Andy Smith FBCS considers the use of cloud services and the sometimes false sense of security that they can give to those who take them on as part of their organisation’s normal day-to-day operations.

The theory of cloud computing has been around since the 1965 Rough Type article on Western Union. But it is only the culmination of high-speed networks, virtualisation and modern computing architectures that has made cloud viable for the mass market.

So what are the risks with cloud computing? Cloud computing can mean different things to different people. For some it’s a set of applications and services hosted outside of their organisation and shared with others to save cost and improve flexibility. For others it’s about shared applications and the processing of data outside of their remit and the control of the organisation, thus increasing risk. For some it’s seen as a chance to get things very wrong.

Use of cloud services within an organisation can allow significant savings including hardware, electricity, administration overhead, and licensing costs. Private cloud can also help improve the organisation’s security posture by allowing all the servers to be housed in secure environments and properly managed by a few trusted staff, rather than having servers hidden in closets throughout the organisation.

However, public cloud services can offer even more significant savings by sharing the environment with other organisations. Services such as Google, Amazon and Oracle allow organisations to outsource management and operation of key applications and services, reducing IT overheads while offering better productivity. However, as with anything in life, it comes at a price, in this case an increased risk profile.

Risk factor

There are significant risks with putting the organisation’s crown jewels in a cloud service. As long as these are understood and managed correctly, outsourced cloud services are a viable option. However, get it wrong and the organisation could be open to unexpected costs from legal actions, fines or clean-up costs that render moving to cloud nugatory.

There are a few key things to consider when using cloud services. Legal and regulatory compliance is obvious; however, evidencing due diligence and duty of care to customers and staff is also important. You need to be able to answer questions such as:

  • Who is liable if things go wrong?
  • Do the contracts place the risk on the supplier; do they cover all of the risks and can the contracts be enforced?
  • Do the laws in the country where the cloud services are hosted allow the government access to your data (e.g. Patriot Act)?
  • Can you evidence due diligence and duty of care to regulators and customers?
  • Is the audit and accounting information available and sufficient to be used for evidential purposes in legal proceedings, both to prosecute and defend your organisation?
  • Can you perform all required functions such as fulfilling a subject access request?
  • Does the insurance cover data being stored in third-party systems and other countries?
  • Is the infrastructure between the organisation and cloud provider up to the job?
  • Is the access control still completely under your control?
  • Are there full business continuity and disaster recovery capabilities in place and have these been tested?
  • Who has access to your data? Does the cloud provider use follow-the-sun support with administrators in multiple countries; are these full-time staff or contractors, do they have full background checks, and are they working in the cloud supplier’s office or from home?
  • Has a full risk assessment been conducted?

So let us look at some of the key risks with cloud services. The first aspect is legal and regulatory compliance. In the UK, the rest of Europe and, increasingly, the rest of the world, data protection and privacy are a key compliance requirement. Some countries such as Russia are now mandating that personal data is collected in-country, which renders cloud services hosted in another country unusable.

This is in addition to other compliance requirements such as those from financial services. If an organisation has any element in the United States it may be subject to Sarbanes-Oxley (SOX) for the whole organisation, for example. There are also requirements around retention of data which need to be considered. Compliance is a very complex area and needs to be checked as part of any project initiation.

Managed services

Managed cloud services help alleviate some of the risks associated with public cloud services. For instance, a virtual private network (VPN) can be configured between the organisation’s offices and the managed cloud data centre, allowing secure communication even over the internet.

The chances are that moving to a cloud service will mean that all of the organisation’s applications and data will reside in one or two countries. If this covers human resource and finance systems, housing them in Europe or the United States makes evidencing regulatory compliance relatively straightforward.

Hosting cloud services outside of these jurisdictions can become quite complex. Before outsourcing to Asia or other areas it is critical to understand the evidential requirements, including the audit overhead of demonstrating compliance to regulators.

This is not only critical with the actual hosting of the cloud services, but also with the support and maintenance. Some cloud providers will host their services in the UK, but the helpdesks and the administration staff are in India or other countries. Given that administrators may have access to all of the organisation’s data, it is critical to make sure the contracts, access control and accounting are all in place to ensure the cloud provider’s staff do nothing nefarious with your information.

Retaining control

One aspect to note here: while you may choose to outsource some or all of your applications, you should not outsource the access control. It is really important to retain control of the keys to the castle. This can be done using single sign-on capabilities and federated identity. The key aspect is to keep the adding and removing of user access in-house and controlled by your own staff.

It is also critical to understand that you can outsource responsibility but you cannot outsource liability. Making a cloud provider responsible for protecting your information in a hosted environment and using security controls to manage the risk all helps. But at the end of the day, if something goes wrong, you will still be held legally liable and it’s your organisation that will end up on the front page of the paper, not the cloud provider.

Insurance is another corrective control, but this needs to be carefully checked to ensure that it covers data being moved to a third-party provider. It has been known for organisations to have insurance which covers all of their systems within the organisation, but when they moved to cloud services they failed to update the insurance to cover this. The result is claims being rejected because the insurance did not cover the information being stored in other countries.

Redraw the boundaries

Another concept that has been around for a while and is clearly prominent with cloud services is the idea of disappearing borders. Years ago when all computing services were within the organisation it was very easy to draw a scope boundary around all of the computing services, with clearly defined boundary connections to third-party networks and the internet.

With the move to cloud services, outsourcing and offshoring, it is now very difficult to draw a scope boundary. It therefore becomes much more important to protect the data elements rather than trying to protect the boundary. There is still a need for secure gateways where the organisation connects to the internet or other public networks, but even here VPNs can be tunnelled over the internet, providing cost-effective connectivity between locations, but extending the boundary as a result.

Encryption is an excellent control for the protection of data and encrypting data elements means that wherever they are stored they should be protected from unauthorised access. VPNs are a good example of data in transit encryption and it is relatively straightforward to configure encrypted tunnels over public networks (e.g. the internet) or even private networks. Basically, unless a network has some form of formal assurance, then encryption should be used.

Encryption: When and why

For data at rest encryption there is one simple question: ‘If this information gets compromised or stolen, will it remain encrypted?’ This is the first thing most regulators will ask if personal information is lost. However, it does not only apply to personal information, it also applies to financial and other regulated information.

If the business requirement is to ensure any information that is compromised remains encrypted, there are a few things to consider. With modern computers, there is no excuse for the storage and any removable storage not to be fully encrypted. On most modern operating systems, encryption is provided as standard. With most smart devices the same is true. These should always have encryption enabled and strong user authentication configured.

There are a number of products available to ensure that email is encrypted both in transit and at rest. Using such tools ensures that emails sent to the wrong person or emails stored on a cloud service remain protected. Even if the email system does not support encryption, standard tools such as WinZip and PGP can be used to encrypt attachments before they are sent. This also means that files stored on a cloud service remain encrypted and can only be accessed by authorised users.
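As an added illustration (not part of the original article), the sketch below is a pre-upload check that asks ‘will it remain encrypted?’ of each file before it leaves for a cloud store, recognising the two formats mentioned above. It goes slightly beyond the text by separating AES-encrypted ZIP members (compression method 99) from the weaker legacy ZipCrypto scheme; the function names and the sample data are hypothetical and constructed for the example.

```python
import io
import struct
import zipfile

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
AES_METHOD = 99  # WinZip AES members carry compression method 99


def classify(blob: bytes) -> str:
    """Say how a file bound for cloud storage is protected at rest."""
    if blob.lstrip().startswith(PGP_ARMOR):
        return "pgp-armored"  # binary (unarmored) PGP is not recognised here
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return "plaintext"
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        members = [m for m in z.infolist() if not m.is_dir()]
    if not members or any(not m.flag_bits & 0x1 for m in members):
        return "zip-unencrypted"  # at least one member is readable as stored
    if all(m.compress_type == AES_METHOD for m in members):
        return "zip-aes"
    return "zip-legacy"  # encrypted flag set, but the weak ZipCrypto scheme


def may_upload(blob: bytes) -> bool:
    """Gate: only strongly encrypted files may leave for the cloud store."""
    return classify(blob) in {"pgp-armored", "zip-aes"}


def sample_zip(encrypted: bool = False, method: int = 0) -> bytes:
    """Constructed sample: a stored ZIP whose central-directory header is
    patched to carry the flag/method an encrypting tool would write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("extract.csv", "id,name\n1,example\n")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory file header
        flags = struct.unpack_from("<H", raw, cd + 8)[0]
        struct.pack_into("<HH", raw, cd + 8, flags | 0x1, method)
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in [("csv", b"id,name\n1,example\n"), ("zip", sample_zip()),
                        ("zipcrypto", sample_zip(True)), ("aes", sample_zip(True, AES_METHOD))]:
        print(label, classify(blob), may_upload(blob))
```

The check reads header metadata only, so it confirms that a file was encrypted and with which scheme, not that the passphrase or key behind it is strong.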

Some encryption, however, can give a false sense of security. For example, when using a cloud service, it may seem sensible to encrypt databases. However, if the applications have unrestricted access to the data and the administrators have authorised access, then encrypting the database will not provide the protection expected; no one will steal a 60kg SAN.

It is much better, and usually more cost-effective, to ensure that any reports or extracts from the applications or database are encrypted and that unauthorised data mining and extracts are not possible.

In conclusion, cloud services can provide significant cost savings, but they do change the risk landscape in unpredictable ways.

It is vital that a comprehensive risk assessment is performed and the whole service looked at holistically, covering: physical, personnel, governance, contractual, compliance, policy and process and technology risks.