
(Editor’s Note: Security expert Donald Hester continues to assess the risk in the outsourcing aspect of cloud computing in Part 2 of this two-part opinion column. Part 1 was published on September 22, 2010.)

We need some protection.

You are looking for a place to store some of your belongings and you decide you need to rent a storage unit at a local self-storage company. You come across two different places. One of them has state-of-the-art motion sensors, alarms, security cameras, a security guard and they have the local police stop by to verify the guard is awake at night. The other place is an old dilapidated wooden barn with no locks, no cameras and no alarms. The one good thing is the owner sits on his front porch watching the barn. Who would you choose?

 

The questions we need to ask of service providers are what level of security they provide, whether they follow industry security standards, and how their compliance with those standards is verified. I would look for a company that follows one of the two main industry standards for IT security: either ISO 27001/2 or NIST. ISO 27001/2 was developed by the International Standards Organization and is implemented mostly in multi-national corporations. NIST, the National Institute of Standards and Technology, has developed a number of standards to support Federal, state, local and tribal governments. These standards are used by many private organizations as well.

Once I know they follow some industry accepted standards, I would also determine if they have any regular third-party audits that verify they continue to follow those standards.

The painful divorce.

If there is one thing I have learned from some of my friends, it is that there is never a clean breakup or divorce. They are always messy and difficult. No matter how much you love a person when you first hook up, that love can fade over time. Now they are stubborn and you can't decide who gets the cat or the new 65-inch plasma TV. What do you do then? How do you move out gracefully?

The same thing is true for any service you outsource. You need to think from day one what your exit strategy will be. Think of it as a prenuptial agreement for your cloud computing service provider. Consider having provisions in your contract that stipulate when and how you can break out of the service and what they will do to help you transition your data or the service.

I want some privacy.

One morning I went outside to let the cat in and water the plants. I could hear my neighbor come out of his house to get his paper. To my surprise, he was wearing nothing but his boxers. All I could think of was that I really didn't need to see that and then I was wondering if I could plant some tall shrubs or bushes to give my neighbor some much-needed privacy.

Here, life's lessons hold true in the clouds as well. There are all kinds of data on your network that require protection. Generally we call this data PII, for Personally Identifiable Information. We are legally required to protect certain information such as student records, health information, credit card transaction data, certain financial records and social security numbers. Outsourcing any confidential information is, at best, problematic. The only way to guarantee control is to keep it in-house.

I trust you but I want it in writing.

Often, when organizations look to outsource a service, especially one that seems to be commoditized, such as e-mail, the service comes with a contract written by the service provider. Do you really expect the agreement to be in your favor and look out for your best interests? More likely, the contract is a CYA for the service provider, protecting them if you ever decide to sue.

Security professional Robert Gellman said, "Users should pay more attention to the consequences of using a cloud provider and especially, to the provider's terms of service." Make sure provisions and concerns are addressed contractually and that it actually protects you and not just the service provider.

How is their health?

Supply-chain management tells us to never do business with suppliers who can't consistently deliver or are not likely to be able to deliver in the future. Only a gold-digger would want to marry someone with one foot in the grave. If you plan to outsource for a long time, remember to evaluate the health of the service provider before you tie the knot.

I thought you knew.

I remember an incident I had when I was in high school. I borrowed my parents' car one night and, on my way home, I accidentally ran into the curb. I messed up the rim and the tie-rods on the car. I drove it home and left it in the driveway. My mother went out the next morning, got into the car to go to work and drove it a bit before she noticed it wobbling. I never told my parents what had happened until they came and questioned me about it. You can imagine how angry they were.

How would you like your cloud computing service to hide material facts from you? What if they had a security breach and your records had been exposed to the whole world? It is important to ensure that you have a Breach Notification clause in your contract with specific time limits for reporting. It is not unreasonable to require notification of 'suspected' breaches within 4 hours of discovery.

Trust but verify.

One of the other hats I wear is IT Auditor, and one of our principles is not to suspect everyone of illicit behavior. We can trust that they are doing the right things; we just need to verify that they are. Think of it as protecting the innocent.

On a regular basis you should also verify who has access to your data out in the clouds. Ask the service provider to grant you access to real-time log data. As noted above, make sure this is in the contract. The audit logs should show you if anyone at the service provider's company has accessed, altered or deleted any of your data.
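The kind of review described above can be automated once the provider hands over its access logs. The following is an added example, not code from the column or from any provider: it parses a few constructed audit log lines (the `timestamp actor= org= action= object=` format is an assumption, as are the account names) and separates your own users' activity from provider-staff access, then flags the provider-side events that alter or delete data or that happen outside business hours. The approved automation account is a placeholder for whatever the contract explicitly permits.

```python
"""Review cloud-provider audit logs for provider-side access to tenant data.

Added example with a constructed log format; not the column's or any
provider's own tooling.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines (assumed format, not from a real provider):
# <ISO-8601 UTC timestamp> actor=<principal> org=<tenant|provider> action=<read|write|delete> object=<path>
SAMPLE_LOG = """\
2010-09-22T08:15:02Z actor=jdoe@customer.example org=tenant action=read object=/hr/payroll.csv
2010-09-22T09:02:41Z actor=svc-backup@provider.example org=provider action=read object=/hr/payroll.csv
2010-09-22T11:30:00Z actor=ops-admin@provider.example org=provider action=delete object=/hr/2009-archive.zip
2010-09-22T12:00:13Z actor=asmith@customer.example org=tenant action=write object=/finance/q3.xlsx
2010-09-22T23:45:59Z actor=ops-admin@provider.example org=provider action=write object=/hr/payroll.csv
"""

# Hypothetical: provider automation the contract explicitly allows to touch our data.
APPROVED_PROVIDER_ACTORS = {"svc-backup@provider.example"}


@dataclass
class Event:
    ts: datetime
    actor: str
    org: str
    action: str
    obj: str


def parse_line(line: str) -> Event:
    """Parse one 'ts key=value ...' line into an Event (timestamps are UTC)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kv["actor"], kv["org"], kv["action"], kv["object"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def provider_access(events: list[Event], approved=APPROVED_PROVIDER_ACTORS) -> list[Event]:
    """Every provider-staff touch of our data that is not an approved automation account."""
    return [e for e in events if e.org == "provider" and e.actor not in approved]


def destructive_provider_actions(events: list[Event]) -> list[Event]:
    """Provider-side events that altered or deleted data, which the contract should make us aware of."""
    return [e for e in provider_access(events) if e.action in {"write", "delete"}]


def after_hours(events: list[Event], start_hour: int = 8, end_hour: int = 18) -> list[Event]:
    """Provider-side access outside the assumed 08:00-18:00 UTC maintenance window."""
    return [e for e in provider_access(events) if not (start_hour <= e.ts.hour < end_hour)]


def summarize(text: str) -> dict[str, int]:
    """Counts a reviewer would put in a monthly report to the provider."""
    events = parse_log(text)
    return {
        "provider_access": len(provider_access(events)),
        "destructive": len(destructive_provider_actions(events)),
        "after_hours": len(after_hours(events)),
    }


if __name__ == "__main__":
    for e in provider_access(parse_log(SAMPLE_LOG)):
        print(f"{e.ts.isoformat()} {e.actor} {e.action} {e.obj}")
    print(summarize(SAMPLE_LOG))
```

Running it over the constructed lines reports two unapproved provider-side events, both destructive and one after hours; those are exactly the entries you would take back to the provider and ask to have explained. Anything the provider cannot account for is the material fact the Breach Notification clause is there to surface.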

Conclusion

As you can see, there are quite a few things you should do before you dive in the deep end. There are other considerations that I could not cover, given the length of this article. However, I have some resources you can review that will help you dive a little deeper into the risks and rewards of cloud computing.

Some helpful resources regarding IT clouds and security:

  • "Above the Clouds: Managing Risk in the World of Cloud Computing," by Kevin T. McDonald.
  • "Cloud Computing Implementation, Management, and Security," by John W. Rittinghouse and James F. Ransome.
  • "Privacy in the Clouds: Risk to Privacy and Confidentiality from Cloud Computing," a report by Robert Gellman.
  • "Seven Cloud Computing Risks," a Gartner report.

(Editor's Note: Part 1 of Risk In Clouds was published as part of the TechEDge eNews Update on September 22.)