Full Contact Computing
Bare knuckles, no holds barred computing

Cloud Computing – Heavenly or Stormy?

Cloud computing is the new buzzphrase now, and for those who haven’t been keeping up, it simply means that the server/software/platform is located “somewhere else” and managed by “someone else”. It has some advantages, mainly being able to increase or decrease one’s usage whenever needed without buying/selling hardware, and reducing the cost of an in-house IT department, but it comes at the cost of giving up control. Is it worth it? Is it, as one article asks, “the answer to all our IT problems” or “a sucker’s game that merely shifts responsibility for IT infrastructure to different hands, leads to performance issues of its own and leaves your data more open to theft”? http://www.itbusinessedge.com/cm/blogs/cole/a-tale-of-two-clouds/?cs=40604

The Cloud Security Alliance has published a paper entitled “Top Threats to Cloud Computing V1.0” http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf in which they detail seven areas of vulnerability. These include abuse of cloud services by botnets and spammers, insecure interfaces, malicious insiders, the inherent insecurity of shared technology, data loss/leakage, account/service hijacking, and a catch-all “unknown” threat category.

Looking at the malicious insider threat, the 2010 CyberSecurity Watch Survey http://www.cert.org/archive/pdf/ecrimesummary10.pdf shows that 51% of the attacks were from insiders, that only 56% of the participants have a plan for reporting and responding to a cybercrime, and that a whopping 72% of the insider incidents are handled internally without legal action or the involvement of law enforcement! What does this say about the companies that host cloud computing environments? Mainly it says that there is a good chance they won’t detect if they have a malicious insider on staff, and they sure won’t report it if they do catch one. The simple fact is that you have no control over the hiring procedures of the cloud provider, have no control over any disciplinary procedures for their employees, will probably never be notified if there is a security breach, and may have no legal recourse (due to foreign laws) to prosecute or sue the offender. In addition, you have no access to the logs that would show any intrusions, so you can’t even proactively scan them, but have to rely on the vigilance (if any) of the cloud provider to do so.

How about the insecure interfaces? In a survey of 637 companies conducted last month by Symantec and the Ponemon Institute http://www.switched.com/2010/04/29/new-security-concerns-floating-around-in-cloud-computing/ , almost 75% “did not employ procedures to approve cloud applications that use sensitive or confidential information. Over half of them simply take a provider at its word when it comes to security procedures, never asking for proof or assessing the service themselves”. That sounds pretty insecure to me.

Combine this with the “biggest target” syndrome – if someone is looking for something to shoot, they will likely shoot at the biggest target available. That is why people who create computer viruses, worms, and malware target Windows much more frequently than Macs: Windows has such a vast percentage of the market. So it is with cloud computing – fewer companies with server farms means that more shots will be taken at the remaining ones. Rather than hiding in a sea of obscurity, small companies that go to cloud computing will be setting themselves up as a target for hackers.

Still want all of your sensitive data in the cloud?

If so, conduct exhaustive research on the cloud providers you are considering. Test them. Hire a security consultant to evaluate them. Have the contract examined in minute detail by an appropriately-skilled attorney. Think of anything that could go wrong and write that into the contract – natural disaster that wipes out the cloud computing center, slow performance, data loss, upgrades, and ultimate responsibility. Look at the financial stability of the cloud provider – how long are they likely to stay in business? How about your ability to pay – will they cut off your access if you are late on a payment? What happens if other users on the same server slow your access down?

This isn’t a decision to be made lightly.

And good luck.
