
Cloud security? Better get a lawyer, son!

Moving your data into the cloud creates a raft of security challenges, but, according to information security specialists, those challenges are less about hackers and more about data availability and signing the right contracts.
Written by Stilgherrian, Contributor


Table of Contents
  1. Raising the stakes

    When data resides in a company's own datacentre, the onus on protecting that data from outage or breach falls upon that company. Cloud turns that on its head.

  2. What to look for

    Customers need assurance from their supplier that it can maintain the three pillars of security: confidentiality, data integrity and data availability.

  3. Who's responsible?

    A lot of cloud security is about contract management, something that has traditionally been handled by a company's purchasing and legal teams.

  4. Crossing boundaries

    Hosting your cloud services on Amazon's servers might make for high availability and redundancy, but that very redundancy can be a problem.

  5. Keeping the bastards honest

    Contracts are all well and good, but how do you know whether the cloud services are actually being provided as the contract specifies?

  6. The sharks are circling

    The increase of the amount of linked data which is held in the same cloud sanctum makes a fatter target at which hackers can aim.

Raising the stakes

When data resides in a company's own datacentre, the onus on protecting that data from outage or breach falls upon that company. Cloud turns that on its head.

"With a datacentre, that's just somewhere to stash your gear — running your operating system with your software audited the way you want — in a place which might have better connectivity, better power etc," says Paul Ducklin, Sophos' head of technology for the Asia-Pacific region.

"The issue with a pure-play cloud service is it's almost as though you really are betting the whole farm — and buildings, and all its equipment and how the fertilising is done every year — on somebody else. They get to decide how it all works."


The farm metaphor almost became real for Crispin Harris, currently the head of network security for a fast-growing Australian resources company. He has previously worked for law enforcement agencies and other demanding environments. A vendor recently showed him a software-as-a-service contractor management system that claimed to be based "in the cloud". It was intended to contain all of the company's interactions with external contractors and consultants, including whether they'd completed the safety inductions needed to work at a mine, or held a Maritime Security Identification Card to allow them access to the port.

"We finally managed to pin this company down to find out where they were, because they were saying 'We're in the cloud, we're in multiple locations around the world'," Harris told ZDNet Australia. "Yes, they have salesmen in seven different cities in three different continents. Unfortunately the datacentre was in a small shed in the back of Penrith in western Sydney. Not in a Tier 1 datacentre, not backed up over multiple places. Just two redundant ADSL links, both to Telstra."

"We really don't want that kind of database stored in shed," he said.

When you don't have the means to be directly responsible for the technology and protections, you find yourself relying on what has been agreed.

"It's a subtle thing, because the customer is still absolutely responsible for any damage caused. You cannot outsource that piece of risk," Harris says. And because you no longer have hands-on capability, "it all has to be in the contract".

What to look for

"The word in the end is 'assurance'," says network security head Crispin Harris. "We wanted assurance from the supplier that they could maintain the three pillars of security: confidentiality, data integrity and data availability. Each one of those had multiple parts, and the one that most people didn't look at was the data availability."

Data availability is of course one of the cloud's big selling points. In theory all you need is an internet link, any internet link, and off you go. But ensuring data availability has many subtleties.

The key metric is the familiar percentage of uptime often seen listed in service level agreements (SLAs) and marketing materials.

The term "three nines", or 99.9 per cent uptime, for example, means a total permissible downtime of 8.76 hours per year or 43.2 minutes per month. Is this enough for your business? Or do you need 99.99 per cent ("four nines") at 52.56 minutes downtime per year or a mere 4.32 minutes per month? Does your IT department actually know the business' real data availability needs?

According to Harris, most businesses can't answer those questions. "More often than not, much more often than not, an organisation has never seriously looked at what their critical business processes are, and how they relate to the information that drives them."

As an example, an accounting system might not need five nines reliability if invoicing can wait until the next business day. But a customer relationship management or stock control system going down could mean lost orders, idle staff and angry customers.

Suppliers sometimes refer to availability levels in relation to "unplanned outages". But what about planned outages, which might be needed to perform maintenance?

"I've seen one environment not that long ago that stated four nines of availability for unplanned outages. But that was fine, they took five hours out each week to do planned maintenance," says Harris. That reduced actual data availability to 95 per cent.

If availability is "guaranteed", what does that actually mean in practice? Will the service absolutely, definitely perform at the stated levels? Or will the supplier merely refund your money if service levels are not met? Refunding a monthly service charge of, say, $5000, wouldn't be much consolation if being offline costs your business $50,000 an hour in lost sales or running costs.
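The SLA arithmetic in this section, worked through as an added example (not code from the article or any vendor): converting a "nines" figure into the downtime it permits, subtracting a planned maintenance window that the SLA excludes, and weighing the loss from within-SLA downtime against the refund. The monthly figures assume a 30-day month, as the article's do; the two-hour weekly maintenance window is a constructed value, while the $5000 fee and $50,000 per hour loss are the article's own.

```python
"""SLA 'nines' arithmetic: permitted downtime, planned-window effect, exposure vs refund."""
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24   # 8760 h, matching the yearly figures quoted above
HOURS_PER_MONTH = 30 * 24   # 720 h: the monthly figures above assume a 30-day month
HOURS_PER_WEEK = 7 * 24


def permitted_downtime_minutes(uptime_pct: float, period_hours: float) -> float:
    """Downtime a provider may accrue in `period_hours` and still meet `uptime_pct`."""
    return round((100.0 - uptime_pct) / 100.0 * period_hours * 60.0, 2)


def effective_availability(uptime_pct: float, planned_hours_per_week: float) -> float:
    """Availability the business actually sees when the SLA counts only unplanned
    outages and a recurring planned maintenance window is excluded from it."""
    planned_pct = planned_hours_per_week / HOURS_PER_WEEK * 100.0
    return round(uptime_pct - planned_pct, 2)


@dataclass
class SlaExposure:
    downtime_hours: float   # downtime the SLA tolerates per month without any breach
    loss: float             # what that tolerated downtime costs the business
    credit: float           # the most the contract would refund if the SLA were breached


def monthly_exposure(uptime_pct: float, cost_per_hour: float, monthly_fee: float) -> SlaExposure:
    """Compare the loss from SLA-permitted downtime with the refund a breach would yield."""
    downtime_h = (100.0 - uptime_pct) / 100.0 * HOURS_PER_MONTH
    return SlaExposure(round(downtime_h, 2), round(downtime_h * cost_per_hour, 2), monthly_fee)


if __name__ == "__main__":
    for pct in (99.9, 99.99):
        print(f"{pct}%: {permitted_downtime_minutes(pct, HOURS_PER_YEAR):.2f} min/year, "
              f"{permitted_downtime_minutes(pct, HOURS_PER_MONTH):.2f} min/month")
    # Constructed scenario: four nines for unplanned outages plus a two-hour weekly window.
    print("effective availability:", effective_availability(99.99, 2.0), "%")
    # The article's figures: a $5000 monthly fee against $50,000 per hour offline.
    e = monthly_exposure(99.9, 50_000, 5_000)
    print(f"loss within SLA ${e.loss:,.0f}/month vs maximum refund ${e.credit:,.0f}")
```

Note that the loss figure is incurred while the provider is fully meeting its SLA, so no refund is owed at all; the refund only caps what comes back once the SLA is actually breached.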


How quickly can you recover your data in case of a failure? A system might still be available under the terms of the SLA, but running with the wrong data.

What happens when the contract ends? Is your data returned? If so, how and when? Does the supplier guarantee that deleted data is actually deleted, not just from the live system but all archives and backups?

Who's responsible?

A lot of cloud security is about contract management, something that has traditionally been handled by a company's purchasing and legal teams.

In the experience of network security head Crispin Harris, IT departments are usually poor at ensuring purchasing knows what service levels are important to the business.

Often, for example, IT departments forget to conduct financial due diligence on their suppliers. Is there a risk that the supplier could run into financial difficulties and disappear, taking your data and operations with it?

"When you're dealing with a supplier like Amazon with their S3 services, you can see immediately that they're an American listed company, they've got a very large book value, they've got lots of customers and they've got a good reputation for service," says Harris. "But when you start talking to some of the other cloud suppliers, this is not quite so obvious."

"There's not enough interaction and not enough understanding between purchasing and IT. They're both corporate support groups. IT supports the company just as much as purchasing supports the company, but somehow these two groups seem to fight all the time," he says.

Harris recommends building direct personal links between the IT department and the legal team, rather than relying on the purchasing team to translate. And it's the IT department's job to educate the lawyers.

"It's absolutely core to the effective use of cloud services that IT and legal discuss frankly and in a reasonable amount of depth the cross-disciplinary effects of both their decisions," he says. "They'll both learn quite a lot about what is important to the other side.

"It's very much about the relationship, not just between IT and purchasing, but IT and all the way into legal. Talk with your counsel directly, person-to-person, not even email. Go and talk to them face-to-face and explain where you think the risks are and where the benefits are."


Crossing boundaries

Hosting your cloud services on Amazon's servers might make for high availability and redundancy, but that very redundancy can be a problem.

"There is less certainty about the geopolitical location of that data," Ajoy Ghosh, chief information security officer for Logica Australia says. "In the case of outsourcing to a physical datacentre, you know that the datacentre is going to be at this particular place. Unfortunately, with the advent of the cloud, that particular case can move around fairly easily at the whim of the provider."

That means your data could end up in a different legal jurisdiction, which changes the risk profile. Indeed, for some industries it might create compliance problems — especially as some major cloud providers, including Amazon and Microsoft, don't have datacentres in Australia at all.

"If you happen to be in a jurisdiction with mandatory [security] breach reporting, and you are using the same shared services, whether it's in an outsourcing scenario or a cloud scenario, if Company B is breached Company A also has to report it," Ghosh says. If nothing else, Company A's reputation is damaged by something completely out of their control.

Both Amazon and Microsoft, as well as other providers, attempt to reduce these problems by dividing their global clouds into regions.

"Amazon Web Services (AWS) customers have full control over their data whereby they choose which region they want to place their data and which particular set of resources to operate," Amazon told ZDNet Australia in an emailed response. These regions include the US East Coast, the US West Coast, the European Union, and a Singapore Region for Asia Pacific.

"The selection of a region within an acceptable geographic jurisdiction to the customer provides a solid foundation to meeting location dependent privacy and compliance requirements, such as the EU Data Privacy Directive. Data are not replicated between regions unless proactively done so by the customer, thus allowing customers with these types of data placement and privacy requirements the ability to establish compliant environments."


Similarly, Microsoft can arrange for customer data to travel only within several specific geographic regions, including North America and the EU.

"The problems are really contractual," says Ghosh. "For example, making sure there are clauses in the contract that limit the provider to certain jurisdictions, and making sure there are clauses in the contract that say the provider needs to notify the customer prior to moving that data."

Keeping the bastards honest

Contracts are all well and good, but how do you know whether the cloud services are actually being provided as the contract specifies?


"I'd actually argue, in the case of traditional outsourcing, that the customer needs to be conducting regular on-site audits anyway," says Logica's Ajoy Ghosh. "That doesn't change in the cloud scenario, except perhaps that you may choose to do it more frequently."

However, Microsoft, to choose just one example, does not permit visitors to its datacentres. Even Microsoft's own staff are banned unless there's an approved business need. The company is secretive about the locations and even the number of its datacentres, saying publicly only that there are more than ten but fewer than a hundred.

"How do you audit something which is part of somebody's private infrastructure?" asks Sophos' Paul Ducklin. He points to Google's Wi-Fi privacy disaster, where even Google didn't know that its code had breached regulations.

"When the provider themself says, 'Hey look, that was just a blunder', it does start to raise questions," Ducklin says. "How can I put my hand on my heart to my customers and say, 'I am looking after your data to the standard X or Y or Z?' All you can do is take the word of your cloud provider for it and, as experience suggests, even they may come up short in understanding exactly what's going on where because of all that nimbleness and flexibility."

Microsoft's response is that openness, or at least partial openness, builds trust.

"The thing we do to allow that trust is to publish our compliance framework," says Mark Estberg, who leads risk and compliance management for Microsoft's online services. "You can see the specific control objectives and control activity we measure ourselves against, and we bring in a third party to measure ourselves against that."

In the case of Microsoft's ISO 27001 certification, for example, that measurement is conducted by the British Standards Institute, and the documentation is published online.

Both Amazon and Microsoft hold SAS 70 audit certifications. However, all that says is that the organisations are meeting their own standards. Whether those standards meet your business needs is a separate question, and again it points to your purchasing team having a good understanding of the details.

Ducklin, meanwhile, is sceptical of these audits.

"I'm just not sure how you can have that same level of what you might call 'scientific comfort' with a pure cloud service, where you're trusting the provider, and the provider's network, and anybody who's ever had a look at how that service works," he says. "So I think it's great to have that external scrutiny, much better than 'Hey, trust us, she'll be right.' But on the other hand the idea of maintaining that certification and correctness with everybody's data, it does seem to beggar belief that that sort of promise could reasonably be made by a pure-play cloud provider."

The sharks are circling

The increase of the amount of linked data which is held in the same cloud sanctum makes a fatter target for hackers to aim at.

"One of the things that we're increasingly seeing, both in cloud provisioning as well as in outsourcing provisioning, is the increased use of shared services," says Logica's Ajoy Ghosh. "And the increased use of shared services results in greater aggregation, and that's what I think is one of the fundamental changes in attack profiles."

In other words, a bigger concentration of data represents a more lucrative target for the bad guys. If an attacker gains access to one company's data they might incidentally gain access to more. And with companies running some systems in the cloud and others internally, it's hard for anyone to have an end-to-end view of the entire system's security.

"For example, if I'm tasked with managing company A's cloud, typically someone else is tasked with managing company B's cloud. I won't always know what that person looking after B's cloud is doing. And that can lead to gaps, because sometimes I'll assume that he or she is covering something," Ghosh says.

But while bigger data pools represent bigger targets, they're also defended by bigger security teams. As Amazon's spokesperson put it, "Amazon's scale allows significantly more investment in security policing and countermeasures than almost any large company could afford themselves. In fact, we often find that we can improve the companies' security posture."

For SMEs in particular, the cloud could well offer far more security than what they already have in place.

"Seeing MYOB files with thousands of credit card numbers sitting on hard drives in small business offices has taught me that many small business owners don't know where their risks lie," says Marc Lehmann, founder of cloud-based accounting provider Saasu. "In the same breath they ask us if our security standards are up to scratch."


The bottom line is that security is all about balancing risk. And when you move to the cloud, it's all about contracts, service levels, and getting value for money.

Front page image credit: heavy cloud no rain image, by Robyn's Nest, CC BY-SA 2.0
