Infosecurity Europe 2012: The cloud - do you really know what you’re getting in to?

Adrian Davis, research analyst with the Information Security Forum, and Mark Adams-Wright, CIO at Suffolk County Council, joined forces to dispel some of the fear, uncertainty and doubt around cloud computing and services, while pointing out the genuine problems that can arise. “It’s just outsourcing with a few extra wrinkles,” said Davis, adding that for the user it’s a black box over which he has little control.

Adams-Wright agreed, but stressed that you should never allow yourself to be in a simple take-it-or-leave-it situation. “Ask questions,” he said. “Probe. Don’t just get brushed off.” The reason is simple. The cloud is an unavoidable proposition that can bring enormous benefits or cause serious problems. And it all comes down to understanding what you’re getting, and getting what you expect. ‘Due diligence’ was a term that both panelists repeatedly used – but due diligence on both the provider and the buyer’s own company. Companies with a high-risk attitude shouldn’t be too proscriptive about their use of the cloud – so the people buying cloud services need to understand who they are buying it for.

One problem, said Davis, is that the cloud providers are often not as big as you think – they can be “just four men and a dog,” he said. That works when it works; but if the supplier folds, there is nothing left for you to hold liable. Going into the cloud is one thing, but due diligence also means you need an exit strategy if necessary.

Another problem with the cloud highlighted by Davis is the enormous range of cloud services, some of which can be very small and inexpensive. He gave an example. He knew a company where a member of staff simply bought into SurveyMonkey with the company credit card and started gathering personal data which was, “I’m pretty certain,” he said, “against the data protection laws.” Adams-Wright accepted the problem. His approach was to make it a disciplinary offense: no member of staff is allowed to purchase any cloud service without it first being officially sanctioned.

But the bottom line for most people considering the cloud is security. To put this into perspective, consider that a recurring theme at Infosecurity Europe was the idea that companies should consider their networks to be already compromised. Does that mean we should consider the cloud provider to also be compromised? This is where the FUD comes in. “I’m on record,” said Adams-Wright, “as saying, ‘should I care where my data is stored if it’s stored securely?’ And, well, should I care?” The implication was clearly that he shouldn’t: it doesn’t (technically, not necessarily legally) matter where the data is located so long as it is safe.

The same basic principle applies to security in general. It doesn’t matter whether it is applied internally by your own staff, or externally in the cloud. What matters is that it is applied. “Consider whether you can protect your data,” with a couple of staff and a few thousand pounds budget, said Adams-Wright, “better than, say, Google, with its thousands of security experts and millions of pounds security budget.” Which brings the argument full circle. Going into the cloud successfully, reaping the cost benefits without the dangers, all comes down to due diligence so that you get what you expect.

See Infosecurity Magazine’s interview with Adrian Davis and Mark Adams-Wright outside the keynote theater at Infosecurity Europe 2012.
