ben.eficium is the blog of Ben Slack, citizen and principal consultant at Systems Xpert.
All posts are Copyright © Ben Slack on the date of publishing.


30 November 2009

Managing Cloud Risk

A friend and client said to me the other day that “hell would freeze over” before he moved his key business data to the cloud. I was surprised by his firm resistance and asked him to explain his reasoning. It boiled down to a lack of trust in:
  1. the ability of the cloud provider to protect data from being accessed and possibly stolen by the staff of the provider and their agents; and
  2. the ability of the provider to protect against malicious external attacks.
These risks are the same risks as in any outsourcing contract and I believe they are the fundamental risks that any organization should consider in either outsourcing generally, or a move to the cloud.
The first risk, agency risk, is amplified in the cloud because it is so easy for supply chains to lengthen to a point well outside a customer's control, and it is very easy to move virtual machines between cloud providers. Backup copies of your data could end up with a multitude of cloud providers over just a few years.
[Figure: Supply-chain contracts]
For example (see figure), you may buy access subscriptions to a CRM SaaS application (1) that is hosted by a third-party ISP (2). The ISP, in turn, uses an IaaS provider (3) for the virtual servers the application is hosted upon. Additionally, the SaaS provider may use an offshore outsourcer (4) to support and maintain the application, whose own infrastructure may similarly be provided by a chain of third parties (5-7). In this situation you might have 7 (or more) different organizations with access to your data, only one of which you have a binding contract with.
The answer to mitigating agency risk is twofold. Firstly, make sure that the contract you enter into with a cloud provider or outsourcer covers all sub-contractors of the provider with the same confidentiality, privacy and professional liability conditions your provider guarantees, and that the sub-contractors are forced to guarantee these same conditions are contracted down the supply chain. Secondly, you should encrypt all sensitive data, possibly all data, in the database using the encryption methods supplied by your RDBMS or industry-standard 2048-bit public-private key encryption. This way, even if someone does maliciously access your data, it is encrypted to a level impossible for an individual acting alone to decrypt.
Addressing the risk of hacking is always problematic. Given the security flaws that are regularly discovered and addressed in Microsoft Windows and that may exist in other operating systems, this is a problem for everyone with an IT system connected to the internet. The first thing you need to do is research and investigate the security practices of your provider. Most of the big providers, such as Amazon, Google, Microsoft and SalesForce, have large security teams dedicated to protecting their cloud systems from hacking attempts and have the best firewalls money can buy. Their chance of success is likely to be much greater than that of smaller organizations and those that do not have IT as their primary competence. Even smaller cloud organizations are likely to have devoted much time and money to security. If you're in doubt about an organization's ability to protect your data from hacking attempts, you need to make them demonstrate that their security practices are robust. Ask them about the firewall they have implemented, how many security staff they employ and what measures they take to actively detect and protect against malicious attacks.
Following these few simple rules will ensure your cloud experience is as secure and risk-free as it can be and should ensure that security in the cloud is as good as you could provide yourself.