Virtualization

Storm Clouds Ahead

It seems like every big vendor is pushing for business to “use the cloud.” Only now are we starting to see some questions arise in the general media about how secure cloud computing is.

The short answer is: it’s not. Intrinsically, whoever has physical ownership of your hardware has your data. It’s all very nice to say you will save money by outsourcing, but there are no hard and fast statistics to support that. What you save in outsourcing may come back in the form of increased costs for securing your data outside of your data center.

And you do know, of course, that the Feds can look at your data in that cloud without a warrant, don’t you?

So what CAN you do to save money and justify the “real costs” of keeping your data local to higher management?

First: Explore virtualization - Many organizations have realized enormous hard savings in electricity, storage space, UPS, etc by utilizing Virtual Machines to run their applications. The added bonus is that you can have immediate full backups stored elsewhere. It’s also marvelously easy to test a patch on a virtual machine, without having to worry about breaking something in production.

Second - Re-negotiate contracts - If a vendor isn’t meeting your standards, now is the time to switch. There is an enormous competition going on with this downturn of the economy. IF nothing else, get a better deal than the contracts you have.

There’s quite a bit on the web that can help you justify costs internally. But when the discussion about clouds comes up, make sure you ask the questions needed, such as:

1. How we will provide audit information from the cloud?
2. How do we control access to our data? (This will be the real question, because ultimately, the cloud vendor will control access, not your company. You may be able to control application access, but that does not address the server OS or underlying database controls.)
3. How will we monitor access to our data? Because there is no standard for thin-client computing security, the answers will be all over the map, and usually cost you more money.

The PCI standards council is currently looking at cloud computing with an eye to evaluating the security of credit card data. I’ll be interested to hear what they come up with. In the mean time, consider on of my Rules of Thumb: You can outsource data, but you can’t outsource data responsibility.

If you do find a vendor that says they can help you stay compliant, make sure you understand the contract very, very well. Your job could depend on it. I suspect the cost savings will be small, but it’s worth examining just for comparison’s sake with what your organization is doing now.

Watching Your Data Evaporate in the Cloud

“Cloud” computing continues to beat the drum of “cutting costs.” Although I must say that I am hard put to differentiate between “cloud computing” and data centers that host hardware, the emphasis seems to be on shared server resources and supposedly quick turnaround for new applications.

In my experience, “quick application development” is usually another way of saying “open everything up to make it work,” followed by “oops.” Or “ouch.”

The giants (Amazon, Google and IBM) are promising to customize security for their clients, but I have yet to see a price tag on that promise, or a standard for security in a cloud. I suspect that there isn’t one, and isn’t likely to be one.

Here’s some questions that keep me wondering:

How would they implement different levels of security on the same hardware/server OS?
How do I know who else is sharing my server?
How do I know that my confidential data is secure? (Think PCI and HIPAA)
How would I handle eDiscovery?
Who maintains logs - specifically audit trails?
How does handing off security to a third-party affect compliance?
Where is my backup data?
And, uh, what happens if the cloud vendor goes belly up?
Who is responsible for a data breach?

Faster, better, cheaper - pick TWO.

“Cloud Computing” Redux

I know I keep harping on this “new” concept. The only “new” thing about it is the marketing around the name. It’s still off-site data storage and third-party management of corporate hardware and data. It’s got a prettier face than the old green-screen connection to the mainframe, but the concept of thin client/thick client is exactly the same.

A lot of banks that I audit use contracted time and space on mainframes as a standard part of business. From what I’ve seen of this, there are both pluses and minuses:

One Plus:
No mainframe in the basement that requires at least two technically trained engineers.
One Minus:
You are entirely reliant on the third-party for coding changes, reporting and security implementations. They will most definitely charge you for every little and big thing they can. It’s death by a thousand fees. You are also at their mercy for when they are willing to make a change for you. “Security flaw? We’ll fix it in the next release.”

Is there actually a cost savings? It varies from bank to bank. A tiny regional bank may find it difficult to acquire technically skilled employees, in which case it can make a lot of sense and save money. Consider, however, that the larger the organization, and the more IT functions are needed, the more complex management of that third-party relationship is going to be.

Second Plus:
You rely on a SAS 70 for assessing the security of the service provider.
Second Minus:
You rely on a SAS 70 for assessing the security of the service provider.

Yes, I repeated myself. Right now we only have the SAS 70 as a way to assess service providers, and that applies ONLY if the service bureau is handling financial services for the company. The SAS 70 is meant to provide assurance for the financial auditors of the client companies, NOT test to a standard or any kind.

And then, only the controls that the service bureau says are in place are the controls that are tested in a SAS 70.

There is not an independent standard to test “cloud computing” environments for secure practices.

Cloud computing vendors tout the possibility of security: “Cloud computing can be as secure, if not more secure, than the traditional environment,” said Eran Feigenbaum, director of security for Google Apps. Which, in my mind, means that it will be an additional cost to the business.

Eigen’s Rule of Thumb - you get what you pay for. How many businesses will pay for security beyond what the vendor offers as basic services? How many businesses will skimp because they can’t afford it and there is no requirement for it?

Short answer: too many.

Don’t Be Seduced Just Yet

I had a co-worker ask me yesterday what my opinion on “cloud computing” is, and whether it should be something they could recommend to clients. He had seen announcements about cloud computing from Microsoft

According to a 2008 paper published by IEEE Internet Computing “Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, table computers, notebooks, wall computers, handhelds, sensors, monitors, etc.” Another criteria is that it be massively scalable.

“Cloud Computing” is almost the same as “SaaS” (software as a service), the difference being, according to Gartner, scalability.

What I found the most interesting was the statement from Microsoft: Windows Azure provides developers with on-demand compute and storage to host, scale, and manage Web applications on the Internet through Microsoft® data centers. (the bold emphasis is mine.)

So, a business runs all it’s core applications and stores all it’s data on Microsoft’s servers. Windows is actually developing Azure as a separate platform from Windows server and desktop apps. It’s all accessible anywhere from the Internet. I guess Microsoft has decided to get into the Data Center business arena along with IBM and HP.

This is probably a silly question, but what do you have if there is no Internet access? There seems to be a massive assumption that all business functions can be run over the Internet.

The ONE statement about security on their opening page was: Security supported by flexible Code Access Security policies and The built-in management services give monitoring and tracing capabilities.

That’s IT???? I admit it is a page pitched to software development, but shouldn’t secure software development and the security of data centers be in there anywhere? The FAQ offered up nothing on that topic, as well. It did, however, offer up pricing.

So, I’m going to be terribly cynical and say that this might be Microsoft’s approach to controlling the rampant software piracy of their products going on all over the world. How about promoting it as a “more secure platform?”

Other than being a marketing ploy, “cloud computing” sounds like “thin client” writ large. There may be some significant financial savings, if you have the right kind of business to use this platform. AND you want to turn your data security over to Microsoft.

Microsoft’s only mention of “risk” - Windows Azure provides you, the developer, with a scalable platform and a rich development environment that allows you to focus on the business logic of your application without worrying about operational constraints or lock-in,” didn’t get me to “wow.” How often has security lagged far behind software development and what is Microsoft doing to change that? From this announcement, nothing.