Cloud computing vendor lock-in: Avoiding security pitfalls

Unscrupulous cloud providers can use security controls to make it hard to switch vendors. Know the questions to ask to avoid cloud lock-in.

Most of us already know from personal experience that changing from one service provider to another can be challenging. Think about, for example, the level of frustration you may have experienced in the past changing your telephone company, Internet provider or cell phone service. The process of ending a service provider relationship is always likely to be rockier than other interactions you have with them -- that’s a natural consequence of business dynamics.

Let’s face it, a service provider isn’t usually inclined to provide a seamless process for sending business to competitors. But what customers may not realize is that less-scrupulous service providers can -- and actively do -- build in roadblocks with the specific intent of locking in customers. That is, they make the process of transitioning more difficult by design to help increase customer retention (i.e., “stickiness”).

This happens in the cloud, just like it happens in other service provider relationships: Cloud service providers -- again, the less scrupulous ones -- sometimes make transitioning off their platform harder than it could be. One way they do this is through security controls. The purpose of security controls is to limit access to data; this fact makes it easier for a service provider to invoke “security requirements” as an excuse for why they’re unable or unwilling to provide critical pieces of data to enable a smooth transition.

It’s important to ask a few questions about how your security controls are architected so you can prevent cloud computing vendor lock-in. Below are some questions to ask and a few strategies for keeping the services you buy -- not to mention your data -- unencumbered.

Cloud vendor lock-in question 1: Who owns your data?

An important topic -- and one that isn’t by any means unique to this discussion -- is ownership of the data you send to service providers. Unless you’ve contractually established that ownership of the data is specifically yours, the answer to “who owns it” might be less clear than you think. Reputable service providers recognize the data is yours without needing to be asked, but not every service provider is equally reputable. Establish contractually that ownership of the data stays with your organization throughout the lifetime of the engagement.

Cloud vendor lock-in question 2: Will your service provider give your data back to you?

Assuming that you retain ownership of the data, the question then becomes how and in what format your service provider will give it back to you. Finding out at the conclusion of a relationship that they’ll give it back to you only in a format you can’t easily use, such as backup tapes made by tools you don’t own, isn’t useful. Negotiate contractually that you want them to provide you with the data in a format you specify, ideally whenever you feel like asking for it. Test beforehand to make sure the provider can actually meet your requirements, to avoid any mishaps in the middle of a transition.

Cloud vendor lock-in question 3: Can you access the data?

Be aware of any security controls applied to the data, such as encryption, that could prevent you from gaining logical access to the data even if you physically possess it. For example, if the data is encrypted, do you have access to the decryption keys? Again, test the process to make sure you can actually get to all data elements. Pay particular attention to database structures that may have column-level encryption applied to particular elements, since these a) may not be immediately apparent in a raw export, and b) may require effort from the service provider to supply keys if encryption is done at the application level. It can also be useful to escrow keys on your premises (secured, of course) in case a provider ceases operations; that way you’re not reliant on its newly unemployed and unmotivated staff to track them down after the fact.
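
One way to run the test described above, as an added example that is not part of the original article: a Python check that scans a CSV export and flags columns whose values look like ciphertext, so you know which keys to request. The column names, thresholds and sample rows are assumptions constructed for illustration.

```python
import base64, binascii, csv, hashlib, io, math
from collections import Counter

MIN_BLOB = 16      # bytes; one AES block, assumed lower bound for a ciphertext value
MIN_ENTROPY = 6.0  # bits per byte over the pooled column; assumed threshold
MIN_SHARE = 0.8    # share of non-empty values that must decode as opaque blobs

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def as_blob(value: str):
    """Return decoded bytes if value is strict base64 of >= MIN_BLOB bytes, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) >= MIN_BLOB else None

def opaque_columns(csv_text: str) -> list:
    """Names of columns whose values look like ciphertext rather than plaintext."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = []
    for col in (rows[0].keys() if rows else []):
        values = [r[col] for r in rows if r[col]]
        blobs = [b for b in map(as_blob, values) if b is not None]
        mostly_blobs = bool(values) and len(blobs) / len(values) >= MIN_SHARE
        if mostly_blobs and entropy(b"".join(blobs)) >= MIN_ENTROPY:
            flagged.append(col)
    return flagged

def sample_export() -> str:
    """Constructed export; ssn_enc holds SHA-256 output as a stand-in for ciphertext."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["id", "email", "ssn_enc", "plan"])
    for i in range(1, 6):
        digest = hashlib.sha256(f"row{i}".encode()).digest()
        writer.writerow([i, f"user{i}@example.com",
                         base64.b64encode(digest).decode(), "basic"])
    return out.getvalue()

if __name__ == "__main__":
    print(opaque_columns(sample_export()))
```

This is a heuristic: random tokens and hashes are flagged as well, so treat each flagged column as a question to put to the provider, not as proof of encryption.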

Cloud vendor lock-in question 4: What about resource access?

In Infrastructure as a Service (IaaS) situations, when the data in question includes virtual images, make sure you have the capacity to gain administrative-level access to both applications and the underlying OS. It’s not always trivial to gain access when you don’t know the administrative password, even when you have physical access. So if your provider is giving you back VM images, make sure you can get access to the OS and application levels of the services they run.

Cloud vendor lock-in question 5: Do you have access to user data?

Keep in mind: You may need other ancillary information over and above the raw data for your services to continue uninterrupted. For example, if your service provider leverages a data store that contains information about users (e.g., their ID, roles, entitlements and authentication information), you’ll need that too. Make sure you can get back data as well as supporting user information, since this data may be stored separately from application data.

It goes without saying that service providers can be disinclined to make transitioning off their platform easy. However, being mindful of ways that service providers might try to lock you in -- or at least where they might be less helpful during a transition -- and testing the processes that support a clean transition is a solid strategy for avoiding cloud computing vendor lock-in down the road.

About the author:

Ed Moyle is a senior security strategist with Savvis as well as a founding partner of Security Curve.