Posted by: David Schneier
cloud, cloud computing, compliance, regulatory, Regulatory Compliance
Years ago while working on SOX in its early days the team I managed started getting just a little tired of hearing that very term. It seemed that everything was “SOX-this” or “SOX-that” as everyone was trying to attach themselves to the massively intrusive new regulation and establish that they were in the know. One of the members of my team started playing with the concept and began using terms such as “Good SOX morning” and “Excellent SOX point”. And while it seemed sophomoric it was actually quite fitting and helped people in our environment start pulling back a bit on their SOX-isms.
I’m reminded of this phenomenon courtesy of the latest and greatest technology to revolutionize the business world – Cloud Computing.
Over the past three months every industry rag has had something Cloud-related on its cover. Every respectable technology website I know of has Cloud-something splashed all across its pages. Almost every audit and compliance source I frequent seems to only want to talk about Cloud Computing. But I knew I’d reached SOX-ish proportions when I recently visited a community website for my former hometown and right there amongst the neighborhood goings-on and local news bits was a blog post by someone offering to explain the phenomenon of Cloud Computing. Right next to the story “Main Street Bistro offers live music this Friday” was a blog post titled “What is Cloud Computing?”.
Wow! I haven’t seen such lunacy over a new technology since the iPad2 came out earlier this year. Seriously, this isn’t just about corporate data centers and hosted business solutions, this is also about small town Main Street (or so I’d have to think based on the blog post).
Am I the only one finding this all just a bit odd? Remember when Microsoft started running those commercials touting Windows 7 software and the Cloud (every problem people in the commercials were confronted with segued to a solution elsewhere; “To the Cloud” went the line)? What exactly was that supposed to even mean? There’s a huge difference between accessing your home desktop via a remote PC connection and having all of your digital world stored in some amorphous conglomeration of servers. My kids would stare at the TV and ask aloud if we could use the Cloud. Holy Hype!
I’m not sure who exactly is behind this awesome marketing strategy but I have to tip my hat to them, they’ve outdone themselves this time. When children are asking their parents if they can use the Cloud you know something went very, very right.
But as someone who makes his living trying to build controls around things and testing them to make sure they’re working properly I have to tell you, when I think Cloud I don’t think Computing, I think storm. I think of huge thunderstorms and heavy, ear-splitting rain. I think of hail the size of baseballs smashing down on everything and winds whipping up and destroying anything in their path. When it comes to Cloud Computing you may see fluffy, white, pillowy images but I see nasty dark skies ahead.
How do you secure the Cloud? How do you back up the Cloud? How do you know where your data passes through or resides in the Cloud? You don’t, that’s the thing. If one server in the Cloud configuration gets hacked, if one virus infiltrates somehow past the anti-virus filters, if somehow someone with ill intent gains access to that one server or is able to install a sniffer of some sort, how would you know if it affects you? Again, you wouldn’t. You might know that you’re at some risk but you wouldn’t know for certain. It’s a controls nightmare for people like me.
And to be fair, I’m not as concerned about private cloud configurations as I am about those that are offered out in the public domain; I’m concerned, but not as much. But for those Cloud offerings that promise cheaper storage, email and web hosting I have to ask, how can you assure me that my data is safe? What happens if one component in the Cloud configuration is compromised? How would you know who is impacted and who to contact? And what if some or all of your infrastructure is seized by law enforcement as part of an investigation? Who’s impacted and how do you know for certain (that was a question raised on a LinkedIn board I read)?
There have always been too many moving parts in a heterogeneous network design and the industry has never been able to completely build out solutions to lock it down sufficiently (thus the reason for the “Breach of the Week” announcements we read about). Now we’re being told to migrate what’s on that network to an ever-changing virtual infrastructure where many hands make light work. Where your digital world resides today is potentially (likely) different from where it will be tomorrow, and you have no real control over that. How does that appeal to anyone? Seriously, how much money do you think you’re saving by rolling these dice?
You know who I think is behind the push for Cloud Computing? The criminal element. Seriously, think about it. They offer a big virtual sandbox where you can host all your files and applications on the cheap. They sexy it up by running creative ads and getting vendors to back them up and voilà, people are running to it like moths to the light. And for what, to save a few bucks? How much is your sensitive data worth? Probably a bit more than what you’d be saving by running in the Cloud. Now that I think about it I’m certain I’m on to something. I think that people who are looking to find easier and more efficient ways to gain access to sensitive data not theirs are behind this. If your information is compromised, how can you ever prove it happened in the Cloud? This may be the perfect crime.
If you want to have your head (and data) in the Cloud so be it. For my money… no, wait, for my personally identifiable information I’m taking a pass on the Cloud. I know too much about how technology things work and don’t work and I can’t even begin to figure out how these configurations can be properly secured.