Third-party data control


The legal implications of data and applications being held by a third party are complex and not well understood. There is also a potential lack of control and transparency when a third party holds the data. Part of the hype of cloud computing is that the cloud can be implementation independent, but in reality regulatory compliance requires transparency into the cloud.

All this is prompting some companies to build private clouds to avoid these issues and yet retain some of the advantages of cloud computing. For example, Benjamin Linder, Scalent System’s CEO, says: “What I find as CEO of a software company in this space, Scalent Systems, is that most enterprises have a hard time trusting external clouds for their proprietary and high-availability systems. They are instead building internal "clouds", or "utilities" to serve their internal customers in a more controlled way.

Third-party data control Threat #1. Due diligence

Due Dilegence - Third-party Data Control
 If served a subpoena or other legal action, can a cloud user compel the cloud provider to respond in the required time-frame? A related question is the provability of deletion, relevant to an enterprise’s retention policy: How can a cloud user be guaranteed that data has been deleted by the cloud provider?

Third-party data control Threat #2. Auditability

Auditability - Third-party Data Control

 Audit difficulty is another side effect of the lack of control in the cloud. Is there sufficient transparency in the operations of the cloud provider for auditing purposes? Currently, this transparency is provided by documentation and manual audits. Information Security Magazine asks: “How do you perform an on-site audit when you have a distributed and dynamic multi-tenant computing environment spread all over the globe? It may be very difficult to satisfy auditors that your data is properly isolated and cannot be viewed by other customers.

A related concern is proper governance of cloud-related activity. It’s easy, perhaps too easy, to start using a cloud service.

One popular auditing guideline is the SAS 70, which defines guidelines for auditors to assess internal controls, for instance controls over the processing of sensitive information. SOX and HIPAA are other well-known regulations. US government agencies generally need to follow guidelines from FISMA, NIST, and FIPS.

Certain regulations require data and operations to remain in certain geographic locations. Cloud providers are beginning to respond with geo-targeted offerings.

Third-party data control Threat #3. Contractual obligations

Contractual Obligations - Third-party Data Control
 One problem with using another company's infrastructure besides the uncertain alignment of interests is that there might be surprising legal implications. For instance, here is a passage from Amazon’s terms of use:
10.4. Non-Assertion. During and after the term of the Agreement, with respect to any of the Services that you elect to use, you will not assert, nor will you authorize, assist, or encourage any third party to assert, against us or any of our customers, end users, vendors, business partners (including third party sellers on websites operated by or on behalf of us), licensors, sublicensees or transferees, any patent infringement or other intellectual property infringement claim with respect to such Services.
This could be interpreted as implying that after you use EC2, you cannot file infringement claims against Amazon or its customers suggesting that EC2 itself violates any of your patents. It's not clear whether this non-assert would be upheld by the courts, but any uncertainty is bad for business.

Third-party data control Threat #4. Cloud Provider Espionage

Cloud Provider Espionage - Third-party Data Control
 This is the worry of theft of company proprietary information by the cloud provider. For example, Google Gmail and Google Apps are examples of services supported by a private cloud infrastructure. Corporate users of these services are concerned about confidentiality and availability of their data. According to a CNN article:
For Shoukry Tiab, the vice president of IT at Jenny Craig, which uses Postini and Google Maps, the primary concern is security and confidentiality. "Am I nervous to host corporate information on someone else's server? Yes, even if it's Google."

Note that for consumers, there were initially widespread confidentiality concerns about Gmail, but now those concerns seem to have faded. We believe this is an example of the Privacy Hump:
Early on in the life cycle of a technology, there are many concerns about how these technologies will be used. These concerns are lumped together forming a “privacy hump” that represents a barrier to the acceptance of a potentially intrusive technology…. Over time, however, the concerns fade, especially if the value proposition is strong enough.

Consumers at least seem to have decided that, in this case, the dangers of placing their data in the cloud were outweighed by the value they received.

Third-party data control Threat #5. Data Lock-in

Data Lock in - Third-party Data Control

 How does a cloud user avoid lock-in to a particular cloud-computing vendor? The data might itself be locked in a proprietary format, and there are also issues with training and processes. There is also the problem of the cloud user having no control over frequent changes in cloud-based services. Coghead is one example of a cloud platform whose shutdown left customers scrambling to re-write their applications to run on a different platform. Of course, one answer to lock-in is standardization, for instance GoGrid API.

Third-party data control Threat #6. Transitive nature

 Another possible concern is that the contracted cloud provider might itself use subcontractors, over whom the cloud user has even less control, and who also must be trusted. One example is the online storage service called The Linkup, which in turn used an online storage company called Nirvanix. The Linkup shutdown after losing sizeable amounts of customer data, which some say was the fault of Nirvanix. Another example is Carbonite, who is suing its hardware providers for faulty equipment causing loss of customer data.

Cloud Computing Security Pattern

Cloud Computing Security Pattern - Cloud Security Threats
Cloud Computing Security Pattern

Legend:
Services provided by the Cloud Computing environment are not under direct control and therefore a few control families become more significant. Controls in the CA series increase in importance to ensure oversight and assurance given that the operations are being "outsourced" to another provider. SA-1/4/5 are crucial to ensure that acquisition of services are managed correctly. CP-1 helps ensure a clear understanding of how to respond in the event of interruptions to service delivery. The RA controls are very important to understand the risks associated with the service in a business context, but may be challenging to implement, depending on the supplier and the degree of visibility into their operations.

Availability


These concerns center on critical applications and data being available. Well-publicized incidents of cloud outages include Gmail (one-day outage in mid-October 2008), Amazon S3 (over seven-hour downtime on July 20, 2008), and FlexiScale (18-hour outage on October 31, 2008).

Availability Threat #1. Uptime

  As with the Traditional Security concerns, cloud providers argue that their server uptime compares well with the availability of the cloud user’s own data centers.
Availability Threats #1: Uptime
Uptime

Besides just services and applications being down, this includes the concern that a third-party cloud would not scale well enough to handle certain applications. SAP’s CEO, Leo Apotheker said: “There are certain things that you cannot run in the cloud because the cloud would collapse…Don't believe that any utility company is going to run its billing for 50 million consumers in the cloud.”

Traditional Security

These concerns involve computer and network intrusions or attacks that will be made possible or at least easier by moving to the cloud. Cloud providers respond to these concerns by arguing that their security measures and processes are more mature and tested than those of the average company.  Another argument, made by the Jericho Forum is:  "It could be easier to lock down information if it's administered by a third party rather than in-house, if companies are worried about insider threats… In addition, it may be easier to enforce security via contracts with online services providers than via internal controls".
Concerns in this category include:

Traditional security Threat #1. VM-level attacks

VM Level Attacks - Cloud Security Threats
VM-Level Attacks
 Potential vulnerabilities in the hypervisor or VM technology used by cloud vendors are a potential problem in multi-tenant architectures.  Vulnerabilities have appeared in VMWare, Xen, and Microsoft’s Virtual PC and Virtual Server. Vendors such as Third Brigade mitigate potential VM-level vulnerabilities through monitoring and firewalls.

Fear of Security in Clouds


Organizations are rapidly turning to the Cloud to reduce costs, provide greater flexibility and quickly ramp up support of business needs. But as more data, applications and infrastructure move to the Cloud, security remains a top concern. In fact, according to the Cloud Security Alliance, security is cited as the number one barrier to adoption of Cloud services among organizations.

Organizations use the Cloud in a variety of different service models (SaaS, PaaS, IaaS) and deployment models (Private, Public, Hybrid). Regardless of how your organization leverages the Cloud, Cloud Security Threats can help your organization manage the security, risk and compliance concerns.

Cloud computing will reach mainstream adoption in the enterprise market by 2015


Cloud computing will reach mainstream adoption in the enterprise market by 2015 when key issues such as security, service availability and data sovereignty are expected to be ironed out.

Secured Cloud Computing
According to Simon Piff, associate vice president for enterprise infrastructure research at IDC Asia-Pacific, businesses today are still hesitant in utilizing cloud computing for much of their IT needs due to concerns over security, service reliability, data location and sovereignty, as well as vendor support.

Cloud Computing - An Introduction


Cloud Computing:

 Cloud Computing is a technology, which provides computation, software, data access and storage services, without requiring the client/end-user knowledge of the physical location and configuration of the system that delivers the service.

Types of cloud computing:

  Cloud Computing can be classified into 4 types based on hosting.