A Consultant's View

Prairie Trail Software, Inc. (June 2010)

Cloud Computing Security

Cloud computing is the current rage among IT professionals. It is where someone else is hosting not just web pages, but whole business systems. The allure of moving systems to the Cloud is that things will be much better (and cheaper) than having to manage systems ourselves. Who can argue with "cheaper and better"? The problem is that not all of the issues have been fully explored, and one of those issues is security.

Security on "Cloud Computing" is a big issue. While we have not heard of people being hacked while their data is on the "cloud", that is only because the technology is too new for the big stories to leak out. Wherever data is, it can be compromised. It can be compromised by an outside attack or from within the "cloud" provider. For an example of an inside attack, in January 2009, an engineer at Fannie Mae was indicted for trying to put in some logic that would have destroyed all 4,000 of their servers. Once there is enough important data on "the cloud", there will be people trying to get their hands on that data illegally.

Another problem is what will happen when the "Cloud" provider updates their system. It is possible to have a security hole opened when the system is updated. For example, Facebook updated their system and exposed a lot of data that people thought was secure. Other systems have had embarrassing security failures when making changes.

Other issues include government and regulatory issues. In many jurisdictions, you have less legal protection when your data is on the "cloud". For example, if your data is on a system inside your company, it takes a court order for a government body to look at that data. When it is at a service, it only takes a subpoena. In 2009, a Dallas hosting service was raided by the Feds and a number of computers were taken. A number of "innocent" clients had their hardware and data seized in that raid. Where your data is located can make a difference, as it could be more secure in one jurisdiction than in another. The other problem that this incident shows is that someone else using the shared hardware might do something that would bring the whole system down. It isn't enough to "vet" the supplier; you might need to "vet" all other clients on that hardware.

The final issue is that of the provider. Right now, much of the sales pressure is on price. That means that providers are pressured to offer the lowest price. In that environment, there will always be people who will cut corners. They will cut corners on staffing, on making sure that the security is tight, on actually meeting peak demand, etc.

When planning on moving your systems to the "cloud", it is important to not just include security in the Service Level Agreement, but also to monitor and manage what your "cloud" supplier is doing.