Cloud Security - Five Things that Should Never Go Into the Cloud (Part 1)

by [Published on 21 April 2011 / Last Updated on 21 April 2011]

In this article, we'll start off with a short discussion about what cloud services are all about, and then look at five things that shouldn't go into the cloud.

If you would like to be notified when Deb Shinder releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

Introduction

Unless you’ve had your head in the sand (or in the clouds?) for the last few years, you’ve been hearing a lot about cloud computing. The “public cloud” is the name given to a collection of servers and services that are hosted in data centers that don’t belong to you and aren’t on your premises. The “cloud provider” who owns and controls the servers can provide a number of services, typically divided into the following categories:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

IaaS, PaaS and SaaS have their own distinct advantages and disadvantages.

Note:
There are many other definitions and descriptions of cloud computing. The “private cloud” is a term that refers to company-owned, on-premise datacenters that use the same technologies (such as virtualization) that cloud providers use. In this article, we will be talking about the public cloud.

The most common vision of cloud computing is that it provides an on-demand, elastic computing resource that can be provisioned and de-provisioned automatically to meet the need of the consumer of cloud computing services; the end result is that the purchaser of cloud computing services receives a “metered service” and only pays for what is used.

Sounds pretty good, eh? Think about it. Your company isn’t an IT company, and your core competency isn’t in IT or information services. Why are you maintaining your own datacenters? Wouldn’t it be better to outsource the management of the IT services you need to run your company instead of trying to maintain them yourself? If you outsource your computing services, you can move the dollars you spend for capital expenditures to operational expenses, and this smooths out your balance sheets, gives you a more predictable cash-flow pattern, and you don’t have to make a big capital outlay for what quickly becomes “yesterday’s technology.”

This is why so many people have their heads in the cloud these days. They claim that IT is “growing up” in the same way that public utilities have evolved over the years. It’s more cost effective and more reliable for a central power company to manage the delivery of electricity to cities, compared to having each home maintain its own generator. The same goes for water and gas utilities. Why maintain your own propane tank and water well when the utility companies have the expertise and financial resources to provide a highly available, world class service?

With “growing up,” however, comes growing pains. There is still a lot of distrust of the cloud in the business world, and for good reason. Probably everyone who’s reading this article has lost some important information at some point in time, because you trusted some online service to store your data and keep it always available. In our family, one of the worst experiences we had with this related to MSN music. When MSN music went away, all the songs that Tom and I had bought from the service over the years were no longer playable on any machine other than the three that were authorized – and there’s no way to unlock these songs, so as these machines got old and died, that music became completely unavailable.

Thus, while there are some great things that the cloud can do for you, there are also some things that you need to be very careful about when you start thinking about a cloud strategy for your organization. In this article, we’ll look at five things that I consider to be too important to trust to the cloud, at least as it exists today.

Identity Management Systems

Your identity management systems enable you to confirm that when a person claims to be a someone, he/she is actually that person. If you’re using Active Directory, then the Active Directory database is part of your identify management system. You might also be using smart cards, biometrics, or one-time passwords as well, as part of a multi-factor authentication system. And you are most likely hosting your identify management systems in-house.

Your identity management system, although not as sexy or cool as some technologies, is the life’s blood of your organization’s security. If the integrity of your identify management system is compromised, everything in your organization is “up for grabs”- and I do mean everything. The entity that compromises your identity management system will be able to claim the identity of anyone in your organization and carry on a wide range of activities under the guise of the person whose identity has been compromised. If that person happens to have administrative privileges, you’re in deep trouble. From the point in time when the identity management system is compromised to the time when incident response is completed, all user activities during that interim must be considered suspect and any information that was touched, as well as any activities carried out on the corporate systems, must be considered to be invalid until an audit is completed.

Are there identity management systems in the cloud now? Sure. Facebook, Windows Live, Google, and Yahoo are just a few, and there are many other smaller players. The big question is: Do you trust these entities and the security of their identity management systems? How many times have you heard about some compromise of each of these providers’ identity management systems that ended up with user names and passwords of accounts being compromised? Given the critical nature of identity management to all of your business processes, you should be very wary of trusting identity management to the cloud.

Core Intellectual Property

When you consider storing critical data in the cloud, there are a number of questions you need to ask:

  • How does the cloud provider secure your data?
  • Do they use NTFS?
  • Do they use EFS?
  • Do they use some other method of encrypting information while it’s on the disk?
  • What about information existing in memory on the servers? Is there a way to compromise the data while in memory?
  • If a machine crashes, does it dump memory contents to disk which can be retrieved by an attacker?
  • How do they protect the information when it’s in transit between your clients and their servers? Are they using SSL? TLS? IPsec? Some other encryption protocol? Can an attacker located between you and where your core intellectual property is stored intercept that information “on the wire” and replay the sessions and gain knowledge of the contents of the communication?
  • Is the data itself secured? What if an authorized user gains access to core intellectual property and then decides that he wants to derail the company by sending that data to a competitor? Does the cloud provider enable rights management for all information stored in the cloud?

Unlike your intranet, where you are using IPsec, TLS, NTLS, EFS, BitLocker, and Rights Management Services, you may not know whether all of these security features are available when information is hosted by a cloud provider. There are too many vectors of attack for any data stored in the cloud, which makes it a less than ideal place to store any core intellectual property.  After all, compromise of core intellectual property can put you out of business.

Customers’ Personally Identifiable Information

Many of the regulations you may have to deal with, depending on your industry, relate to protection of personally identifying information (PII) of your partners and your customers. There can be some significant negative consequences in the event that someone gets hold of your customers’ private information. This data could be something as simple as the customer’s name, or something as dangerous as compromise of a customer’s social security number or credit card numbers.

This can be challenging. For example, let’s say you provide products or services that can be purchased online. It’s clear that, by the very nature of online sales, customers are going to have to interact with a cloud service to participate in the transaction. In this context, the important distinction is whether it’s your own cloud or someone else’s cloud that is storing this information.

If it’s your cloud, then you have tight command and control over what PII is obtained, what PII is stored, and the lifetime of the PII that is stored in an Internet accessible location. If it’s a cloud provider, you have to ask yourself what they’re doing to secure your customers’ and partners’ PII. Do they have a published policy? If there is a compromise, is there any kind of indemnification? What if you are fined or sued because of mishandling of PII? Does the cloud provider pay the fine, or are you left on the hook for the whole thing? What about damage to your firm’s brand equity? Is there anything the cloud provider can do about that? And does it really help for you to blame your cloud provider?

This is why I believe PII should remain in-house. When something goes wrong, it doesn’t matter whose “fault” it is; all the fingers are going to be pointed at you, so you should make sure that you do everything you can to ensure that PII is protected. When you have the control, you can do everything possible to keep PII safe; if you give it over to the cloud provider, you are limited in what you can do to protect PII.

A Single Copy of Anything

Cloud providers should and in almost all cases will perform due diligence when it comes to backing up information. In fact, many of the cloud providers have very sophisticated methods to duplicate information, not only within their datacenters, but across geographically dispersed datacenters. This means that your information could be located in several locations across the globe, so that if a single datacenter (or several) are taken down, your information will still be available.

Of course, it’s possible that the entire infrastructure of a particular cloud provider can be taken down, so that the entire system becomes unavailable. Of course, this is highly unlikely, since the infrastructures of the better cloud providers are designed for an exceptional level of availability. But it could happen. A more likely possibility is that the cloud provider goes out of business, is acquired, gives up on its cloud ventures, or is attacked by a disgruntled employee.

The key takeaway here is that, as with your on-premises datacenter, you don’t want to have only a single copy of anything. I often see people who should know better, leaving a single copy of important information in a cloud service provider’s systems. They think that the cloud provider has some kind of magic that will make sure that data is never lost, mostly because of the size and reputation of the provider. But I’m sure you’ve seen many reports in the media about email and other data that one cloud provider or another has lost and never was able to restore.

If you use a cloud provider, make sure that a copy of everything that’s stored in the cloud is also stored in your own datacenter. I guarantee that you’ll be able to bring your own systems online much faster than the cloud provider, who must service thousands of customers, can bring your information back online after a disaster.

Any Information that Must Always Be Accessible

In the United States, we have long had the concept of “dial tone” access. What we mean by this is that no matter what, you would always be able to get a dial tone so that you could make a call. The power might be out, but you would always be able to get a dial tone on your POTS (Plain Old Telephone System) line so that you can call for help. There are a number of historical, political, and regulatory reasons and background for the “dial tone” concept – but the bottom line is that dial tone meant that the telephone line was always available. The reality of this is changing with the advent of Voice over IP (VoIP), but the expectations remain the same.

Cloud computing, at its base, makes the (currently false) assumption that the Internet provides a similar dial tone experience. In order for cloud computing to work for a business, that business must always be connected to the Internet and the cloud provider must always be connected to the Internet, too. The cloud providers are more likely to always be connected to the Internet because they are generally pretty sophisticated when it comes to high availability for Internet connectivity and they also are going to have multiple and distributed points of presence. The problem with the lack of dial tone for Internet connectivity is for the businesses that need to connect to the cloud provider. Many businesses’ Internet connections are nowhere near “dial tone” quality.

If you have information that must always be available (for example, patient charts that include the patient’s drug allergies), you should never put that information in the cloud. It’s not a matter of whether the Internet connection is going to go down; it’s a question of when and for how long. If someone dies or is seriously injured or loses a large amount of money because the Internet was not available, that irate customer is not going to seek redress from your cloud provider – they are going to go after you. And as with the PII issue, it will do you no good to blame the cloud provider, as it will be assumed that, as part of your due diligence, you knew (or should have known) that the Internet connection was not “dial tone” quality and that a disconnected state would be inevitable at some time. For this reason, never put information that always needs to be accessible into the cloud.

Summary

In this article, we started with a short discussion about what cloud services are all about, and then took a look at five things that shouldn’t go into the cloud. Like all opinions, the opinions shared in this article are my own, and you’ll find that other experts in cloud computing may have different opinions. I recommend that you read articles by authors with divergent opinions and then come to your own conclusions regarding what your level of risk tolerance is when it comes to the cloud. Then work from that point to create your cloud computing strategy. And lest you think I’m anti-cloud, in the next article in this series, we’ll look at five things that you should put into the cloud – sooner rather than later. See you then! –Deb.

If you would like to be notified when Deb Shinder releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

Advertisement

Featured Links