This tip is a part of the SearchCloudSecurity.com learning guide, Cloud computing risk management: Assessing key risks of cloud computing.
Based on the interview requests and emails I have received recently, I bet many of you are wondering what the significance of the recent downtime incidents at a couple of cloud providers is. Will this have a chilling effect on cloud adoption, or is it completely overblown? I have talked to several organizations with pending cloud deployment projects since these cloud outages occurred, and I believe a trend is apparent: proceed with caution.
At the Cloud Security Alliance, we often discuss a “sliding scale” of responsibility for security within the cloud. For simple Infrastructure as a Service (IaaS) solutions that consist of basic virtual machines and storage, you as the customer have most of the responsibility for implementing security solutions to meet your control objectives. You typically have to figure out how to encrypt data, detect attacks, etc. From an availability perspective, you need to think of IaaS similarly to how you would think about a single hard drive. It contains some level of risk that may need to be mitigated by a redundancy option.
What I found in the wake of the outages was that a few companies deploying cloud services took a closer look at their plans and switched their configurations to HA (high availability) options, which were either obtained from their cloud provider or from a third-party solution. In no cases did I find projects cancelled or put on significant hold. I did find a few appalling cases of a lack of appropriate security measures for fairly critical applications, and even one situation where the customer forgot to think about backups for their cloud application!
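The "single hard drive" analogy above can be made concrete with a small availability model. This is an added example, not from the original article or the CSA guidance; the uptime figures are constructed and illustrative, and the model assumes VMs fail independently while every VM in one region also shares that region's outage risk (the shared failure domain that a provider-wide outage exposes).

```python
"""Availability model for the IaaS-as-a-single-hard-drive point.

Constructed example: vm_up and region_up are illustrative availabilities
(fractions of time up), not figures from any provider.
"""

HOURS_PER_YEAR = 24 * 365


def availability_single(vm_up: float, region_up: float) -> float:
    """One VM in one region: the VM and its region must both be up."""
    return vm_up * region_up


def availability_replicated(vm_up: float, region_up: float, replicas: int) -> float:
    """N replicas inside one region: up if any replica is up AND the region is up.

    The region is a shared failure domain, so adding replicas can never push
    availability above region_up; provider-level outages are not mitigated.
    """
    any_vm_up = 1.0 - (1.0 - vm_up) ** replicas
    return region_up * any_vm_up


def availability_multi_region(vm_up: float, region_up: float, regions: int) -> float:
    """One VM per independent region: down only if every region's VM is down."""
    per_region_up = vm_up * region_up
    return 1.0 - (1.0 - per_region_up) ** regions


def expected_downtime_hours(availability: float) -> float:
    """Translate an availability fraction into expected hours of downtime per year."""
    return (1.0 - availability) * HOURS_PER_YEAR


if __name__ == "__main__":
    vm, region = 0.99, 0.999  # constructed values
    for label, value in (
        ("single VM", availability_single(vm, region)),
        ("3 replicas, one region", availability_replicated(vm, region, 3)),
        ("1 VM in each of 2 regions", availability_multi_region(vm, region, 2)),
    ):
        print(f"{label:28s} {value:.6f}  ~{expected_downtime_hours(value):.1f} h/yr down")
```

Running it shows that in-region replication is capped by the region's own availability, while spreading across independent failure domains is what actually reduces exposure to a provider outage; it says nothing about backups, which remain a separate control.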
Since the CSA’s very beginning in our initial guidance, we have expounded the concept that adoption of cloud does not relieve a customer from the responsibility of risk management. It becomes a cumulative process of incorporating the provider’s inherent risks and their risk management plan into your own plan. Some of our “old school” outsourcing instincts fail us because we used to outsource an entire application, much like Software as a Service (SaaS), and get a little sloppy in our due care when we are only outsourcing the operating system.
One thing that’s interesting in the public cloud providers’ availability and security breach incidents is the forced transparency inherent in them. You can’t hide the problem -- Twitter won’t let you!
Unfortunately, we will see more of these kinds of incidents. However, I do have hope that on the customer side these cloud outages are driving a more rigorous systems architecture and risk management approach to cloud rather than just expecting the provider to manage it. On the provider side, my hope is that the public “sunshine” is driving a greater sense of urgency to demonstrate confidentiality, integrity and availability as a competitive advantage.
About the author:
Jim Reavis is co-founder and executive director of the Cloud Security Alliance.