Part 1 Technology, Risks, and Rewards
The European Network & Information Security Agency (ENISA) released a report two weeks ago covering Cloud Computing Risk and Security. The report highlights 35 risks to consider when making sourcing decisions that include private or public Cloud services. Several of the risks identified are not necessary new or unique to Cloud computing but nonetheless are important to consider as part of an IT risk management program.
Risk topics include:
- Vendor lock-in,
- Loss of governance,
- Loss of business reputation due to co-tenant activities,
- Supply chain failure,
- Resource exhaustion (under- or over-provisioning),
- Cloud provider malicious insider - abuse of high privilege roles,
- Intercepting data in transit,
- Data leakage on up/download, intra-cloud,
- Privilege escalation,
The Good and the Not So Good
The ENISA report is important for at least two reasons, one good and one not-so-good. Starting with the good, the report has a sufficient framework and level of detail for assessing security and control environments afforded by different Cloud service providers. For example, Unisys announced earlier this year its plan for delivering secure IT services through Secure Cloud Services Solutions. These includes secure infrastructure, secure platform, security software, and application offerings as their baseline of service. Available before year-end 2009 will be the Unisys Security Private Cloud solution, providing all the features of is secure public Cloud offerings for private Cloud implementations. The Unisys leading message on Cloud computing appears to be security, providing a level of differentiation through a commitment to an overall decrease in risk through improved security protocols and tools for data in motion, data at rest. and data in process -- a data-centric approach to security in the cloud. But of course, security and risk management is not only about protecting data.
In contrast, others that provide Cloud services and enabling technologies have been less open about security capabilities but instead lead with more traditional messaging of cost take-out, demand-based elasticity, self-provisioning, and reduced complexity. The assumption must be that users expect security to be engineered in.
The not-so-good reason is all about technology and innovation that makes virtual computing possible. The report summary opens with the definitive statement 'Cloud computing is a new way of delivering computing resources, not a new technology'. Huh? No new technology? Did I read that right? Do the authors assume that all technologies the enable the Cloud have been tested, tried, and true across a myriad of end-user performance, reliability, and availability requirements?
Of course, Cloud computing includes many new technical components, including this sample:
- vBlock infrastructure platforms from EMC, Cisco, and VMware,
- Storage policy engines that manage the jurisdiction of data,
- Algorithms that determine if SSD or spinning disks are optimal storage platforms given performance, energy, and security requirements,
- Data Dispersal storage platforms to distribute data and reduce discovery risks,
- Electronic Data Recording with the ability to recover from service interruption with zero data loss,
- Transformational ways to protect data beyond traditional and complex access controls, encryption, and key management,
- IaaS and identity as a security service for both public and private cloud applications.
So what does this tell us? For one thing, security is and will always be in the eyes of the beholder, or in this case, the business or individual that owns the risk. Second, the ENISA report is a useful piece of research and study. It provides a baseline for for CISOs, CIOs, end-users, and technology providers alike for understanding the risks and rewards associated with Cloud computing and provides a framework for comparing like-offerings, technology capabilities, and determining a tolerance for risk. And third, there are waves of new technologies transforming traditional computing toward the utility model, technologies that both create and mitigate risks.
Action Item: For the CISO, it’s important to not let the "Cloud-speak" swallow everything. That's too easy. There are significant new technologies being introduced almost every day that both make virtual computing possible and technology and business risk management a more complex art. Using risk assessment strategies and methodologies like ENISA’s [several others to consider, too], CIOs, risk managers, and the security community must pick apart new and emerging technologies and services to understand the capabilities, risks, and controls for providing safety in the cloud.