According to a recent report from the Cloud Security Alliance and ISACA, which examined enterprises' attitudes toward cloud computing, the market has reached a new level of maturity at which enterprises can benefit greatly from adopting cloud infrastructure, platform or software service offerings. Nevertheless, issues around regulations, international data privacy and exit strategies top the list of concerns that undermine confidence in cloud computing.
The CSA/ISACA survey also found that CIOs and IT managers understand the cloud best and are the most involved in driving cloud innovation and decision making within their organizations. Unfortunately, this limits the potential for growth and innovation by perpetuating the view of cloud computing as a technical solution and not a business enabler.
One of the key reasons cloud computing services are growing so fast in popularity is the ease with which they can be implemented. They make it easy to avoid the formal channels that would normally be in place to authorize a new IT service.
The downside of this is that business managers contracting with cloud computing providers may have little or no idea that they are, in effect, implementing a new type of IT service that is unapproved and circumvents existing company policy. Research carried out by the ISF has found that cloud computing services have been implemented ‘under the radar’ by many organizations, with little or no senior management involvement or approval.
Organizations would be wise to pause and consider whether they are unnecessarily exposing themselves to threats regarding information security and data integrity, availability and confidentiality. It is vital that such information security implications are addressed, not purely from a technical perspective, but from a broader business perspective as well.
Business-driven Approach
From a business perspective, cloud computing is a transformational technology that has the ability to provide easy and cheap access to IT services on demand. From an IT and information security standpoint, cloud computing could equally be viewed as a disruptive technology with a potentially significant impact on already overstretched security resources.
The issue is not just that business managers are signing up to cloud services without regard to information security requirements, but that there is a lack of clear guidance on how to secure these services.
In view of this, the ISF report, ‘Securing cloud computing: addressing the seven deadly sins’, outlines a business-focused approach to addressing ad hoc, unplanned cloud implementations. It offers practical guidance and solutions for tackling the following ‘seven deadly sins’ of cloud computing:
- Ignorance – implementing cloud services without the knowledge or approval of senior management or the IT department, and without a full understanding of the potential security risks
- Ambiguity – agreeing to contracts with external cloud service providers without proper authorization or review, and without addressing the security risks or requirements
- Doubt – obtaining little or no assurance regarding cloud providers’ security arrangements and how they will protect a company’s information, leading to difficulty in auditing such arrangements
- Trespass – putting data in the cloud may be illegal: by storing data in unknown locations, organizations may be in breach of privacy legislation and data controller obligations
- Disorder – information placed in the cloud is not classified correctly, stored appropriately or destroyed completely. For highly regulated industries, like finance and pharmaceuticals, this lack of formalized access control procedures could be very damaging
- Conceit – a misguided belief that enterprise infrastructure is ready for the cloud when it is not. There is no corporate security architecture defined for cloud services and no standard approach to identity and access management. The security of organizations’ encryption solutions could also be compromised if the encryption keys are themselves stored in cloud providers’ systems
- Complacency – most purchasers of cloud services assume they will have full availability, but experience shows that a variety of incidents can, and often do, cause cloud outages.
Make No Allowances
Organizations need to tackle each of these seven deadly sins individually, and also adopt a broad, holistic approach that ensures all aspects of their security are addressed, as they would with any other IT service.
The reality is that cloud services are just like other third-party supplied services, and should be treated as such. In many cases, there is little or no difference between cloud-based services and those provided under an outsourcing agreement with a third-party supplier. The same processes and procedures should apply.
Experience from the outsourcing world has demonstrated that a consistent approach in areas such as choosing a supplier, contracting, monitoring and information security is critical. Cloud services need to be covered by the same form of contract.
Organizations cannot afford to ignore the information security implications of cloud computing services; they need to adopt a practical business-led approach to dealing with cloud providers without delay.
Steve Durbin is the global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments. Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner’s consultancy business, he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. Durbin has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. Durbin is currently chairman of the Digiworld Institute senior executive forum in the UK, a think tank comprising telecoms, media and IT leaders and regulators.