Cloud computing - Border controlsWhile the traditional early adopting countries, such as the US and UK, have taken the lead in cloud computing, the rest of the world is catching up fast… and, with that, arise a host of complications in compliance across multiple jurisdictions. Keri Allan investigates
Cloud computing may still be in its infancy, but we’re already entering an era of ‘clouds without borders’. Businesses and IS/IT teams are therefore having to understand what cloud entails, while also getting to grips with the issues arising from what is essentially a new form of outsourcing on a global scale.
To be more precise, it’s virtual outsourcing … and a range of problems arise from this, including issues surrounding data control. Using clouds means your data could end up anywhere in the world, giving managers a welter of new security issues to address.
Some industry insiders think the negative attitudes towards cloud computing are over the top, that one simply needs to follow standard outsourcing practices. If you do so, your data is no less secure than through any other outsourcing method, they say. Simply put, the issues people consider specific to cloud aren’t actually new, they’ve been with us for as long as we’ve been outsourcing.
There are also those who look at cloud very positively, seeing it as a new and improved way to keep IS management costs down: “There are big advantages for start-ups to take advantage of all over the world, as cloud minimises capital investment,” highlights Paul Simmonds, board member of The Jericho Forum.
Even so, worries still remain about access and control of an organisation’s data, many due to concerns as to where it is actually stored and the different data protection laws each country has.
“In theory, the concept of cloud computing can be more secure than DIY computing, since shared costs allow a larger overall investment in security processes and infrastructure,” says Ferenc Szelenyi, vice president EMEA public sector services, Dell Services. “However there are the issues of data privacy over border lines, data integrity and corruption, 24-7 availability of services and local versus international priority on quality and requirement of service.”
Competition around the globe
Even though there are problems that still need to be ironed out and standards set, the traditional early adopting countries, such as the US and UK, are taking the lead. But it won’t be long until they’ve got competition from around the globe.
“As economic opportunities come into play, one should expect this interest to spread over to any major economic nation which possesses the required levels of infrastructure to support sustainable services,” says Professor John Walker of the Cloud Initiative Common Assurance Maturity Model.
Interestingly, one region that is starting to stand out as a cloud data centre hub is Scandinavia. Google, for example, is building data centres in Finland and Sweden in order to use the cold climate to help cool servers, while still being able to access high-speed data connections. An Icelandic start-up, Greenqloud, is setting up what it claims is the first green cloud computing provider in Iceland, benefiting from some of the cheapest and greenest energy available.
“In the US, the federal government has made early moves into cloud computing with heir Apps.gov storefront, operated by the General Services Administration (GSA). Through Apps.gov, CIO Vivek Kundra hopes to make it as easy for federal agencies to provision cloud as commercial companies using cloud services from major cloud providers such as Amazon and Google, who are making moves to provide their services to the US Government,” highlights Steve Smith, managing director of IT security firm Pentura.
“International public sector departments such as The Ministry of Internal Affairs and Communications in Japan have already made the move into cloud computing. The department has announced plans to migrate all government agencies into a private cloud environment by 2015,” he continues. “The UK is following this trend with its plans for G-Cloud, especially as communications minister, Lord Carter, has said that ‘substantial savings’ can be made in public spending by building a government-wide cloud computing platform.
“Finally, Oleg Petrov of the World Bank’s Government Transformation Initiative recently completed a project looking at active cloud computing around the world. IN Europe, he identified cloud initiatives under way in Sweden, France and Spain. He found that, in addition to setting up internal, private cloud environments, European nations were beginning to explore the use of cloud-based computing in areas including health and education services and economic development.”
As industry as well as government interest grows in the use of clouds, IT/IS managers need to understand the security issues involved and how to deal with them. Many organisations are already using clouds without their knowledge, and therefore are non-compliant. For example, if end-user staff use external services such as Survey Monkey, then they are using a cloud-based service.
“They fundamentally don’t realise that they’re already using a hybrid mix of cloud and traditional computing,” says Adrian Seccombe, research associate at the Leading Edge Forum. According to Seccombe, there are three things to consider when looking into a cloud provider: the contractual, legal and technical aspects.
Although it’s impossible to have total control of your data when it comes to clouds, security can be better managed by being hands-on when it comes to contract negotiations. The key is due diligence and to make sure you negotiate a contract that fulfills your data and security needs, focusing on covering legal and technical bases.
“The best solution to cloud security issues is to negotiate your business’s exact requirements into the specific service level agreement (SLA) you sign with your cloud provider: make cloud security their problem. Then plan to follow-up with your provider using a procedure and tools to verify your specific SLA and have a migration strategy in mind if your cloud provider fails to meet your SLA,” says Jonathan Lampe, vice-president of product development at Ipswich File Transfer.
“It is essential to have strong SLAs in place, no matter what country you operate in,” continues Garry Sidaway, director of security strategy, Integralis.
“Organisations should always know where their data is stored ~ this has become an important issue as more and more data privacy restrictions government legislations enforce companies to keep their data within country boundaries.”
Looking at the legal apsects, you need to make sure you’re complying with any national data protection laws you might come under. For example, if you move data on a Californian citizen to a cloud hosted in India, there may be some interesting laws you need to comply with. Make sure you know exactly where you stand that you will be compliant before signing any contracts.
Finally, in terms of technology, the sector is still trying to pin down the best way to audit and ascertain technical security. It may not be enough to simply see that the provider is ISO27001 compliant, as one specific server may have been certified rather than the entire operation. Here, due diligence comes into play; be sure to check for yourself that the provider is indeed secure.
Some of these questions might be hard to answer, however, due to the international angle of cloud computing. If a server is down the road, it’s easy to get a team member to check on it. If it’s the other side of the world, however, it costs a lot more to send someone to check the security of your information.
In addition, currently cloud providers aren’t legally contracted to tell you where they hold your data, which can be another issue. As it is early days, both sides are still learning how to work well together, and so the solution is putting together a contract you are both happy with.
“Many of the cloud providers actually won’t tell you where your data is going,” explains Seccombe. “You haven’t got a right to know where the data will physically reside. You can put into the contract that you want to know where your data will be held, but many vendors will go quite a long way to try and avoid you constraining them in terms of where they can put their data.
“It could turn out data got moved to Iceland because they found out that was a really cost-effective place to do processing: it’s geothermal there, so there’s easy access to power, and air conditioning costs are lower because the temperature is cooler. The problem is that there’s an awful lot of earthquake activity in this area and transatlantic cables to Iceland can get broken very easily. So you could find your data in a place where you can’t gain access to it, and you didn’t even know it got moved there,” he cautions.
“There’s a number of different dynamics about contracts, so make sure you write into the terms all of the things you’re wanting to manage the risks of. Be sure you can comply with laws and compliance and that the hardware is secure,” he adds.
Over time, services and contracts will evolve to please both sides, and its clear that moving forward, a high standard of security will be needed. Especially with the kinds of highly secure information governments will be passing through clouds.
“Let’s face it (a higher level cloud) could be a very big target; every single hostile intelligence service and criminal will want to get their hands on that data,” highlights David Lacey, author, researcher and honorary fellow of the Jericho Forum. “The main difference between cloud computing and major outsourcing is that from a threat perspective it’s a much, much bigger and more attractive target and will be heavily attacked ~ there’s no doubt in that.”
Indeed, your data might not be the target, but it could be at risk due to other organisations with whom you share your cloud.
“The simple fact is that within cloud environments you have some of the highest profile companies imaginable, which is like waving a red rag to a hacker bull,” says Sunbelt Software CEO Alex Eckelberry. In response to such a point, providers are already upping the ante in terms of security.
“With more and more sensitive data being stored on clouds, measures are being brought in to protect that data and its users,” notes Christopher Jenkins, security line of business manager, Dimension Data UK. “Currently, most cloud providers offer a two-part authentication process. As clouds are starting to become a larger target for hackers, within the next two to three years, it is likely that you will start to notice additional levels of security being implemented in the form of an access management services.
“Credit card companies or even mobile phone providers will provide a validation level with there being a focus on personal information questions. These ‘gatekeeper’ companies will present authentication questions that only a genuine user will know the answer to. These additional levels of security mean that information should stay secure and makes the account harder to hack, even if initial login details have been compromised.”
Security visibility worldwide
Lacey takes the concept of cloud computing security a step further: “Cloud technologies are actually great for being used for security. A cloud supplier has visibility across his customer base… maybe even worldwide. He knows what’s going on and so a cloud security service provider could provide that added value of greater visibility and can respond faster to developments as they see them happening somewhere else in the world first. I think this has a real edge over in-house security.”
Still a young entity, many industry experts believe that now is the time to learn from our earlier outsourcing mistakes and get security right from the outset. It is of course a learning process but, as Sidaway says, we’ve got the chance to get it right now.
“It is an opportunity to architect security into a solution and not bolt it on after the fact. We are in danger of replicating in the virtual world what we have done in the physical world. We have the opportunity to have a good security reference model to define the data and user access to the virtual services, and with the addition of hardware modules and extensions we can remove some of the security concerns with software hypervisors,” he concludes