The Dangers of Cloud Computing

By jheary on Fri, 05/28/10 - 3:03pm. networkworld.com

Cloud services can be a huge money saver for businesses and looks to be the future direction of IT for many. I'm a huge proponent for cloud services as long as folks enter into agreements with their eyes wide open. To this end here are five things you need to be aware of before you move your data to a cloud service.

There are three types of cloud services: Infrastructure as a Service, Platforma as a service, and Software as a service. Most of the concerns I'll talk about will apply to all three types.

Right to audit your cloud provider - Many default contracts will not provide you with the right to audit your cloud services appropriately or in some cases at all. You need to make sure that you retain the same auditing rights as you would expect to have in your own data center. At least that is the ask for, the reality is you'll probably end up with something a bit less than that type of auditing access but aim high. Be sure to ask how they control privacy in a multi-tenant environment where everyone has the same right to audit policy. You need to make sure that your services are properly segmented from others so they cannot audit you as well. Be aware that there are no private or public regulations for auditing cloud services today. We need a trusted third party who will do this auditing for us and allow us to compare the security of similar cloud provider services. Until this happens we each need to fight independently to get the auditing rights we desire in our contracts.

Data Privacy Concerns - In almost all cases if you have a IaaS or PaaS service then you should be encrypting your data at rest. Be sure the Key server is not also stored in the cloud service as this would defeat the purpose. Have the key server be at your corporate site or some other site not related to the cloud provider. Why should your data you ask? Well, in a nut shell when you move data the question of "Is it still just your data" becomes a very real one.

Cloud providers are subject to law enforcement subpoenas, surveillance and data seizure activities that you wouldn't normally be subjected to in your own Datacenter. Loss of 4th amendment rights for US companies are also at issue. By moving data to a cloud service you may be decreasing your protection from search of your data by law enforcement and civil plaintiffs? A warrant with a gag order mean that’s that your cloud provider must provide your data without notifying you they did so. Ability to protest a warrant is also compromised because the warrant is issued to the provider not your business. There is no legal obligation for the cloud provider to inform their customers that data was given because of a court order, etc.
In one case the FBI seized assets the physical assets/servers from a co-location provider. Over 50 innocent companies were shutdown in the process because their data was intermingled with the FBI target. Read more here FBI raids Data Center . When one of the affected companies tried to sue the texas court ruled that the FBI had the right to do this.

Digital Forensics - Cloud services do not lend themselves well to the methodical collection of digital forensics. If you do have a security breach, digital forensics become critical to finding out how extensive the breach was. Several state and local governments now have "breach notification" laws on the books. In addition the healthcare hi-tech law and PCI require you to notifiy customers of a breach. The notification methods sometimes vary based on the size of the breach. Be sure your contract provides you with the necessary forensics capabilities you'll need. Chain of custody is also an issue. Be sure your provider will not hamper your ability to prosecute criminals. Ask them about how they handle log and other important data.

Penetration Testing - Penetration testing is usually prohibited in the default contracts of cloud providers. However, this is a requirement of PCI and most security policies. This is a trick problem for cloud providers. On the one hand they want to provide their customers with this capability but on the other hand providing this to them could cause damage to their systems and other customers service if used incorrectly. Several large cloud providers, like Amazon and Google, are letting customers scan their own equipment and services. This is a good step forward, but it still lacks the ability to scan the cloud providers infrastructure. You should ask for this capability or an equivalent (like a periodic report from a trusted third party scanning service) in your contract.

Natural disasters and end of contract issues - Be sure to ask your cloud provider how they deal with the following:
•Natural Disaster clean up
•Removal of data at contract end. Can you verify it's destruction?

Cloud providers are getting better at securely disposing of your data at the termination of your contract but you still need to ask or look in your contract to be sure it meets your needs. Ideally, they should either physically destroy hard-drives or perform an approved Department of Defense erase procedure.

An often-overlooked issue is how cloud providers deal with the protection of your data during and after a natural disaster. For example, if a hurricane hits their datacenter and rips it apart what are their procedures for keeping your data secure. In many cases the physical access controls will be rendered inoperable by the storm and worst case servers could be strewn throughout the site. They need to show you a comprehensive plan for securing the site and your data during the clean up effort. You don't want volunteers picking up the pieces.

Those are five of the things you should be aware of and check on before you sign a contract with a cloud provider. For more good info on what to ask for in a contract or service see the excellent guide done by the cloud security alliance here http://www.cloudsecurityalliance.org/

What other things are you making sure to look for when considering a cloud provider's services?