In the rush to take advantage of cloud's benefits, businesses must properly manage the risks of handing over data, systems, and infrastructure to a third-party. As with any risk management process this is a challenge for the board as much as for the technical security team.
Security keeps cropping up as a (if not the) major obstacle to cloud adoption — whether it’s applications or infrastructure that is hosted in a private, hybrid or public cloud environment.
But are concerns about security in the cloud misplaced? Evidence in the 2013 Data Breach Incident Report from Verizon (which also owns cloud provider Terramark) suggests it is. Based on 47,000 breach investigations in 2012, Verizon notes that "attacks against virtualisation were not present, but attacks against weakly configured devices that happened to be hosted in an external location were common — but not more common than among internally hosted ones."
Do CIO's agree with these facts? Yes and no. For every CIO who believes cloud security concerns are overrated, there's another who believes cloud security issues are very real.
However, whether security concerns about the cloud are exaggerated or not isn't the question under discussion here. The key issue for businesses considering moving a workload to the cloud is to quantify and address risks; from assessing which applications or infrastructure can be moved to the cloud with an acceptable level of risk, to how they will be protected once moved.
Cloud security: Same concept, different implementation
While the same concepts behind on-premise security management apply in the cloud, there are nuances in their implementation that may escape the board-level view, but could nonetheless be vital.
For example, customers may find security tools they're familiar with on-premise are stripped back in the cloud. Network access controls are just one example.
"Network access controls are typically far more basic in the cloud compared to physical architectures, and the tools used to manage the access controls are also more basic. This can lead to poorly implemented network access controls that lead to unnecessary access to systems and services," said Ty Miller, founder of security firm Threat Intelligence.
"Physical security appliances ensure high performance and can be made highly scalable with low level networking to load balance packets across multiple security devices. Cloud environments are designed to be scalable, but some virtual security devices don't have the same performance as their hardware equivalent."
So how should businesses go about security risk management when considering cloud service providers? Those considering the cloud can be confronted by providers that only offer opaque visibility into how they manage security and data. But isn't that scenario also true when assessing a provider of closed-source software or an outsourcer that offers assurances based on service level agreements?
The customer needs to build a framework to assess a provider and compare them with rivals but not overburden the provider with assurance requirements. In the end, the rigour of the risk assessment process comes down to the depth of research a buyer is willing to go into ahead of making a commitment.
"The first thing we're talking to clients about is that not all clouds are equal," said Intelligent Business Research Services security analyst James Turner.
"A prospective buyer should research what the cloud vendor is prepared to commit to. Most cloud vendors have realised that committing to SLAs has to be a token gesture that immature buyers will pay attention to."
Different maturity levels on the buyer-side explain why, in a recent survey (pdf) by cloud-management vendor RightScale, a third of 'cloud beginners' saw security as the major obstacle to moving to the cloud, but only 13 percent of 'cloud focused' organisations (those that make "heavy use' of cloud) shared that view.
"Mature buyers will know that no amount of service credits can ever replace the business impact of a cloud failure. Cloud vendors are in the unenviable position of offering to provide outstanding business service and at the same time, putting themselves on the hook for protecting their customer's information assets," said Turner.
The mega-bug outlier and the perennial question of data sovereignty
Last week's discovery of a security hole, dubbed Heartbleed, in OpenSSL should give pause for thought to anyone weighing up risks in the cloud. Implementing OpenSSL on a web server should have provided encrypted communications over the internet, but instead, could be abused to leak user passwords, private keys and session tokens.
The flaw affected components of on-premise systems, private clouds and public cloud providers. But it has different ramifications for the buyer, signs that a service provider supports good security practices turned out to be a major vulnerability. How does a buyer asses that?
Before Amazon Web Service applied the Heartbleed patch, its elastic load balancers were vulnerable to the bug.
Microsoft's popular web server IIS is immune to the bug, but it's not uncommon today to rely on a cloud provider for backup services, such as Amazon Web Service's (AWS) Elastic Load Balancer.
"There are definitely lessons that have been learnt via the Heartbleed vulnerability in relation to risks introduced by cloud providers," Ty Miller, CEO of Threat Intelligence told ZDNet.
"The AWS load balancer could still be exploited to capture your private SSL certificates, and potentially usernames, passwords and session cookies."
Fortunately, bugs like Heartbleed don't come along every day. A more persistent issue has been data sovereignty and the fuzzy legal risks that come with shifting data to a different jurisdiction. It's a deal-breaker for many government agencies and some regulated industries, particularly for those outside the US.
Sweden's Data Inspection Board last year undertook legal action against one municipality and several schools that migrated from on-premise systems to Google Apps. In addition to data sovereignty concerns, Google's standard contract, in the Board's view, gave too much leeway for it to do as it saw fit, which conflicted with the organisations' duties as a "data controller".
The Swedish cloud cases occurred against the backdrop of a much bigger shift within the European Union, which updated its Data Protection Directive amidst calls by some Members of European Parliament to cancel the US-Europe Safe Harbour Act that had allowed some US firms to process data about EU citizens outside the continent.
"As part of any migration to the cloud, enterprises need to ensure they are aware of and comfortable with the locations where the data will be stored and the legal implications associated with those locations," said Craig Searle, head of cyber for BAE Systems' Applied Intelligence in the Asia Pacific region.
These are weighty issues that go past the technical and into the legal and management sphere, and demonstrate why it's so important board level executives are on top of cloud security challenges and exposures.