What you need to know about cloud computing
By Dave Tyson
In the early days of security convergence many questions arose about the usefulness, validity and even the legitimacy of this new approach to enterprise security risk. Many sought to dismiss it as the next big fad, or little more than prescriptive twaddle, but today it is clear that convergence has withstood the naysayers and cemented its position in the security universe. But while this internecine battle was raging, “Moore’s Law” was marching on; a new and unstoppable force was meeting the immovable object of innovation. The result? Cloud computing — further proof, if any were needed, that the future is well and truly converged.
Of course, the very nature of computing is changing as we speak. Some may say that this is simply about the ever-present pace of technological change, but the realities of cloud computing — and their consequent impact on security — are quite staggering and constitute a true paradigm shift. If you are a traditional security practitioner, you might be tempted to dismiss such pronouncements as further evidence of the whimsical fantasy of The IT People (who often don’t make much sense anyway!). We urge you however, to keep an open mind on this topic as this is most certainly the real deal and, unless you have a strong working partnership with the IT security folks, you may fail to see this coming in your organization until it is too late!
Cloud computing has many definitions and presents varied possibilities, but let us consider the general premise: you take all of your company’s data, with all its intrinsic and proprietary value and all of its combined worth, and you give it to someone else to store and manage for you. No, not on your servers, but on the Internet! Now think about how you’re going to secure that data when there are no buildings to patrol, no alarms to set, no CCTV to monitor or no security patrols to conduct!
And in the case of a disaster, an incident or a breach, how will you handle the investigation? If you need to get the company’s data back, how will you know exactly where on the internet it is (or was) stored? Will you even have permission to go looking? The answers to these vital questions will all depend on the nature of the contract that has been negotiated by the IT group with the organization’s cloud computing providers.
Why cloud computing makes business sense
Driven by businesses’ need to remain cost-conscious and competitive, cloud computing offers the best economies of scale for technology processing that the industry has seen in years, enabling organizations to remain agile, innovative and cost effective. Imagine your CCTV storage — which today probably costs between $5,000 and $10,000 per TB — being $700 per TB. These are the kind of radical cost reductions we are talking about with cloud. The cost saving could literally be 10-fold at the same time as delivering enormously enhanced flexibility and efficiency. More significantly, cloud can be a dramatic revenue generator by simply offering up computing space on the Internet to anyone who chooses to locate their systems there; in effect, providing space and processing that you’re already paying for!
Cloud computing has been defined as “fluid capacity” computing or the separation of your data, applications, and services from your dedicated hardware, but, however you define it, it’s important to understand what it can mean for your organization. In simple terms, fluid capacity means only using the exact amount of storage and processing power that you need at any one time, and then using someone else’s storage and power. This means that an organization only pays for what it uses, not for the rest of the infrastructure that it normally has in place… like software and servers, networks… or the buildings and departments and staff… or, of course, physical security!
As security professionals, we all accept the logic and wisdom of building security into a program as an integral part of a process (as opposed to bolting it on afterwards), and similarly, if we are to meet these new challenges, we need to be proactive in identifying and defining the security issues surrounding cloud. To that end, the formation of the Cloud Security Alliance was recently announced at RSA in San Francisco. The Alliance has developed a guidance document that identifies and discusses 13 distinct and separate security domains. (It can be downloaded at cloudsecurityalliance.org.)
Much of the initial work undertaken on behalf of traditional security practitioners under this initiative has been led by former ASIS president and chairman Jeff Spivey. Make no mistake, this is the “bleeding edge” of physical security work, and Spivey is leading the charge for all of us.
Asking the Important Questions
There may still be a number of uncertainties surrounding cloud, but one thing is clear: if your role has any level of responsibility for the protection of data, for securing servers and hardware, for privacy or addressing the legal ramifications of gaining access to information, or even if you need access to data for investigations, your life is certain to get a lot more complicated.
Consider the following scenario: Let’s say that today your company’s servers sit in your data centre, or a co-location facility where you control access to your dedicated space. You can monitor your cameras, determine access to the space, respond to incidents, and vet the staff and contractors who enter the area. Under cloud computing, however, your data may be sitting on the Internet behind someone else’s firewall, in their data centre, on their servers, or may be backed up in a completely different country to the one in which your organization operates. How will your security policies apply in this environment? While many people across an organization may currently hold responsibility for protecting data both on the servers and in the buildings, the realities of cloud security force us to address an entirely new set of risks in the security risk assessment and controls planning process.
The Guidance Document prepared by the Cloud Security Alliance identifies a number of issues that need to be addressed and poses a number of questions for organizations and security professionals:
• Your organization’s security requirements may be very different from other cloud customers’, yet your data may be stored on the very same servers; it is important to ensure that your cloud provider meets your own security requirements.
• You will almost certainly need to apply your firm’s security policies in the cloud provider’s environment. This may not be a simple matter. For example, data may be stored in, or moved to, a country where some of your controls (like encryption!) are not permitted.
• Physical and logical access is not likely to be integrated in this new world. You will need to address this issue if you are to avoid undermining your new converged access control system!
• What new roles and responsibilities will you now inherit in your organization — and in the cloud?
• The ability to audit security on the contract may be severely limited, or may demand a new approach to ensure the continued effectiveness of this function.
• Outsourcing will most likely lead to the inconsistent application of security controls across environments. So how will you achieve conformity of approach and consistency in addressing risk?
• How will the cloud affect your disaster recovery, business continuity planning, crisis and emergency management programs and, in the event of disruption, how will this impact your company’s ability to get back on its feet and continue business?
• How will you enforce your organization’s screening process for vendors, employees and sub-contractors? Again, will you be able to achieve conformity of approach and maintain adequate controls?
• Is there an appropriate segregation of duties? And how is this implemented and policed?
This is far from an exhaustive list. As you can see, the questions are many and significant, but all will need to be addressed.
Preparing for the challenges of the cloud
The next big thing will most likely be a spin on the old and familiar “managed security services” for traditional security products and services, only this time in a cloud. Services like Zscaler effectively offer information security monitoring in a cloud (http://www.zscaler.com), so it is probably just a matter of time until someone figures out that it is really inexpensive to offer alarm and CCTV monitoring as well as access control services from the Internet as a managed service, and do so at a significant discount. The question for providers will then be how one competes in this cost revolution and, for purchasers, what potential value an organization can gain from these economies of scale.
The recent financial crisis and economic downturn have placed even greater pressure on organizations to innovate and find new ways to reduce costs, sometimes in previously unpredicted areas. Cloud computing would seem to fit into that space perfectly. Such innovation can deliver the added benefit of freeing up staff to perform higher-value tasks. Or it can bring with it further downsizing and job losses!
The early discussions on convergence saw many seek to dismiss, or ignore, the idea because few had actually done it and the benefits were not then immediately apparent. It would be unfortunate if we treated the cloud in the same way.
Sound scary or complicated? Start by asking a simple question of your IT leaders: are we ever going into the cloud?