The past 12 months I have spent more time wrestling with Cloud infrastructures, Cloud security plans, and Cloud audit controls than I expected… While a tremendous amount of material has been produced on the challenges of Cloud computing, I feel a voice of “reason” is valuable regarding the actual usage of cloud environments and working in the here and now. More pointedly, too much of our focus within risk and security is on the problems of the Cloud Providers’ (insert any definition you wish) practices, and not sufficiently on the operator’s requirements and needs. So, let me consolidate my thoughts below and save greater detail for future posts and (I am certain) lively discussions.
Cloud Security Providers are just that – providers, and we need to work with what we are given to meet compliance, security, and operational targets. It is not prudent to spend time wishing for new security practices from providers (such as Amazon / Salesforce) when we have (and have had) the tools to mitigate the risks that they present. I prefer to present this concept to colleagues as follows: Cloud providers should be treated like the power company – trust them enough to get you power, and proactively plan for the rest. In that context we have breakers for our homes, power strips, battery backups, and a number of power conditioning solutions at the enterprise level.
The primary reality of Cloud computing can be thought of in this manner – if we were running our systems (full machines or the application) remotely, what security safeguards would we put in place? This covers a significant number of the traditional risks to the systems and their functions. These are not the only risks, however…
The second reality of Cloud computing is the new paradigm of cloud operations. This is the area I spend the most time on with organizations and experts – not what is missing from XYZ provider, but how business operations are different. This difference creates a material change in the organization’s business processes, IT controls, and ability to maintain agility in operations. Let me be specific about some of the areas that require prudent attention:
- Culture shift: job responsibilities and separation of duties collapse in most cases (the provisioning of servers, once handled by Jane, is now also done by Bob for the virtual systems, but in a shadow, less prudent manner)
- Assumptions of operations: operators of systems assume that the systems will be updated, patched, secured, and managed. This goes beyond the simple ‘is the server patched’ to include ‘how, and by whom, are the systems being secured at the network layer’
- Direct / Console access to data: a concern with Cloud service providers is the administrative capabilities that exist within the various Cloud deployments. This should be addressed through end-point security solutions deployed on the given hosts (where applicable) and managed through data custodianship for data and application providers.
The first two bullets above contain the absolute largest challenges to auditors, operators, and the ongoing success of Cloud services. More on that later though…
An interesting consequence of Cloud deployment is that the velocity and fluidity of information demand better understanding and management of that information. Through proper data controls and maintenance, the greatest risks can be reduced.
Of course… it depends on your intent, industry, data type, and business… but this is a great place to start considering and thinking it through.
Challenges / Thoughts / Additions / Corrections,