WHITE PAPER
Security in the Cloud: Is it Pie in the Sky?
Security is one of the most commonly cited reasons why Enterprise and Public Sector customers are reluctant to embrace cloud computing, notwithstanding the many benefits it offers in other respects. In this white paper, we explore the reasons behind the perception that cloud computing is somehow less secure than other Enterprise computing paradigms, identify the real risks where they exist, and propose ways in which Enterprises can mitigate those risks.
Why is the cloud perceived to be insecure? On the surface of it, it would almost seem that the question does not need asking. After all, the very term "cloud" implies a degree of opacity: a lack of visibility as to where resources (applications, data, compute, storage, network etc.) are actually located. It would also appear to imply a similar lack of transparency as to who controls those resources: who sets policy, who enforces policy, how compliance is audited, and so on. Furthermore, the fact that access to many cloud-based services can be provisioned through a browser in no more time than it takes to enter an email address and a credit card number adds to the impression that this is not Enterprise-class technology.
Is there any merit in these perceptions? After all, businesses have been outsourcing computing to third-party providers since the first timesharing systems were introduced in the late 1950s and early 1960s.[1] Is there anything intrinsic to cloud technologies or deployment architectures that makes them fundamentally less secure than other forms of outsourced computing services? Strange as it may seem, the beginnings of an answer can be found in those early timesharing systems, which are, after all, some of the first examples of the multi-tenant deployment architectures that underpin much of the economics of the cloud. The point is that the resource that was multi-tenant in these early architectures was compute, not storage. The state of the art in storage in these early systems was the deck of punched cards, later superseded by reels of magnetic tape.[2] Hence, although the compute was multi-tenant, the data storage was not. Although the reasons why data storage was not multi-tenant were technological rather than security-related, it is here that we find the key to the reluctance of Enterprise and Public Sector users to migrate their applications to the cloud. Increased use of virtualization, and later of Private cloud technologies, has made most Enterprises comfortable with the notion of sharing compute farms. However, the idea of sharing storage, or even worse, of losing control of where data is stored and how it is managed, is at the root of their concerns about the migration to cloud.
Data, of course, is the "crown jewels" asset in almost any Enterprise computing environment. The data, and the insights it provides into the performance of the business, are far more valuable than the infrastructure on which they are stored and processed. In addition to the intrinsic value of data to the Enterprise, there are very frequently a number of regulatory issues to be considered:

- Location of data: in many countries, financial data must physically remain at all times within the jurisdiction of the relevant regulatory authorities.
- Access to data: only certain people may have access to sensitive personal and financial information, and this access must be monitored and logged such that it is auditable at all times.
- Ownership of data: the US, the UK and much of the EU have divergent rules about ownership of data stored on corporate networks. In the US, it is generally the case that the company owns all data created by its employees and stored on corporate systems, while in France the reverse is true. Thus, if a French company stores employee emails on a server in the US and is subsequently subpoenaed by the authorities to provide access to the data, it is guilty of an offence in France if it releases the data, and guilty in the US if it does not.
- Intellectual property laws: protection of intellectual property varies widely from jurisdiction to jurisdiction. A company accustomed to operating within the IP framework of the EU which stored sensitive information about new products on servers in certain Asian or African countries might have little recourse when it found imitations of those products being produced locally as soon as the original product was launched.
- Privacy and confidentiality laws: as the recent spate of regulatory actions against the makers of a popular business smartphone has shown, authorities in different jurisdictions take widely different views of the degree of privacy and confidentiality that an enterprise can assume when its data is in transit.[3]

What are the real security risks? Given the range and complexity of the data-related concerns outlined in the previous section, it is evident that the number one concern of any enterprise migrating to the cloud should be the location of its data. But knowing where the data is physically stored is only the first step in ensuring that it is secure. There are a number of other questions that the Enterprise must consider before storing data in the cloud:

- How and when will the data be backed up?
- How long will the recovery process take?
- Who is responsible for initiating the recovery process when data is lost?
- Who, other than employees of my company, will have access to the data, and what kind of access will it be?
- What tools are available for me to audit the cloud provider's handling of my data?
- Can I audit the service provider at any time, or only by prior arrangement?
- Does the service provider hold the certifications typical for a provider of such services (especially ISO 9001 and ISO/IEC 27001)?
- Does the service provider hold the sector-specific certifications relevant to my industry (e.g. FISMA in the US, or NHS N3 in the UK)?

Beyond the logical security of data, it is also important to understand the physical security, an area about which many cloud providers are notoriously reluctant to share information. At the most basic level, if an Enterprise does not know where its data is physically stored, it cannot claim that the data is secure. It is not enough to be assured that the data is physically separated from that of the service provider's other customers (though few cloud providers are in a position to offer this assurance). Nor is it enough that the provider commits that the data will remain within a particular jurisdiction, particularly if there is no mechanism to audit this.[4] In practice, few cloud providers are open about the physical architecture of their infrastructure, the location of their data centers and the connectivity between them. Even if the information is available, without the appropriate advisory services wrapped around the cloud offering it may be difficult or impossible for the Enterprise to develop a deployment strategy that ensures an optimal architecture from a security and availability perspective. There are too many considerations to cover in depth here, but at a minimum the cloud provider should have ready answers to the following questions:

- Where are your data centers physically located?[5]
- Which data center(s) will be used to store my data?
- Where will my backups be stored?
- Will my data be replicated to a remote location? If so, where?
- If my data is replicated remotely, will I be able to resume processing from there in the event of a complete data center outage? If so, in what timeframe?
- What is the network architecture (a) between customers and the cloud, and (b) between cloud data centers?
- Are all the data centers in the cloud owned by the provider? If not, who owns them, and what else is processed in those data centers?[6]

While there are many more questions to be asked, a cloud provider that cannot or will not share the answers to this sort of question is unlikely to be an appropriate partner for mission-critical production workloads,[7] though it may be adequate for development and test environments, provided that these do not require the use of live production data. In summary, therefore, although many aspects of Enterprise cloud computing are "back to the future" and the industry has operated multi-tenant compute services for more than fifty years, the cloud does present some unique challenges in respect of data storage that earlier generations of outsourced compute and co-location services have not presented.
What can be done to mitigate those risks? As has been shown, it is entirely reasonable for businesses to be wary of the security risks posed by putting "crown-jewels" data assets in the cloud. Does this mean, then, that Enterprises should simply stay away from the cloud, in spite of its obvious and well-publicised business transformation benefits and economic advantages? In order to answer this, it is important to recognize that there is actually no such thing as "the cloud". There are several well-accepted cloud paradigms, and for each paradigm there are multiple (and in some cases many) commercial service providers to choose from. The first thing that an Enterprise must do when considering a move to the cloud is to understand the business goals it wishes to achieve from the migration, and then determine which, if any, of the cloud paradigms have the potential to fulfil those goals while respecting the security considerations we have been discussing. So what, precisely, is it that Enterprise cloud providers offer that makes their environment more secure, in the sense in which we have been using the term, than Public cloud providers?

| Paradigm | Description | Types of application | Enterprise-class (Y/N)[8] |
|---|---|---|---|
| Highly virtualized | Applications run on highly virtualized infrastructure. No dynamic provisioning of compute or data. | Almost any reasonably modern enterprise workload | Y |
| Private cloud | Applications run on a highly virtualized infrastructure with dynamic provisioning of compute and/or data. All infrastructure remains dedicated to a particular enterprise.[9] | As above | Y |
| Public cloud | Applications run on a highly virtualized infrastructure with dynamic provisioning of compute and/or data. All infrastructure is owned by the service provider and may be shared across multiple customers. | Web-facing workloads requiring a high degree of dynamic scale-out; non-mission-critical workloads such as development and test | N[10] |
| Enterprise cloud | Applications run on a highly virtualized infrastructure with dynamic provisioning of compute. Special provisions are made by the cloud provider for the storage and management of data to ensure security and availability to Enterprise standard. | Mainstream enterprise applications such as ERP, CRM etc. | Y |
| Hybrid | Any combination of the above | Implementation dependent | Implementation dependent |
Very simply: they do not "cloud" the data. In an Enterprise-class cloud environment, although the compute will be multi-tenant, the data will not. From a data security standpoint, an Enterprise cloud provider will:

- Physically separate each customer's data onto separate physical disks, even if using virtual storage solutions
- Only store that data in data centers known to and approved by the customer for that data
- Manage the backup and/or replication of that data in a predictable manner, as set out in either published terms and conditions or a bespoke SLA
- Provide an advisory service as an integral part of the onboarding process, to ensure that the customer's security requirements are fully understood and reflected in the migration process and the deployment architecture
- Provide full audit capability at all times, so that the customer can ensure compliance with the terms and conditions or the bespoke SLA

As mentioned in the previous section, if an Enterprise does not know where its data is physically stored, it cannot claim that the data is secure; and if a cloud provider cannot guarantee the five pillars of data security outlined above, then its claims to be secure are indeed pie in the sky. But customers who find a cloud provider with both an Enterprise-class platform and the consulting experience to help them make the most of it can have their cake and eat it.
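The second and fifth pillars, approved storage locations and full audit capability, only mean something if the customer can verify them rather than take them on trust. What follows is an added example, not code from this white paper or from any cloud provider: a small Python audit that takes a storage inventory (the kind of export a provider's audit capability should be able to give a customer) and checks every copy of each data set, live volume, backup and remote replica alike, against the customer's own residency policy, including whether a copy sits on media shared with other tenants and whether a remote copy exists at all. The inventory format, the data-center codes, the jurisdiction mapping and the policy are all hypothetical, and the sample inventory is constructed for illustration.

```python
# Added example (not from the white paper): audit a storage inventory against a
# customer's data-residency policy. Site codes, policy and inventory are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class StorageAsset:
    name: str                        # volume / bucket / database identifier
    classification: str              # customer's data class, e.g. "financial"
    primary_site: str                # data center holding the live copy
    replica_sites: Tuple[str, ...]   # backups and remote replicas, wherever they land
    shared_media: bool               # True if the copy sits on disks shared with other tenants


# Hypothetical mapping of the provider's data-center codes to legal jurisdictions.
SITE_JURISDICTION: Dict[str, str] = {
    "LON-1": "UK", "DUB-2": "IE", "FRA-1": "DE", "ASH-1": "US", "SIN-1": "SG",
}

# Hypothetical customer policy, one rule per data class.
POLICY: Dict[str, dict] = {
    "financial": {"jurisdictions": {"UK"},
                  "allow_shared_media": False, "require_remote_copy": True},
    "hr":        {"jurisdictions": {"UK", "IE", "DE"},
                  "allow_shared_media": False, "require_remote_copy": True},
    "test":      {"jurisdictions": {"UK", "IE", "DE", "US", "SG"},
                  "allow_shared_media": True, "require_remote_copy": False},
}


def audit_residency(assets: List[StorageAsset], policy=POLICY,
                    site_map=SITE_JURISDICTION) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs; an empty list means the inventory is compliant."""
    findings: List[Tuple[str, str]] = []
    for asset in assets:
        rule = policy.get(asset.classification)
        if rule is None:
            # Unclassified data has no approved location, so it cannot be shown to be secure.
            findings.append((asset.name, "no residency rule for class '%s'" % asset.classification))
            continue
        # Every copy counts: the live volume, its backups and any remote replica.
        for site in (asset.primary_site, *asset.replica_sites):
            jurisdiction = site_map.get(site)
            if jurisdiction is None:
                findings.append((asset.name, "site %s not in the approved data-center list" % site))
            elif jurisdiction not in rule["jurisdictions"]:
                findings.append((asset.name, "copy at %s (%s) outside approved jurisdictions %s"
                                 % (site, jurisdiction, sorted(rule["jurisdictions"]))))
        if asset.shared_media and not rule["allow_shared_media"]:
            findings.append((asset.name, "stored on media shared with other tenants"))
        if rule["require_remote_copy"] and not asset.replica_sites:
            findings.append((asset.name, "no remote replica or backup declared"))
    return findings


def is_compliant(assets: List[StorageAsset], policy=POLICY,
                 site_map=SITE_JURISDICTION) -> bool:
    return not audit_residency(assets, policy, site_map)


# Constructed sample inventory, as a provider's audit export might present it.
SAMPLE_INVENTORY = [
    StorageAsset("gl-ledger", "financial", "LON-1", ("DUB-2",), False),   # replica leaves the UK
    StorageAsset("payroll", "hr", "LON-1", ("FRA-1",), False),            # compliant
    StorageAsset("pricing", "financial", "LON-1", (), False),             # no remote copy at all
    StorageAsset("crm-db", "hr", "DUB-2", ("LON-1",), True),              # on shared disks
    StorageAsset("ci-scratch", "test", "ASH-1", (), True),                # test data, allowed anywhere
    StorageAsset("legacy-archive", "unknown", "SIN-1", (), False),        # never classified
]

if __name__ == "__main__":
    for name, finding in audit_residency(SAMPLE_INVENTORY):
        print("%-15s %s" % (name, finding))
```

Run against the constructed inventory, the audit flags four of the six data sets and passes the other two; an empty result is the only acceptable state for production data. In practice the inventory would be pulled from the provider's audit interface on a schedule, so that a replica quietly added in another jurisdiction shows up as a finding rather than as a surprise during a regulatory inspection.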
Footnotes

1. Interestingly, the Public Sector has an even longer history of outsourcing its computing needs. ENIAC, the first general-purpose electronic digital computer (and the project from which the stored-program design now known as the von Neumann architecture emerged), was commissioned by the US Army's Ballistic Research Laboratory and built at the University of Pennsylvania.

2. Though, as this author can attest from his early days of programming on IBM System/38 and AS/400 equipment, the file formats used by most tape-based applications replicated the punch cards to a very considerable extent. Indeed, the 80-character input/132-character output limitations of RPG/III and RPG/400 were directly related to the limitations of punch card readers and printers of the 1950s and 60s.

3. We have already seen lawsuits attempting to force cloud-based services such as Twitter to identify users to the authorities, and this author sees this as the beginnings of a long and slippery slope.

4. It is worth bearing in mind that most cloud providers are multinational or even global entities, with many routine operations management functions handled in lower-cost geographies. In this scenario, it is important to understand what safeguards the cloud provider has put in place to ensure that data is only accessed by people from within the appropriate jurisdiction (and in some cases, with the appropriate certifications or government clearances). In practice, many public cloud providers have no answer to this, and it is up to the prospective customer to determine whether the risks are acceptable or not.

5. Depending on the nature of the application and the type of data involved, it may be necessary to provide a physical address. In most cases, however, it will suffice to know the general area (e.g. partial post code in the UK, five-digit Zip Code in the US), as the main issue is to ensure that the data center is reasonably remote from natural hazards (e.g. fault zones, volcanoes) or man-made hazards (e.g. airport flight paths).

6. Today, the majority of cloud providers own their own data centers, though this is not necessarily true for many cloud-like services such as SaaS applications, which are often hosted on a co-location basis in a commercial hosting service. However, with the advent of commercial cloud operating systems it will become increasingly common for a multinational cloud provider to run clouds within such commercial hosting services, particularly in geographies in which it is not yet well established. As cloud providers migrate to this type of architecture, a whole new set of security concerns will come to the fore.

7. I was recently asked by a journalist from a major UK newspaper whether cloud providers were not providing (and charging for) a higher service level than most businesses actually required in terms of real-time replication of data to remote sites, etc. The simple truth is that most businesses, even traditional bricks-and-mortar businesses such as fast-food delivery, are so IT-dependent that just about any production application is mission critical. Many businesses were seriously inconvenienced when a major cloud-based email service recently suffered a lengthy outage, and as businesses migrate more line-of-business applications to the cloud, real money will be lost if the issue of information security and availability is not properly considered during the migration. The problem will be many times worse as businesses migrate to an application landscape comprised of SaaS applications from multiple vendors hosted in multiple clouds.

8. I use the term "Enterprise-class" much as communications companies used to use the term "Carrier-class" to distinguish

9. It is sometimes assumed that Private clouds must run in an Enterprise's own data center, but there are many examples of Private clouds running in commercial hosting services on a co-location basis. The key distinction between Private cloud and other types of cloud is the lack of multi-tenancy, not the physical location or ownership of the infrastructure.

10. Unless additional features are purchased from the provider, or implemented by the customer, to bring the environment to Enterprise standard.