Who Watches the Watchmen, Part 2: Uncle Sam, Are You Naked?
The current U.S. presidential administration is committed to the cloud, and Washington has targeted about one quarter of its US$80 billion IT budget for potential migration to the cloud.
The federal government’s General Services Administration has also set up the Apps.gov website, which it describes as government agencies’ “source for cloud computing applications.”
Many enterprises making efforts to move at least some of their assets to the cloud, move often made to costs and take advantage of the flexibility of cloud-based systems.
However, with several recent well-publicized breaches of cloud systems and the recent crash of the Amazon EC2 cloud, is it really safe for enterprises and the federal government to go boldly into cloud computing? Or is this another example of high-tech Babbittry gone wild?
Hole-y Cloud Computing, G-Man!
The federal government has come late to cloud computing; many firms in the private sector, most notably heavy hitters like Google and Facebook, have been built from the ground up on cloud-based systems.
However, the cloud is not infallible.
Sony’s PlayStation Network, a cloud service, has been hacked repeatedly in the past few weeks.
Facebook is a favorite target of hackers, who seem to be using it as a malware distribution service, and Google’s systems were hacked into last year during the well-publicized Aurora attack that hit several large major U.S. corporations and led to a standoff between Washington and Beijing.
“Once you’re in the cloud, information doesn’t belong only to you but also to the provider of the cloud service,” Sorin Mustaca, a data security expert at Avira, told TechNewsWorld.
The risks involved in moving to the cloud include the possibility that the cloud provider could be hacked by external cybercriminals or rogue employees. There’s also the risk of the cloud provider going bankrupt, causing customers to lose their data, Sorin pointed out.
Being Clever About the Cloud
“The cloud is a generic concept which can’t actually be used without personalizing it,” Mustaca said.
Enterprises and government agencies should only move to the cloud after they have identified what they need and expect from the cloud service, and have set security and privacy policies.
“People think that if they move their computers and services to the cloud, they make the problems disappear,” Mustaca remarked. “But the problems don’t vanish; they simply move to the cloud.”
Cloud service providers must guarantee a minimum level of security and privacy, but the differences between vendors’ offerings “are sometimes significant,” Mustaca warned.
Going to a big provider doesn’t necessarily mean you’re any safer than if you went to a smaller one.
“It doesn’t matter how big the provider is; it can still be hacked if the correct security policies aren’t set up,” Mustaca said.
Before signing up with a cloud service provider, enterprises should ask certain core questions of them, Frederic Kerrest, president and cofounder of Okta, told TechNewsWorld.
“Some key examples include what kind of controls the provider has in place over its computing infrastructure; how it secures the storage and transmission of your data across different domains; whether you have to reconfigure your network — meaning punch a hole in your firewall — to use the provider’s service; and whether the provider uses third parties to do security testing,” Kerrest said.
Security in the Cloud
Granted, moving to the cloud can save enterprises money. However, they should think twice before accepting the lowest bid when cloud service providers respond to their RFPs (requests for proposals).
“By choosing the lowest bidder, you often end up with weak or nonexistent security strategies,” Chester Wisniewski, a senior security advisor at Sophos, advised.
“The cloud is just a fancy word for outsourcing,” Wisniewski told TechNewsWorld. “We’ve been doing it for years, and the risks that come with it are the same as for outsourcing.”
Enterprises should have their contracts with cloud service providers state that their data is being handled the way it would be in-house, Wisniewski suggested. They should also reserve the right to audit their providers.
“There are risks when moving to the cloud in that you are depending on someone else to provide security on your behalf, and it’s more difficult to verify the work has been done properly,” Wisniewski said.
The Cloud Can Fail, Too
In April, Amazon’s Elastic Compute Cloud (EC2) cloud service suffered a crash, taking down the websites of dozens of high profile companies for several days, in some cases.
Victims included Foursquare, Reddit and Cydia.
Some clients permanently lost their historical data. Chartbeat for example, couldn’t recover about 11 hours’ worth of data.
“We recovered nearly all of the affected volumes, but a small number — 0.07 percent of the volumes in our U.S. East region — were not recovered,” Amazon spokesperson Kay Kinton told TechNewsWorld.
That’s well within the published annual failure rate for volumes in the Amazon Elastic Bloc Store, Kin pointed out.
Such losses do occur on-premise, but then someone’s head often rolls, adding to the incentive to improve services.
“Cloud solutions tend to be more transparent than their on-premise counterparts in general,” Okta’s Kerrest pointed out. So when a breach occurs in the cloud or there’s a crash, news of the problem is disseminated faster than it would be if the problem occurred on-premise.
Then again, an on-premise breach impacts only one company while a breach or system crash in the cloud impacts a lot of businesses.
The bottom line: Tread cautiously when going to the cloud and don’t let your desire to save money or go faster override your common sense.
Who Watches the Watchmen, Part 4: The Mobile Device Maelstrom