much faster. How will we address this risk?

The risks of audit and control issues, physical security and secure storage of backups, in my mind, outweigh the over hyped benefits. When I see a strong standard implemented by “cloud” vendors, subject to outside independent verification, I’ll get to wow.

Not until then. Where’s the beef?

Who REALLY Owns Your Data

I had an up-close-and-personal experience today of “cloud computing.” It’s worth thinking about.

I had just finished reading Bruce Schneier’s essay on cloud computing, (which is a great read, by the way) and was considering the following point he recently penned in his Cryptogram:

As we move more of our data onto cloud computing platforms such as Gmail and Facebook, and closed proprietary platforms such as the Kindle and the iPhone, deleting data is much harder.

You have to trust that these companies will delete your data when you ask them to, but they’re generally not interested in doing so. Sites like these are more likely to make your data inaccessible than they are to physically delete it. Facebook is a known culprit: actually deleting your data from its servers requires a complicated procedure that may or may not work. And even if you do manage to delete your data, copies are certain to remain in the companies’ backup systems. Gmail explicitly says this in its privacy notice.

What if those companies delete your data because they don’t like it? Or some copyright is at issue and they “can’t” let you keep it, such as Amazon’s now notorious “removal” of the Orwell books due to copyright issues (How ironic is it that Orwell’s books were deleted???)

So, I’m logging into Skydrive this morning because I’m building an online collection of tools I can access when I’m on the road or someplace where I don’t have my computer or USB drives with me.

I’d uploaded about 3 gigs of tools, which might be considered by some to be “hacking” tools, including Cain and Abel, which (AV constantly tries to delete). But today, those directories and programs are nowhere to be found.

Big Brother Microsoft evidently doesn’t approve. And this is why we should all consider that if our data in the “cloud” doesn’t pass the vendor’s muster, our data will be deleted.

I’ll stick with my computer, for now.

Storm Clouds Ahead

It seems like every big vendor is pushing for business to “use the cloud.” Only now are we starting to see some questions arise in the general media about how secure cloud computing is.

The short answer is: it’s not. Intrinsically, whoever has physical ownership of your hardware has your data. It’s all very nice to say you will save money by outsourcing, but there are no hard and fast statistics to support that. What you save in outsourcing may come back in the form of increased costs for securing your data outside of your data center.

And you do know, of course, that the Feds can look at your data in that cloud without a warrant, don’t you?

So what CAN you do to save money and justify the “real costs” of keeping your data local to higher management?

First: Explore virtualization - Many organizations have realized enormous hard savings in electricity, storage space, UPS, etc by utilizing Virtual Machines to run their applications. The added bonus is that you can have immediate full backups stored elsewhere. It’s also marvelously easy to test a patch on a virtual machine, without having to worry about breaking something in production.

Second - Re-negotiate contracts - If a vendor isn’t meeting your standards, now is the time to switch. There is an enormous competition going on with this downturn of the economy. IF nothing else, get a better deal than the contracts you have.

There’s quite a bit on the web that can help you justify costs internally. But when the discussion about clouds comes up, make sure you ask the questions needed, such as:

1. How we will provide audit information from the cloud?
2. How do we control access to our data? (This will be the real question, because ultimately, the cloud vendor will control access, not your company. You may be able to control application access, but that does not address the server OS or underlying database controls.)
3. How will we monitor access to our data? Because there is no standard for thin-client computing security, the answers will be all over the map, and usually cost you more money.

The PCI standards council is currently looking at cloud computing with an eye to evaluating the security of credit card data. I’ll be interested to hear what they come up with. In the mean time, consider on of my Rules of Thumb: You can outsource data, but you can’t outsource data responsibility.

If you do find a vendor that says they can help you stay compliant, make sure you understand the contract very, very well. Your job could depend on it. I suspect the cost savings will be small, but it’s worth examining just for comparison’s sake with what your organization is doing now.

Watching Your Data Evaporate in the Cloud

“Cloud” computing continues to beat the drum of “cutting costs.” Although I must say that I am hard put to differentiate between “cloud computing” and data centers that host hardware, the emphasis seems to be on shared server resources and supposedly quick turnaround for new applications.

In my experience, “quick application development” is usually another way of saying “open everything up to make it work,” followed by “oops.” Or “ouch.”

The giants (Amazon, Google and IBM) are promising to customize security for their clients, but I have yet to see a price tag on that promise, or a standard for security in a cloud. I suspect that there isn’t one, and isn’t likely to be one.

Here’s some questions that keep me wondering:

How would they implement different levels of security on the same hardware/server OS?
How do I know who else is sharing my server?
How do I know that my confidential data is secure? (Think PCI and HIPAA)
How would I handle eDiscovery?
Who maintains logs - specifically audit trails?
How does handing off security to a third-party affect compliance?
Where is my backup data?
And, uh, what happens if the cloud vendor goes belly up?
Who is responsible for a data breach?

Faster, better, cheaper - pick TWO.

“Cloud Computing” Redux

I know I keep harping on this “new” concept. The only “new” thing about it is the marketing around the name. It’s still off-site data storage and third-party management of corporate hardware and data. It’s got a prettier face than the old green-screen connection to the mainframe, but the concept of thin client/thick client is exactly the same.

A lot of banks that I audit use contracted time and space on mainframes as a standard part of business. From what I’ve seen of this, there are both pluses and minuses:

One Plus:
No mainframe in the basement that requires at least two technically trained engineers.
One Minus:
You are entirely reliant on the third-party for coding changes, reporting and security implementations. They will most definitely charge you for every little and big thing they can. It’s death by a thousand fees. You are also at their mercy for when they are willing to make a change for you. “Security flaw? We’ll fix it in the next release.”

Is there actually a cost savings? It varies from bank to bank. A tiny regional bank may find it difficult to acquire technically skilled employees, in which case it can make a lot of sense and save money. Consider, however, that the larger the organization, and the more IT functions are needed, the more complex management of that third-party relationship is going to be.

Second Plus:
You rely on a SAS 70 for assessing the security of the service provider.
Second Minus:
You rely on a SAS 70 for assessing the security of the service provider.

Yes, I repeated myself. Right now we only have the SAS 70 as a way to assess service providers, and that applies ONLY if the service bureau is handling financial services for the company. The SAS 70 is meant to provide assurance for the financial auditors of the client companies, NOT test to a standard or any kind.

And then, only the controls that the service bureau says are in place are the controls that are tested in a SAS 70.

There is not an independent standard to test “cloud computing” environments for secure practices.

Cloud computing vendors tout the possibility of security: “Cloud computing can be as secure, if not more secure, than the traditional environment,” said Eran Feigenbaum, director of security for Google Apps. Which, in my mind, means that it will be an additional cost to the business.

Eigen’s Rule of Thumb - you get what you pay for. How many businesses will pay for security beyond what the vendor offers as basic services? How many businesses will skimp because they can’t afford it and there is no requirement for it?

Short answer: too many.