Tarak Modi, CISA, CISSP, PMP
Cloud computing has grown from being a promising business concept to one of the fastest-growing segments of the IT industry. Tough economic conditions and constant pressure to accomplish “more with less” are prime catalysts to the realization that tapping into the cloud can allow fast access to best-of-breed business applications and computing resources, storage, and other infrastructure at negligible cost.
But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment the cloud really is. The most common safety concerns are the security (confidentiality, integrity and availability) and privacy of the data stored in the cloud. These concerns are not unwarranted, as evidenced by just a few of the headlines on cloud-computing-related breaches within a six-month period between February and July 2009:
Despite these headlines, the problem is not necessarily with cloud computing, since data security breaches and availability concerns such as these are not new. Furthermore, even though cloud computing has added a few more twists in the never-ending security saga, it has primarily served to bring the existing concerns to the forefront at a level at which even end users are thinking about data privacy. As Twitter founder Biz Stone said in a blog posting7 following the Twitter compromise, “It isn’t about any flaw in web apps; it speaks to the importance of following good personal security guidelines, such as choosing strong passwords.”
This article explores common-sense strategies to ensure an organization’s cloud computing endeavors are successful and unproblematic.
Cloud computing is an emerging pay-per-use computing model that enables convenient, on-demand network access to a shared pool of configurable and reliable resources.8 In other words, it allows users access to their applications from anywhere through any connected device. Although the applications reside in massively scalable data centers where computational resources can be dynamically “resized” to fit the user’s changing requirements, a user-centric interface makes this complex cloud infrastructure transparent to users.
The fundamental business model of a cloud facilitates more efficient use of existing resources. Since clouds require users to commit to predefined start and end dates for resource requests, IT organizations can more effectively plan, manage capacity, and repurpose IT-related investment and resources. Conversely, as users realize that they can get resources within minutes of a request, they are less likely to hoard resources, thus creating a virtuous circle of efficient resource request, allocation, usage and deallocation.
A cloud enables users to consume IT resources in the data center in ways that were never available before. A traditional procurement cycle (without clouds) could take several months from the time a request is made to the time the resource is available for use. The process involves many steps, such as procuring hardware; finding raised floor space and sufficient power and cooling; allocating administrators to install operating systems, middleware and software; provisioning the network; and securing the environment. Even in IT organizations that reprovision existing hardware resources, the process could still take several weeks. A cloud can dramatically alleviate this problem by implementing automation, business workflows and resource abstraction that allow a user to browse a catalog of IT services, add them to a shopping cart and submit the order. An administrator approves the order, the cloud does the rest, and the procurement cycle has just been short-circuited from months to minutes.
Therefore, it is evident that cloud computing touts many benefits. Simply stated, the user has access to a powerful yet simple, robust yet elastic, pay-as-you-go, self-service environment. IT shops benefit with a reduced total cost of ownership (TCO), higher agility with greater responsiveness to changing business needs and a reduced overall risk posture.
Despite its many benefits, cloud computing is fraught with business- and technology-related concerns. Three major areas include those around the cloud vendor itself, legal issues and security/privacy of data.
Vendor/Business-related ConcernsGartner puts the cloud services market at US $46 billion last year, jumping to US $56 billion in 2009 and US $150 billion by 2013.9 With so much to gain, it is no wonder that close to 100 vendors now offer cloud platforms to companies seeking to outsource their IT infrastructure, application and data storage/management. However, let the buyer beware, as many of these vendors are too niche-oriented and too small to expand significantly or act as consolidators. Simply put, will the vendor selected be in business several years from now? Answering this question requires careful examination of the vendor’s financial assets, its size, cash flow and stability (management and workforce).
While selecting a cloud vendor, the organization should not overlook a careful examination of the long-term strategy and commitment of the vendor. If the vendor is a company that came into existence solely with cloud computing, vendor viability might be suspect. On the other hand, there are vendors that have been around for a while with offerings in areas such as grid and utility computing that now claim to offer cloud computing as well. The question is: how serious is the vendor’s commitment to the cloud? And, can this commitment be measured tangibly in terms of development, marketing, sales and support resources allocated to the effort?
To get an optimum return on investment (ROI), the vendor selected must have a “buffet” of pricing options. Does the vendor selected have a flexible enough pricing model to support the organization’s needs as its business grows or declines? As an example, consider Amazon’s EC2 pricing model, which allows pricing variations based on both dynamic and reserved instances (of cloud computing capacity) as well as data transfer (in and out of the cloud).
Ever notice how things always seem to break or not work just when they are needed most? That is why evaluating the vendor’s professional services and customer service track record is of prime importance. Possible questions include: Is there adequate documentation? Is customer support 24/7, and is it based on a standardized model such as ITIL? Also, the organization should check existing customer references.
Finally, it is important to evaluate the vendor’s partnerships and community involvement. How actively is the vendor involved in standards organizations on cloud computing, such as the Open Cloud Manifesto and the Cloud Computing Interoperability Forum (CCIF)? Ascertaining this can help build confidence in the vendor’s commitment to keeping up with the latest advances (standards, technology and practices) in cloud computing. This, in turn, shows the vendor’s commitment to providing the client with a standards-based, secure and interoperable cloud computing platform.
Legal/Compliance-related ConcernsBy its very definition, cloud infrastructure (storage and servers) is expected to be spread across multiple geographical (national and international) boundaries. This raises issues around data privacy when data are stored and transferred across these boundaries. Complicating matters further is the tremendous diversity that exists in data privacy legislation, ranging from moderately regulated in the US to heavily regulated and rigidly enforced in Europe. Although a service level agreement (SLA) is a common risk mitigation tool that establishes a baseline service guarantee between the organization and the vendor, just how enforceable the SLA is depends on how “viable” the vendor is. Another factor affecting SLA and contract enforceability is where the vendor is “legally” located (remember it could be another country) and who has jurisdiction over legal disputes arising from SLA violations.
Yet another complicating factor is that investigating inappropriate or illegal activity in a cloud could be very difficult, as logging and data for multiple customers may be colocated and spread across many hosts and data centers. It is best to find out in advance whether the vendor has been able to support such investigations in the past and to get the appropriate contracting agreement in place prior to final commitment.
Security- and Privacy-related ConcernsProbably the most talked about area of concern around the use of cloud computing involves data security and privacy. To address this concern, the organization must look at two aspects of the cloud: management and technology. The management side involves examining the vendor’s security-and privacy-related policies for its cloud and evaluating how these policies are managed, decided upon and, most important, enforced via both management and technology-based controls. Also, the organization should be sure to ask for the procedures that implement the policies, as these will indicate how ingrained the policies are within the vendor’s organizational culture. Ill-defined procedures are typically a sign of lack of senior management support for the defined policies. The technology side involves making sure that adequate technology controls have been in place in support of the defined policies. Typical technical controls include encryption mechanisms, access control devices, authentication systems, virtual private networks (VPNs), firewalls and antivirus systems.
A key aspect of cloud computing is that of “multitenancy,” in which data in the cloud are typically in a shared environment alongside data from other customers. Encryption is effective but is not a cure-all. The organization must understand who its neighbors are in terms of who else is sharing the cloud infrastructure. The organization should find out if the vendor has good discipline over separation of data, processes and even infrastructure, if needed. The organization should try getting insight into the vendor’s employee hiring practices and subsequent training practices regarding privacy and security.
Finally, what happens in the case of a disaster? The organization should make sure that the vendor replicates the data and application infrastructure across multiple sites to ensure that it is less vulnerable to a total failure. The organization should always review the vendor’s business continuity and disaster recovery plans to understand whether it has the ability to do a complete restoration and how long it would take.
Figure 1 summarizes the areas of concern, possible threats, potential risks and optional mitigation strategies discussed here.
Granted cloud computing is not as mature as one would like, it is also no longer just a fledgling technology. As discussed in the beginning of this article, companies that successfully leverage cloud computing can reap many benefits. Understandably, taking the leap of faith in deciding to leverage cloud computing can be an overwhelming task, but it is a critical task that must be performed diligently to ensure that the organization’s trust in the cloud is not misplaced. Smart consumers are those who avoid the “gotchas” by asking the right questions, thereby ensuring that the cloud they are walking on is truly cloud nine.
1 A US-originated term that means in a state of blissful happiness.2 Google Inc., “On Yesterday’s E-mail,” The Google Docs Blog, http://googledocs.blogspot.com/2009/03/onyesterdays-email.html3 Electronic Privacy Information Center (EPIC), FTC complaint concerning Google data breach, 17 March 2009, http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf4 Google Inc., “Update on Today’s Gmail Outage,” The Google Docs Blog, 24 February 2009, http://gmailblog.blogspot.com/2009/02/update-on-todays-gmail-outage.html5 Metz, Cade; “Google Evaporates Docs and Spreadsheets Cloud,” The Register, 8 July 2008, www.theregister.co.uk/2008/07/08/docs_and_spreadsheets_goes_down/6 Kaplan, Dan; “Intellectual Property Belonging to Twitter Exposed in Hack,” SC Magazine, 15 July 2009, www.scmagazineus.com/intellectual-property-belonging-totwitter-exposed-in-hack/article/140157/7 Stone, Biz; “Twitter, Even More Open Than We Wanted,” Twitter Blog, 15 July 2009, http://blog.twitter.com/2009/07/twitter-even-more-open-than-we-wanted.html8 National Institute of Standards and Technology, “Cloud Computing,” NIST definition, http://csrc.nist.gov/groups/SNS/cloud-computing/9 Gartner, “Forecast: Sizing the Cloud; Understanding the Opportunities in Cloud Services,” 18 March 2009, www.gartner.com/DisplayDocument?id=914826
Tarak Modi, CISA, CISSP, PMPprincipal architect at G&B Solutions, is a seasoned business leader, skilled enterprise architect and published author with more than 15 years of proven experience solving business problems by aligning business and IT. He has co-authored Professional Java Web Services and has written more than 80 articles related to IT management and transformation. Modi currently leads the cloud computing and security C&A practices within G&B as part of the CTO office.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.