‘CLOUD SECURITY’ – what does this mean to people? Are we talking about security available in the Cloud – ie Security-as-a-Service – or are we talking about the security/safety of the Cloud where end users may or may not choose to store and access their data? While the Cloud Security Roundtable was very firmly focused on the latter topic, the ambiguity of the term ‘Cloud security’ is, perhaps, a good example of the confusion surrounding the Cloud as a whole, and Cloud security in particular. And, if there was one theme running through what proved to be a very lively and entertaining morning’s discussion, it was the existence of much misinformation and misunderstanding as to how the Cloud can or can’t be used to store data of varying degrees of importance.
Maybe the most surprising revelation of all is the fact that, despite an almost universal belief to the contrary, there are few, if any, pieces of legislation or industry-specific regulation that specifically forbid the use of a Cloud to store data – no matter how sensitive that data might be, and no matter where the Cloud is located.
The roundtable started with consideration of the question of whether end users are actually ‘desperate’ to be in the Cloud or not. It seems that customers perceive the Cloud to be cheaper than on-premise solutions – but this is, perhaps, the first misconception. Indeed, all the participants agreed that, although Cloud might appear to be a nice and easy, cheaper alternative to in-house IT, the reality of comparing like-for-like applications would often reveal this not to be the case. It also seems that CXOs are keen to be able to tick the Cloud box – under pressure to be seen to be doing something. However, at a technical level, there seems to be a significant level of resistance to Cloud – the simple explanation being that people are worried about their jobs.
All of the roundtable participants agreed that the overwhelming reason for end users to consider moving some or all of their activities into the Cloud (regardless of any perceived cost advantages or the pressure to ‘be in the Cloud’) is the reality that Cloud security is superior to on-premise security. As one participant put it: “There’s a general assumption that on-premise IT is secure, but most in-house security teams are inept.”
Cloud Service Providers (CSPs), by contrast, have a significant motive to be more secure and more transparent than the in-house team; after all, it’s their reputation on the line.
To back up this assertion, the simple example of corporate email was cited – with the suggestion being that the Cloud is very secure for email – ‘365 or Gmail is much more secure than the average in-house email system’.
Specific reference was made to the recent Sony security breach, with all the evidence suggesting that, if Sony had held the data offsite, it would have been much more difficult for the miscreants to pivot off a desktop into the data centre. Cloud by its very nature defines the separation of the desktop and the data centre.
Discussion also covered the fact that, for many companies, their IT infrastructure is the result of many years of not-so-planned development, including mergers and acquisitions, and, as a result, it’s virtually impossible to guarantee in-house security. This is all the more so when one considers how difficult it is to secure, say, some 400,000 endpoints. Cloud offers the opportunity to have a defensible network, and it may well be that customers come to realise that they are unlikely to do any better at security than a Cloud provider. As one participant observed: “Where do most people secure their most important home/personal documents and possessions? In a bank vault. And it should be the same with security, and Cloud.”
The simple likelihood is that a CSP has more insight and more knowledge than an end user, who might have access to IDS logs, server logs and the like, but is unlikely to be able to correlate all this information. Handing over security to the Cloud might seem like losing control, but end users need the assurance that, by using a CSP, they are actually gaining control.
Not all Cloud security is created equal
Having established that, for almost all end users, Cloud security is likely to offer a better security solution than anything in-house, the debate moved on to how the Cloud is being used by customers and, more importantly, how it should be used by them. In simple terms, it seems that, while the potential benefits of Cloud are huge, these need to be accessed in a diligent fashion. It’s not good enough either to let everyone in an organisation ‘do their own thing’ in terms of accessing Cloud services, or to hand over everything to a Cloud/service provider and trust them to do everything for you.
One participant quoted the example of a client who ended up a victim of Cloud ‘sprawl’ – where business teams were going out and doing their own thing, with very little central control, and, when a particular credit card expired, Amazon killed the corresponding service.
And then there’s the issue of who is responsible for what parts of any Cloud service. And this is where the due diligence kicks in. It’s not good enough to move various IT functions into the Cloud and assume that they will be alright. It’s essential to understand just what the CSP is offering in terms of performance and service levels, any liability and/or compensation if things do go wrong, and, perhaps most important, transparency – so the customer can see and understand where corporate data is and how it is being protected and accessed.
Unsurprisingly, there’s no such thing as a free or even cheap Cloud service that is enterprise-fit. If that sounds obvious, less so is the fact that the nuances of the many different Cloud offerings are little understood by end users. For example, the basic enterprise Cloud providers are happy to offer a really secure IT infrastructure, but don’t provide much, if anything, in the way of specific data security; they will deny that they have any ability to cause data to be leaked or lost (and accept no liability for it) – it’s down to the end user to protect the data. Core Infrastructure-as-a-Service offerings provide compute, memory and storage and little else.
Furthermore, many of these ‘basic’ offerings won’t advertise the fact that their admin employees can see the customer’s data – a distinct lack of security. They seem to operate on the basis of: ‘If you don’t ask, we won’t tell you’.
So, the starting point is to ask any prospective Cloud provider: ‘Just what do you assure me?’ And the answer should include a mixture of compliance certification and supporting policy documentation to demonstrate the level of security being guaranteed. In reality, the answer should involve a discussion between the CSP and the customer so that both parties understand what needs to be secured and by which party. For example, in securing an application layer and how employees access it via a mobile device, the CSP and end user need to agree as to where the data is going to reside and also understand where the privileged users are based.
Auditability
To demonstrate the complex nature, and potential pitfalls, of this process, one participant (a security vendor) gave the example of a FTSE 100 defence contractor who wanted to investigate potential industrial espionage. The defence contractor asked the vendor for the firewall logs, but the security contract had been outsourced to an MSP, and nowhere in the contract did it say that the firewall logs had to be provided by the vendor. In the end, the firewall logs were provided for an agreed (extra) cost. The lesson here: as the customer, make sure you have access to auditable logs!
Asking the right questions up front is crucial to understanding what any particular Cloud service actually offers. As one participant explained, many end users are more than happy to use Salesforce.com, but how many of them know exactly what access controls are in place ‘behind the scenes’, where their data is hosted and who provides the security around this hosting?
In the Public Cloud, where there’s a multi-tenant environment using shared infrastructure, is there a security issue or not? In general, the answer seems to be not – there are very few proven guest-to-host liabilities, the CSPs do isolate workloads from each other, and many of them use Fibre Channel, which is more secure than Ethernet.
All the participants agreed that the ‘data controllers’ – the end users responsible for data security – need to take more interest in the security process, and understand what tools are available in the market. For example, it’s possible, and probably desirable, to encrypt data both in flight and at rest.
However, the participants also conceded that they and their peers have a responsibility to go out and educate the market. This education needs to focus not just on what is possible for the end user in terms of accessing secure Cloud services, but also on helping the customer to analyse and optimise their existing data practices. Some CSPs may well be happy to undertake this process as part of the bidding process. Others will charge a professional services fee – after all, this discovery/education exercise could take weeks rather than days, and do they want to be giving their time for free when the prospective client is, for example, currently backing up vast quantities of spam?!
This education also needs to take account of the fact that some end users are Cloud sceptics, so need to be convinced of the reasons to embrace the Cloud model; while others are happy to move to the Cloud, but don’t understand exactly what it is they need and/or what they are allowed to do in the Cloud, depending on the industry in which they operate.
Legislation, regulation and procrastination
There followed a lively debate on the subject of legislation and industry regulation. The overwhelming frustration seemed to be that, whether a legal requirement, or an industry-specific requirement, the frameworks around security are, in many cases, too prescriptive. In short, they tell end users, step-by-step, what they must do to secure their data, ignoring the fact that, frequently, there are better ways of achieving the required security. As one participant explained: “There should be less prescriptive and more general security advice available – we need some general models. Everyone is worried about their own little bit but doesn’t see the bigger picture.”
Furthermore, much of this security regulation is not fully understood by end users. In particular, the participants were frustrated that many end users do not understand where their data can or can’t be hosted. “Data can be harboured elsewhere – almost all of it, but frequently end users will tell us that the Data Protection Act prevents them from allowing their data outside the UK,” explained one participant. “With most companies it seems to be a case of them thinking that, if their data stays in the UK, then they’re safe. So there’s a significant difference between internal company policy and what the law requires – data can be moved around, although the perception remains that it can’t!”
Right now there’s a mixture of fear and uncertainty in the market. But how best to address this? This leads on to the question: ‘Does Cloud need to be regulated?’
While conceding that, in the EU, regulators like to regulate, whether or not regulation is required, there was a general agreement amongst the participants that, if Cloud regulation helps customers to understand what Cloud they are getting, then it must be a good thing.
However, the suggestion was not to have prescriptive regulation that would quickly date itself, rather an industry standards body that would try and put together a list of requirements around Cloud and security, and put some kind of a framework around these. This would not lead to the creation of a standard Cloud contract or standardised SLAs, rather the coming together of the Cloud industry to define a set of Cloud standards that would help end users as they carried out the appropriate risk assessment process ahead of any investment in the Cloud.
While various attempts to address the issue of IT security management already exist, including the ISO 27001 and 27018 standards, the participants felt that it was important for the Cloud industry to create its own Code of – not least because the investment required to meet the ISO standards is substantial and might well be a deterrent to many end users, who, nevertheless, need some kind of reassurance around Cloud security. One participant summarised: “The Cloud industry has to be seen to be self-governing and agreeing on an approach to regulation – this will send a strong, positive message to end users.” The fear is that, if this does not happen, then there’ll be a ‘race to the bottom’ – with security levels actually falling.
Data privacy
The roundtable debate then moved on to the topic of data privacy. Clearly, the major fear in terms of the Cloud is the issue of data being stolen and/or destroyed and/or used maliciously, but there is a growing awareness amongst end users that any data they give to a third party IT service provider could well be used ‘against’ them – whether by a government agency, or by that service provider and its partners, to try and sell other products and services. Once again, due diligence is key. While many folks seem happy to sign up to various social media offerings without checking out the terms and conditions, such an approach is not recommended when it comes to Cloud contracts. End users do need to ask where their data is going to be held and who can access it.
End users also need to be logical in their approach to the issue of data privacy. In recent times, there’s been plenty of high profile news surrounding the US’s National Security Agency (NSA) and its apparent ability to demand access to data held by all manner of IT and telco-related organisations, so storing data in the US is a no-no for many (non-US) end users. However, if folks in the UK and mainland Europe think that their own security agencies are not busy snooping around, then that’s naïve in the extreme.
There seems to be a lot of ignorance surrounding data privacy and what does, or doesn’t go on. Ultimately, any decision as to whether or not to put specific data sets into the Cloud depends on an individual’s attitude to the trade-off between accessing all the benefits that Cloud has to offer versus the very remote possibility that some corporate data might well be viewed by some third parties. In simple terms – one either believes in Big Brother or not, and even if one believes, is Big Brother’s omniscience such a big deal?
SLAs
For many end users keen to embrace the Cloud, the Service Level Agreement is the peace-of-mind guarantee that makes all of the above debate an irrelevance. If something goes wrong, then the customer is handsomely compensated for the security breach/downtime/poor performance… Wrong! Firstly, trying to establish accountability for any security breach in, say, a Hybrid Cloud model, where data is held on-premise and in an off-site Cloud, could prove extremely difficult. Secondly, even if the Cloud provider is proved to be responsible for the breach, it’s highly unlikely that they will want to offer, or be able to offer, an appropriate level of compensation. For example, if an end user’s data, stored in the Cloud, is lost, then the end user could be fined millions for this error, but the CSP won’t sign up to such a liability. This understandable situation has led to a rapid growth in the cyber insurance market, where end users can protect themselves from the financial penalties of a security breach. However, the reputational damage is not so easily dealt with.
Conclusion
A group of Cloud and IT security experts concluding that ‘there’s no such thing as perfect security’ might seem unsurprising (apparently the only secure computer is the one in pieces at the bottom of the ocean!), but the roundtable debate highlighted the fact that this is not an excuse for either end users or CSPs to ignore their respective responsibilities. End users need to understand what it is they are signing up to when they move data to the Cloud – risk assessment and due diligence being crucial; CSPs need to be as transparent as possible, welcoming the chance to show potential customers how their IT infrastructure and services are designed to avoid security breaches wherever possible and, as importantly, how they will respond if a breach does occur.
Right now, security is seen as a major stumbling block when end users look at the Cloud. With a better understanding of the issues involved, it may well be that many of these end users come to realise that security is something of a red herring, especially when set against the many benefits that the Cloud has to offer. After all, as one roundtable participant put it: ‘If you were starting a business today, you just wouldn’t think of buying any hardware’.
Photo caption – from left to right: Gordon Davey (Dell UK), Don Smith (Dell SecureWorks), Kurt Hagerman (FireHost), Scott Nicholson (Adapt), Phil Worms (iomart), Jamie Tyler (CenturyLink), Alex Hilton (Cloud Industry Forum), Frank Jennings (Wallace LLP), Phil Alsop (Editor, Data Centre Solutions), Mike West (MD of Keysource, representing the Data Centre Alliance).