
Dangers in the cloud

For all the trumpeting of the potential benefits of cloud computing, there's no denying that IT professionals remain widely cautious about it. Most are ready to acknowledge that it can provide some big savings, give customers plenty of flexibility and improve an organisation's green credentials, but many still see an array of risks.

The Information Systems Security Association (ISSA) has made a useful contribution to the debate with the publication of a white paper, The Security Implications of Cloud Computing. It does not amount to a warning against using the cloud, but it provides a clear guide to the risks and outlines a few strategies for dealing with them. It makes an assertion that the supporters of cloud may not want to hear: that cloud applications are inherently more vulnerable to external threats than those managed inside well protected organisations. The potential rewards are real, but it's necessary to strike a balance in dealing with the risks, of which there are several:

Loss of information governance – If you transfer data and applications to a third party you're also transferring some governance issues. Service level agreements and compliance with common security policies have their value, but you are essentially blind to what's going on.

Compliance – This could be a particular problem if an organisation plans to store any sensitive data outside the reach of EU data protection laws. It is unlikely to be an issue in using the G Cloud, but anyone tempted to use a competitively priced service in a public cloud infrastructure would have to look at it carefully.

Isolation failure – By definition, cloud services are multi-tenancy, with customers sharing common systems, storage and networks. There is scope for problems from any security vulnerability or flaw in the hypervisor (the software that manages the multiple operating systems), misoperation of network management systems or malicious activity by other customers. The report says that malware presents a particular risk, as many of the endpoints in the cloud set-up are beyond the customer's control, and there is a danger of others letting it in. The large quantities of data that could be obtained from a breach are no doubt making cloud operations a tempting target for potential attackers.

Legal and political risks – Under the Data Protection Act (DPA), organisations in the UK have an obligation to find information when required by a DPA subject access request, and a similar obligation applies under the Freedom of Information Act. It is difficult to do this quickly when you don't know where all of your data, including the back-up, is physically located. It should also be remembered that many governments assume the right to see or intercept all information held and processed within their borders; the US Patriot Act is one example. Many countries also lack effective data or intellectual property legislation, which could make it harder to safeguard valuable information.

Capacity overrun – A commercially successful cloud operation is going to be highly utilised. This provides the savings and green benefits, but the flip side is the risk that the overall capacity, and a customer's share of it, may not be able to cope with spikes in demand.

Insufficient encryption – In the case of software as a service, it is not possible to keep information encrypted throughout the process, as it has to be decrypted to be processed or used. If any processing is required in the cloud, there is no certainty that nobody outside the customer organisation will see it.

Back-up and recovery – Cloud providers should guarantee that data is safe and recoverable in the event of a failure, but it is often unclear how frequently it is backed up, and whether full recovery would be possible after a major incident. The risk in this area is compounded by the fact that business continuity and data recovery plans can only really be proven when there is an incident that causes data loss.

Reliance on public networks – The report says the internet is inherently insecure, although this may not be such an issue for public bodies with dedicated networks and secure connections.

Critical infrastructure – It also suggests that, in line with a broader trend in the IT industry, one or two vendors could become dominant to the point of becoming the de facto supplier(s) of cloud services. The potential to wreak havoc on the national critical infrastructure could make such a supplier a target for cyber terrorism.

So what are the best ways to deal with all this? One of the key steps outlined in the report is to avoid testing cloud services using critical applications and processes. Cloud is still uncharted territory for most organisations, and it's better to begin with smaller, non-critical applications where the repercussions of problems would not be so severe. An organisation also needs a set of clear policies on cloud computing, and a firm process through which approval is needed to move in-house applications to the cloud. The worst thing that could be done is to let managers and staff take the law into their own hands.

Safeguards can be created by including a 'right to audit' in agreements with service providers, something the report describes as "an obvious must have". In future, it may be possible for the vendors to commission an independent audit review, the results of which could be the basis for a certification of the service. This would be a lot less expensive and time consuming than leaving every new customer to carry out their own full reviews. As things stand it is some way off, but as the market matures it could become a regular customer requirement for cloud services.

Understanding where data will be processed and stored, and the relevant legal and political jurisdictions, can also help. This can be needed to demonstrate compliance with EU and international law, and to address any questions about the whereabouts and security of personal information. Then there is a case for having a clear back-out plan for quickly returning data and applications in-house if things go wrong.

Of course, dealing with the risks comes at a cost, and it is possible that it could outweigh the anticipated benefits. This makes a full assessment of costs and benefits a necessity before a decision is made. The report doesn't pretend all this is definitive, and there's no doubt this is all being taken into account in the development of the G Cloud, but it will provide some serious points to think about for organisations looking to make more use of the cloud. They can make their own judgements about the balance between the promised benefits and the risks.

The ISSA UK will be taking part in Kable's Information Security and Identity Management in the Public Sector conference, scheduled to take place in London on 3 November. The organisation's president will be chairing the event, which will investigate several aspects of the subject. It will combine a look at the high level issues with case studies and sessions on how to deal with specific threats. Among the speakers currently confirmed are information commissioner Christopher Graham, Belinda Lewis, the head of information policy at the Ministry of Justice, and Pete Armstrong, head of identity management at CESG, the National Technical Authority for Information Assurance. More details from www.kable.co.uk/events.

Source: The Guardian
