Security Risks Impact Even Businesses That Stay Out of the Cloud
SANTA CLARA, Calif. There is a lot that businesses still need to ask a cloud service provider before signing up for service, especially about how secure the provider's environment is, the chief operations officer of the Cloud Security Alliance said at a cloud conference here.
John Howie explained the security risks associated with cloud computing and the ways businesses can protect themselves and their data at the Cloud Leadership Forum held June 13 and 14. Howie warned that some cloud providers actually turn around and have customer workloads managed by yet another cloud provider. He also warned against using free consumer-grade cloud services for enterprise-grade computing.
The Cloud Security Alliance is a nonprofit organization that provides free information to its membership of 150 companies and 35,000 individuals on how to choose cloud services (private, public or hybrid) wisely and with a focus on data security in the cloud.
Howie sought to dispel the notion that the IT department or other managers can claim that they don't need to worry about cloud security because they don't use cloud services. Typically, individual employees subscribe to cloud services on their own. He gave the example of a businessman he met who was on the phone and couldn't send an email because the attached file was too large. The man said he would upload it to DropBox, a cloud-based file-sharing service, instead.
"You use DropBox?" Howie asked the man. "Well, not officially," came the reply. "That's what you're finding in your organizations today."
There's another reason to avoid consumer-oriented cloud file-sharing or storage services such as DropBox, Google Drive or Microsoft SkyDrive, he continued. They are free because they're advertising-supported, and they index the user data to glean information from it on what ads to deliver.
"They are probably indexing your data, not because they want to know what your data is at a human level," Howie explained. "But at the machine level, they want to know what advertisements to send to you to increase the click-through."
It may be harmless enough for consumers to have their data indexed but an enterprise should not take that risk. There are paid file-sharing services that are better designed for enterprise users and their important security needs.
A related issue is how businesses can remain compliant with government and industry regulations for the security and privacy of company data in the cloud. Not only are there varying regulations at the state and federal level in the United States, there are myriad regulations globally, and, increasingly, both companies and cloud service providers operate globally. Which regulations a company has to comply with depends on where the cloud service provider's data centers are located as well as where the company's own data centers are located, Howie said.
Businesses Need to Read Their Service Level Agreements
He said in-house legal counsel, not the service provider, needs to determine what regulations a company has to comply with when moving to the cloud. Increasingly, in-house legal counsel hires an outside law firm that specializes in electronic records security and privacy compliance.
Also, the fundamental security issue that businesses have to understand when contemplating a move to the cloud is that in a public cloud, the customer has no control over security of the computing environment, despite any assurances from the provider that they have firewalls, intrusion prevention systems or anti-malware protections in place.
But customers can secure their data, said Dan Reis, director of US product marketing at Trend Micro, who also spoke at the conference.
"If you store data in the cloud you don't have control over exactly where it is, who else may be on that storage device or the medium on which that data is traveling. That's a lot of exposure to your data," said Reis.
Because the public key infrastructure (PKI) method of encrypting and decrypting data is so complex, Trend Micro offers a service called SecureCloud, which does the encryption as a service so that when a company's data is in the cloud and there's a breach or other problem, the data is protected, he said.
While adoption of cloud computing is growing, Reis said many companies are still on a learning curve as to what cloud computing is and how safe it is to use. "A lot of them hear the term cloud, but there are a lot of different definitions of it … so there's a lot of confusion from that standpoint."
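The property Reis describes, that a breach at the provider yields nothing readable, comes from encrypting data before it leaves the customer's control and never handing the provider the key. The block below is an added illustration written for this page; it is not Trend Micro's SecureCloud or any vendor's code. It uses the envelope pattern: each object gets its own random data key (DEK), the object is encrypted under the DEK with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that the customer holds. The KEK source, the object name and the sample document are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the client would upload to the provider: the object
// ciphertext and its per-object data key, wrapped under a key the provider
// never sees. Both blobs are AES-256-GCM with the 12-byte nonce prefixed.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. It fails if the key or aad differ or the blob was altered.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh 256-bit DEK for one object, encrypts the object
// under it, then wraps the DEK under the customer-held KEK. objectName is
// bound as AAD so a stored blob cannot be silently moved to another name.
func Encrypt(kek, plaintext []byte, objectName string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object. Anyone
// holding only what the provider stores cannot get past the first step.
func Decrypt(kek []byte, env *Envelope, objectName string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectName))
}

func main() {
	// Hypothetical KEK: in practice it comes from a KMS or HSM the customer
	// controls, never from the storage provider.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	name := "finance/q3-forecast.xlsx"                   // assumed object name
	doc := []byte("constructed sample: Q3 revenue forecast") // constructed input
	env, err := Encrypt(kek, doc, name)
	if err != nil {
		panic(err)
	}
	// The provider, or whoever breached it, has env but not kek.
	if _, err := Decrypt(make([]byte, 32), env, name); err != nil {
		fmt.Println("without the customer KEK:", err)
	}
	pt, err := Decrypt(kek, env, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the customer KEK:", string(pt))
}
```

GCM authenticates as well as encrypts, so a modified ciphertext, a wrong key, or a blob copied under a different object name all fail closed rather than returning garbage. The part this example does not solve is the one the article calls complex: protecting and rotating the KEK, which is exactly what a key-management service is for.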
The CSA's Howie says a thorough reading of the cloud provider's service level agreement (SLA) is needed to establish how the service is being delivered, including whether the service provider, in turn, contracts with yet another service provider.
"The SLA that you get from your cloud provider can only be as good as the SLA from their cloud provider," Howie said.
And despite assurances from cloud providers that they offer security and reliability, incidents still happen. Amazon Web Services (AWS) customers were impacted by an outage at an Amazon data center in northern Virginia in April 2011. AWS advises customers to spread their workloads across multiple Amazon data centers (what AWS calls availability zones) for redundancy, but those worst affected by the Virginia outage were the customers who had not taken that advice.
Another failure occurred in Microsoft's Windows Azure cloud service in February. Microsoft said the service outage impacted Windows Azure Compute and dependent services: Access Control Service (ACS), Windows Azure Service Bus, SQL Azure Portal, and Data Sync Services. It did not impact Windows Azure Storage or SQL Azure. Microsoft traced the outage to a software bug, specifically a timing miscalculation related to Feb. 29, the leap day that appears on the calendar only once every four years.
Editor's Note: This story was updated to correct the number of companies that are members of Cloud Security Alliance.