BCS, The Chartered Institute for IT, held a Thought Leadership debate entitled ‘Cloud Security - Cloud Cuckoo Land?’ on 23 November 2009. This report is based on it.

David Miller, Managing Director of ITDYNAMICS; Sadie Creese, Director of e-Security, International Digital Laboratory, University of Warwick; and Andy Smith, Chief Security Architect for the Identity and Passport Service gave short speeches at the outset of the debate to set the context.

The business perspective

David Miller began with a reference to the Cloud Computing World Forum in London, where it was evident that to many enterprise organisations cloud computing has become mainstream. Cloud security is a concern - but it must be addressed because it is a part of a much bigger change taking place in business and IT.

Sir Winston Churchill said we have to decide whether we see ‘difficulty in the opportunity’ or ‘opportunity in the difficulty’.

From the business perspective there is a big opportunity in the cloud. The economic difficulties of the last 18 months have created a need for business to make changes. It doesn’t want to get caught out again; business is looking to IT as the enabler.

One of David’s clients is looking to reduce costs by more than £1 billion. Another has £1.5 billion of new work. IT is key to the success of both but in both cases is seen to be an inhibitor.

It is not uncommon for IT to be seen to be an inhibitor to change because of the mish-mash of new and old technologies, new and old apps, databases, middleware and process. In some organisations it takes a long time to do anything, and often the benefits just fail to materialise.

Since 1970 we have introduced process throughout the life cycle, which may have helped us to manage IT and accelerate the introduction of cloud computing, and which has moved IT up the notional maturity curve. But there are cost implications (associated with training and demonstrating compliance) and there is a loss of business agility (associated with bad process). So this has had little effect on business outcomes - failure rates are still running at the same high rates as they were in 1970, only now businesses are far more dependent upon IT.

The closeness of IT to the business is the most significant factor contributing to successful business outcomes. By making closeness an integral part of what we deliver we can radically increase our chances of achieving a successful business outcome. Thus the business need and hence the service excellence model are more important than just the IT requirements and the total business experience as a measure of closeness is far more important than just the traditional IT measures of performance.

Whether we like it or not, IT is changing: conventional maturity models have always maintained that the future looks much like today except that processes will be more efficient and somehow business-driven. (Unfortunately it’s not clear what this means or how we will know we have got there.)

Continuous improvement of the CMMI or lean models will continue to have relevance but they both disguise what is actually happening to IT.

The new maturity model (derived from the service excellence model) is not just predicated on improved efficiency but on the eventual ‘disintermediation’ of IT as a result of the convergence of business and IT and of the commoditisation of IT service delivery. The eventual end state is defined by the ‘ultra-efficient service engine’ where, instead of identifying service gaps, we measure the time delay involved in responding to a new business need. Convergence and commoditisation are for real.

New developments in the BMP world are driving convergence and the cloud has rapidly emerged as the most significant manifestation of commoditisation so far. Convergence and commoditisation, and thus the cloud, will be popular with business because convergence enables the business to take back its responsibility for processes and to rapidly re-engineer itself and commoditisation enables the business to access IT resources ‘on demand’ and at low cost. Both convergence and commoditisation improve business agility.

Convergence and commoditisation should also be popular with CIOs because IT becomes central to the business, streamlined, and measured in business terms. IT and the business combine to become a complex adaptive system that responds efficiently and effectively to the needs of the market.

Convergence and commoditisation will also be popular with the IT industry because the investment in cloud computing is vast and the IT industry will not want it to fail.

However, engaging with the cloud calls for a different style of management because the commoditised IT world is one where we may neither own nor control the IT resources or the IT processes fundamental to COBIT and ITIL. Instead we manage the business needs and the business outcomes, so the service excellence model and the total business experience emerge once again as important - the very same things that help us to make closeness an integral part of what we deliver in order to improve our success rates.

Security in context

Security should be at the front of everyone’s mind as the process of convergence and commoditisation unfolds - but, if history is anything to go by, it seems unlikely. Business has always assumed that IT security would be taken care of by IT and hence it is treated as a technical problem.

Personal data (financial, healthcare, and child-related) and processes have been exported to countries outside of the data protection zone. People have lost and sometimes sold information about us or our company for personal gain. The industry itself and legislators have to do a lot better.

In a cloud world, just as in a business-focused world, business must take responsibility for what is theirs and the rest has to be agreed in conjunction with the service providers. However, as IT disintermediates, the responsibility for all aspects eventually shifts to the business.

Remedies to cloud security issues will be found but as the different technologies are massively scaled up (and clouds become interconnected) more security concerns will arise.

In a cloud environment, as in any other, there is a need for a business risk assessment, so responsibilities must be absolutely clear. Safeguards may include placing geographical limitations on the storage of data and on processing.

Some organisations will embrace cloud with no security concerns and they are entering the market now, some will embrace it as a cost cutting measure at a time that suits them, but others will hold back until the known risks are at zero.

A fuzzy concept

Sadie Creese began her comments with the view that the cloud is currently an ill-defined concept. Taking as an illustration a literal weather system, we need to understand rain, the activity of lightning, nice white fluffy clouds and so on. This dictates when we fly, how we fly, what direction we take, whether to take a parachute and the like.

There are also different types of cloud: virtual private clouds, private clouds, public clouds, hybrid clouds and others. The abilities of cloud users will also differ enormously - particularly in their assessment of risk.

Cloud and outsourcing similarities

Current outsourcing best practice is relatively fit for purpose - it’s about service level agreements, shared culture, relationship building, a common ethos with your provider and similar things. But the key attribute of the cloud will be the ability to switch suppliers quickly - making it more about agility and cost saving. This means there will be no time for long procurement cycles and relationship building.

This idea of agility versus the current longer methods of handling risk, coupled with the factor of where data is geographically, presents enterprise with a challenge. The way current outsourcing best practice deals with these issues will not be good enough.

These are not just technical problems; there will be a big issue in managing the business - in understanding the new threats of the cloud, reducing potential impact surface, governance issues, training and the maturity of the IT industry.

The citizen’s perspective

How much should we expect individuals to do for themselves in the security area? Perhaps an ethical consideration is that the industry should do more to help people understand the implications of their actions and help them do things more securely. Many individuals already use the cloud without even knowing it and many not only don’t know the risks, but don’t have the intuition to assess the potential for risk.

As there are economic models at work too, are people educated enough? Given that the cloud will be one big system it does make a difference how each individual behaves. A possible approach would be a greater interface between enterprises and individuals to help manage both their needs from the cloud.

These threats cannot be mitigated without a more thorough definition of the cloud.

What about government?

Andy Smith showed how we have been using cloud ideas for many years, pointing out that he had his BT email address 12 years ago, but with no idea or interest in where it was hosted. BT was an organisation he could trust.

But things change. BT joined with Yahoo, and they took over hosting the address, something that was impossible to avoid as the Terms and Conditions changed. So this data could just as easily now be in the US, outside of the Data Protection legislation of the UK.

A company may not want this - but UK government definitely couldn’t operate with this uncertainty.

Government is currently working on a cloud application: G-Cloud. The prevailing view is that, philosophically, the cloud is a great idea. For example, a government department could ask for 4,000 new email addresses for a particular domain and let the provider get on with it. The cost savings could be huge.

But what is the liability model? A government department needs to show due diligence. A customer wants to know the protection mechanism for their data. A customer would want the assurance that anyone misusing their data could be traced and prosecuted. And of course the government department would then need a guarantee of the quality of its evidence. How can an evidential quality audit be undertaken in a cloud context?

In government, personal information is covered by the Data Protection Act and the Official Secrets Act - there are stronger controls than the norm on this data. Is this even possible in the cloud environment? It could lead to the requirement for three types of cloud: a confidential cloud, a restricted cloud and a secret cloud. Are these three clouds, or one? What are the connections between them and how can they be managed?

An additional problem would be who a cloud provider subsequently contracts to. If a provider outsources to places outside the UK or EU then data could be outside an organisation’s control. If something went wrong the UK provider may be able to be sued, but the front page news would still be damaging.

You can outsource responsibility, but not liability.

The debate

The similarities between the security of an outsourcing arrangement and a cloud arrangement were highlighted several times in this debate, which at first glance would seem to be a help in addressing cloud security issues.

However some differences were noted. In a cloud scenario the relationship between client and supplier is more distant than in the outsourcing field. And the granularity of relationships is different. In a cloud environment SMEs could get great benefit, even getting relatively minor services via a cloud, but outsourcing is often a much larger scale endeavour.

This may require the development of different levels of security from a cloud provider.

SMEs could easily benefit from greater security than normal in this situation, but enterprises could actually experience a change of protection as they have so many more variables to consider: in-house staff training, technical training, differing risk assessments and the like. What approach to take could well be a judgment call.

An interesting angle here is that while SMEs have a different risk profile and security approach many of the Fortune 100 organisations have data looked after by SMEs - giving them a leverage in the corporate world but also providing a potential weak point.

It’s often true that individuals tend to lead in adoption of new approaches and enterprises are more conservative. Generation Y, sometimes called digital natives, will probably be less concerned about data integrity and assurance, though. But individuals will still need to ensure they have sufficient good information to make security decisions on.

In the enterprise it seems that even now many don’t understand how valuable data is - to them and their customers. Traditionally it seems that enterprises are not that good at buying IT services.

Unlike individuals, enterprises may want to control where and how their data is held - just as UK government organisations won’t want their data held outside the UK, some companies may have geographical considerations too.

New security threats

When broadband was introduced a new form of criminal activity followed - phishing - which was enabled by the technology. As cloud applications are more widely used a similar threat is there. The attack surface for organisations on a cloud could be much larger and a large cloud provider with a number of high profile clients would offer a natural target for cyber criminals. The aggregation of assets in the cloud makes it a higher value target.

The fact that to make the cloud scalable it would require a utility and standardisation approach also adds a security threat. The standardisation means criminals would have a common problem to address.

From this we could see that security through obscurity would be a difficult countermeasure to use. One commenter said that Bernie Madoff had used this approach by using the relatively unknown IBM AS400 system to secure his enterprise. But this wouldn’t work for the cloud environment.

Always to be borne in mind are the civil liberties issues and the fact that risk in a certain cloud could increase as it gains clients. If, for example, an organisation takes into account that a provider has only 10 major clients, but because it is so competitive it picks up another 50 over the subsequent year, the risk profile will change hugely.

Unscrupulous users/customers of cloud computing, perhaps where the service provider is honourable and trustworthy but one of the users is not so inclined, could also lead to problems. One commenter mentioned a recent case with a well-known cloud provider demonstrating an offering that enabled the harnessing of 10, 20, 100 or many thousands of CPUs together to run your own applications. The Terms & Conditions stated that users must not use its services against the cloud, but within a week of the demonstration someone had used that service to completely map the cloud in question.

We are left with a number of questions: While the business case for the cloud is good, could the complexity and risks of the security invalidate it? Is data the key thing? Do we need to know where data is before we can make rational decisions on these issues?

Additionally, other risk areas in exploitation of the cloud would be speed of response from suppliers; the capacity available could also still be an issue, and availability would be a vital area for any enterprise to be sure about.

Possible solutions

The information security economics argument says that security professionals who are appropriately incentivised - by their cash or reputation being on the line for example - are much better at providing good security services. In the cloud scenario the provider would need to be heavily incentivised. Perhaps they should contractually incur a substantial financial penalty in the case of failure not just for one client but all of them - like a class action in law.

Although the FSA failed in the recent economic meltdown it could be that a similar model could work to audit cloud providers.

BCS, as the Chartered Institute for IT, could have a big role, starting with education, openness and a simple communication of the issues. Legislation will also be a difficult area, particularly for individuals, so the Institute could champion their needs.

What about guarantees for the cloud services buyer? Perhaps the Institute could define what makes a good cloud provider, what security controls should be in place and what information should be made public.

Another protection could be a new taxonomy of risk - highlighting the new issues of the cloud or the old issues that may come in new guises.

The cloud is attractive to organisations for different reasons – whether they be governments, enterprises, SMEs or individuals. But this doesn’t negate the need for conventions for cloud computing and security. This could be as simple as a combination of checklists, standards and certifications. Suppliers could be engaged on the basis of checklists - perhaps at differing levels of security, starting from a gold standard, silver, bronze and so on.

A possible approach would be to apply an ISO 27001-type standard to the cloud, although that could just add complexity.

Another possible approach would be to bound the cloud in some way. However this would undermine the purpose of the cloud and cost and management considerations could limit what could be done anyway.

There are some things that appear to be prerequisites for success in the cloud:

  • A common legal framework between the user and supplier environment;
  • Open standards;
  • A clear understanding of service model needed between client and supplier;
  • Clear governance to underpin it all.


Cloud computing as a term could be seen as marketing hype - but it is a real way of working that can be utilised correctly. The principles of good governance don’t change.

The drive is apparently very simple at the client end: lower costs and increased agility.

There are potential problems to address though. The cloud definitely has a low entry cost, but the whole life calculation hasn’t really been done. At the moment the key players in the cloud have gone into it for very specific and differing reasons, which may bring later standardisation problems.

Cloud computing is a significant opportunity along the road of convergence and commoditisation, operating the business as a complex adaptive system, and achieving the ultra-efficient service engine.

It is time to become resourceful once more and manage not just technology and process but also [and most importantly] business needs and outcomes. We need to go into these developments with eyes open, so what do we need to know?

  • We must protect business, so;
  • We must know enough to assess the risks;
  • We must agree safeguards and establish responsibilities;
  • We must negotiate guarantees from providers, and;
  • We must derive business value from the new opportunities being presented;
  • We must protect citizens through better legislation (which must be globalised or at least countries that do not embrace commercial legislature should be excluded from the globalisation process);
  • Service providers must protect themselves through process, standards, standardisation and certification.

Those in the debate had a generally positive view: it will be the opportunities and not the difficulties that will prevail.

Further reading: http://www.roughtype.com/archives/2009/11/cloud_computing_1.php