Get your head in the Cloud
Cloud computing may still be too new a technology for anyone to know how secure it is compared with traditional systems. But a few recent, well-publicized attacks involving celebrities have highlighted the risks of Cloud storage. In addition to data breaches caused by hacking, information security officers have many risks to consider, including issues raised by trans-border data flow.
For some, the business advantages clearly outweigh the security concerns. For others, a bit more wary, the choice is more difficult.
“I believe companies have to invest in the Cloud,” says Suzie Smibert, director, information systems security and CISO, at Vancouver-based Finning International, a distributor of Caterpillar equipment that employs more than 14,000 people globally. “This is our direction.”
For businesses that are local and have a limited geographical footprint, she says, it may make sense to have gear on premises: they don’t need to consider purchasing equipment in various countries. For multinational organizations, however, such as Finning, going Cloud-based offers significant advantages.
“It’s reducing the headache of having, for example, to ship gear to South America. Embracing Cloud allows us to be innovating and service our customers much faster because we don’t have to deal with the commodity of maintaining servers and hardware in the various data centres. It becomes costly if you have multiple locations and you need to put things on premises,” she says.
Gordie Mah, CISO at the University of Alberta in Edmonton, says that while the Cloud presents security risks, he believes it does provide definite business benefits. In addition to lowering costs, the technology offers ease of management, administration, initiation and deployment.
“For the university, for example, there are very reliable, stable and effective solutions that are essentially turn-key in the Cloud. And it precludes the need to attain that expertise in house and to have to expend resources to develop that infrastructure and maintain, manage and upkeep it.”
Owen Key, CSO and CISO for the City of Calgary, says the benefits of the Cloud depend on the organization and maturity level of the information technology platform of that organization. Small organizations will adopt Cloud technology much more easily and seamlessly than larger, already mature organizations, such as the City of Calgary.
While the city has a robust IT department, there are pressures to move to Cloud solutions to take advantage of their ease of adoption and to meet business needs more quickly.
“I think for larger organizations such as ours, there is a hybrid model to be had. Certainly, we have pressures from business units who want to look at Cloud solutions, and there is a push from large vendors to the City of Calgary to push our services onto the Cloud. But we have challenges in terms of personal information, intellectual property and critical systems,” he says.
“So, am I anti-Cloud? No, certainly not. I am a realist and think it inevitable that we will have that large hybrid solution between on-premises and off-premises solutions.”
A recent study by Microsoft reflects a reluctance of Canadian companies to move their systems to the Cloud. It found that 85 per cent of Canadian businesses have not moved “beyond very early incremental adoption” of Cloud-based technologies. The study also concluded that security concerns were a central reason for this reluctance: 52 per cent of executives surveyed had concerns about data security in the Cloud.
Reliability and security, Mah says, depend on the service provider. The larger, more experienced and well-known Cloud-service providers have proven to be extremely reliable with regard to availability, failover, backup management and resistance to cyber threats and attacks.
“There’s a wide range of providers and various scales and levels. And there are more and more that are rising to the top and becoming known; it shows in their large list of customers and the growth of their organization.”
Smibert agrees that reliability depends largely on the service provider the organization selects. Cloud providers can be very reliable, but organizations must do their due diligence, evaluating service reports and using the SOC (Service Organization Control) report and the SSAE 16 (Statement on Standards for Attestation Engagements) to assess the provider. They should also make sure they have good contractual agreements with the provider.
“Putting your data in the Cloud doesn’t eliminate your accountability in ensuring security. But you have to increase your vendor management practice and include an information security component when you select your Cloud vendor,” she says.
Tom Jolly, VP, managed IT and Cloud services at Vancouver-based Telus, says Cloud technology is as reliable as, or even more reliable than, on-premises data management. However, it’s a mistake for customers to think that, once they’ve subscribed to a Cloud service, their provider will handle all their security concerns. There are many different service models, and security responsibilities often fall to the customer. It’s essential to draw a very clear demarcation with the service provider about who’s managing what.
“It’s about understanding what you’re subscribing to and making sure that potential areas of risks — like making sure your operating system is patched on a regular basis with the latest patches — is actually occurring and you’re not just thinking the service provider is doing it when in fact they think you’re doing it.”
Jolly says businesses should also distinguish between their data that must remain secret and other kinds of data that could become public. For the former, it will be worth investing in the highest level of security, while the business may not want to spend a lot securing the latter type.
“Make sure you understand the choice that’s in the Cloud, whether it’s private/public, whether it’s on shared infrastructure and whether, in some cases, the data may need to be on dedicated infrastructure. Understand how you and the service provider are managing the risk,” he says.
Mah, who agrees with the study that Canadian companies are reluctant to invest in the Cloud, says it is largely because many of the data centres where data is hosted are located in the U.S., not in Canada.
“One of the key critical showstoppers is still the legislative and compliance aspect,” he says. “The current legislative climate is still very adverse to trans-border data flow, where data in another jurisdiction may be subject to unauthorized and inappropriate disclosure and access to their government and law enforcement bodies.”
Reluctance to adopt the Cloud comes more from security professionals and IT departments, Key says, than from business units within organizations. For IT departments, the technology represents an erosion of their kingdoms. From a security perspective, he says, while concerns are partially mitigated by measures such as proper indemnification and insurance (which transfer risk from the organization to the service provider), other risks remain.
“There is a reputational risk to mitigate if we lose data because our clients — in our case, our citizens — don’t care whether we’ve subcontracted to an outside party. It’s going to be the city that lost their data,” he says.
Smibert, too, believes much of the reluctance to move to the Cloud can be attributed to IT departments. Internal business stakeholders want to procure a Cloud-service offering, and, often, they bypass IT and buy it directly.
“And your business might already be in the Cloud, and you don’t know it,” she says. “I believe Canada is behind. The Canadian IT are behind. We’ve been too scared of embracing the Cloud.”
There is also fear-mongering about the Patriot Act, she adds, in part a product of a lack of education. IT personnel often don’t understand privacy law or are not working closely enough with their internal privacy office to understand measures they can take to protect their data, like having proper contractual agreements or leveraging data centres in different geographical locations.
“If the privacy and security officers don’t work together to understand the regulatory landscape, they might be absolutely risk averse to embracing Cloud,” she says.
One way for companies to safeguard against disclosure risks, and thus reduce the reluctance to move to the Cloud, Mah says, is through the encryption of data stored by the service provider. This control requires that encryption is adequate and strong and that the organization retains sole control of the decryption key.
This solution, however, he adds, is often cost prohibitive and may involve too many extra steps for an organization or employees to make it practical.
“It’s one thing to say on paper the solution lies in Cloud encryption and management of the decryption key. It’s another thing to find transparent solutions, to actually achieve it,” he says, adding there are today many vendors working to try to develop those solutions.
“They know that it’s definitely a niche that can be profitable, and there’s certainly a need.”
Linda Johnson is a freelance writer based in Toronto.