Migrating an organization’s data and assets to the cloud is not a decision that comes easily, particularly for enterprises that have legal and privacy concerns when outsourcing to a third party. Even in cases where the decision has been made to explore moving in that direction, the process should be diligently undertaken because of the complexity of understanding what it all means, say cloud security experts.
This usually requires asking questions that would first determine what need the cloud service would fill, and then understanding the implications involved, according to a white paper published by the Cloud Security Alliance (CSA). In assessing the pros and cons of moving data to the cloud, the author, Sichao Wang, cited the Amazon and Sony meltdowns in 2011 that brought both of their respective cloud service infrastructures to their knees – at least for a time.
His point was that cloud service providers need to implement a performance management system that proves the delivery infrastructure can fulfill the service agreement with the client. This includes handling these types of outages by offering security monitoring and assessed recovery time to ensure that cataclysmic losses don’t ensue.
Simon Robertson, senior cloud consultant for PTS Consulting in London, agrees with the principles outlined in the white paper, titled ‘Are Enterprises Really Ready to Move into the Cloud?’ He suggests that an organization must first address the right questions internally before seeking out a provider.
“Each organization essentially has a cloud profile”, says Robertson. “Take their applications, servers, and infrastructure, and map those against the criteria to moving to the cloud. Doing that mapping would allow an organization to assess how ready they are to move to the cloud and the sort of approach they should develop.”
An example of this can be found with a large unnamed media organization Robertson consulted with. The company had a clear three-year road map on moving certain applications to the cloud, and wanted to make sure everything was in place with both the internal infrastructure and external services. Together with other resources and the teams in place to support the move toward the cloud, it was felt that a considerable migration could be undertaken.
“The way they went about it was to move the non-critical apps first”, he explains. “The benefits they achieved – such as being able to access information virtually anywhere, anytime and on almost any device – afforded them the capability to increase the level of collaborative work. They also moved their service desk and even some CRM apps to the cloud, providing certain employees access with far less constraints than they had previously.”
However, this scenario doesn’t quite play out the same way for other organizations, Robertson notes. He believes one thing that has the potential to either stifle migrations to the cloud or not deliver what end-users expected is the compromise between what is a traditional outsourced service and what the cloud can deliver.
Another organization he consulted for wanted to deliver cloud-based communication services, like phone, voice mail and unified communications, among others. The problems it experienced centered on the fact that the organization assumed it could get everything it wanted from the cloud provider.
|"Like anything in IT, security is usually the last thing people think about"|
|Michael Jordon, Context Information Security|
“They were surprised when they got back the results”, he says. “It was a case of: You can have what we’ve got to give you, you can have all these wonderful extensions to the service, but what we’ve got is the core bit, and we’ll give you the core service. If you want the extensions, you’ll have to pay a lot more for us to develop them.”
This highlights the compromise between what’s available and what the provider can actually deliver at an acceptable cost, he adds. This particular company didn’t complete the procurement, took a step back and decided to rethink how to proceed.
As director of security and privacy in the IT consulting arm of Protiviti, a global risk and consultancy firm based in London, Ryan Rubin has seen several of these cases himself. He adds that it’s important for a company to understand what kind of data it wants to migrate, to gain a better understanding of how dependent it will be on the cloud provider.
Outsourcing the Cloud
The legal requirements governing how data is managed after a cloud migration has taken place is another key factor. By using a cloud provider, an organization would ostensibly extend those requirements and responsibilities onto them, though the real risk remains with the organization.
“They can have standard compliance checks done against a provider, but because they’re using an additional layer of technology within a cloud space, there will be additional measures that need to be thought through”, says Rubin. “The other side of this is if cloud providers are outsourcing tasks to other third-party cloud providers, which brings up questions about access and transparency.”
He goes further in pointing out that some cloud providers will buy bandwidth or other resources from third parties. This raises an issue with compliance because it becomes difficult to pinpoint where the data actually resides, or which systems are actually being used as part of the cloud service when so many different dependencies come into play, Rubin says.
Things would become even more tenuous when data privacy and the provider’s viability are taken into account. In the event that they go out of business, there must be provisions in place to secure the data. This is a crucial contingency to address before any data is migrated over, Rubin argues.
Once it’s there, providers need to be thorough on the hardware and server infrastructure side as well, says Michael Jordon, research and development manager at Context Information Security, an independent consultancy firm also based in London.
He co-authored a detailed report posted on the company blog titled, ‘Dirty Disks Raise New Questions About Cloud Security’, wherein they examined and explained a number of vulnerabilities certain firms faced because of improperly provisioned hard disks from cloud providers.
Context was given permission to perform limited testing on their virtual servers for the report, and one of them focused on determining the level of separation between virtual servers, through memory and disk analysis.
|"Each organization essentially has a cloud profile"|
|Simon Robertson, PTS Consulting|
Unintentionally, the research discovered dormant data that wasn’t installed on the virtual server. Chalking it up to just a ‘dirty’ operating system image, a second virtual server was created and tested, yielding completely different data that was nowhere to be found on the server itself. The report concluded that the issue arose from how the providers provisioned new virtual servers and allocated storage space.
“We called them ‘dirty disks’ because they had other people’s data on them and hadn’t been wiped properly”, says Jordon. “One of the main drivers for cloud computing is that it needs to be as cheap as possible from a hardware perspective. Spending time cleaning disks has a cost, in terms of hardware performance and provisioning. Certainly one aspect was that the overhead of providing that level of security may have been neglected without fully considering the implications.”
He contends that the cost comes from the fact it could take many hours, CPU power and hard disk activity to wipe it properly, which adds to the overall price tag. He doesn’t believe organizations are cutting corners purposefully, since they view it more as an efficient, affordable and timely process, albeit without considering the security side of the equation.
“If you look at the range of different data they’re putting in the cloud, organizations need to think harder about more sensitive or critical data being sent over because of the risk of being compromised up there”, says Jordon. “The implications could be that a small informational website in the cloud could suffer reputational damage as the worst case, but an entire online bank going up in the cloud is putting the entire business at risk.”
He acknowledges that there is at least some understanding from some companies that cloud providers don’t necessarily provide full security, and some are even candid about it. Even so, these organizations need to understand what kind of security they will actually receive and how it’s provided.
The process of reviewing, testing and proper cleaning must be diligent, Jordon adds. There will naturally be a trade-off between convenience and vulnerability, except he warns that there could be an underlying issue of moral hazards that must also be considered.
Once data is migrated over, the risk and reward go up to the cloud with it, Jordon says. The key is to look at the technology, understand the security measures in place, determine who is responsible for any loss or outage, and ensure that testing underscore all those things.
“Companies, regardless of their size, have to ask the right questions when considering migrating data to the cloud safely”, he cautions. “But like anything in IT, security is usually the last thing people think about. Businesses operate based on the risk and reward associated with costs, so money is going to drive it all at the end of the day.”