Cloud404 Blog Kickoff
We are entering another major cycle of information technology. Let’s call it “the cloud” cycle. The world is faced with many economic woes, and technology can often play a key role in fueling a comeback by increasing productivity, opening new arenas of innovation, and bringing increased value from each dollar spent. In order to get businesses and consumers spending again, the tech world needs to come up with the next big thing, and that big thing seems to be “cloud computing.”
This technology offers unlimited scale and uses resources as they are needed. There are plenty of articles about the wonders of the cloud, so I won’t take up valuable bytes on the Internet to rehash them.
Software providers are racing to build new products that leverage the cloud paradigm. There is also considerable effort to “retool” current software to embrace the various principles associated with “the cloud.” At the same time, product marketing is figuring out how to convince the marketplace that cloud hosted resources are less complex, more secure, cheaper, and a requirement to survive in the globally connected and hyper-competitive marketplace of the future (as if it isn’t already!).
From a personal computing perspective, each of us has that “gut feeling” that makes us peer through the marketing and ask common sense questions before we move our digital lives into the cloud… is the risk too high? Will the odds of my identity being stolen increase if my data is stored across multiple providers, across the planet, operated by who-knows-who? Will one of these providers crash, and never come back? Will I lose my cat pictures?
From a business perspective, there’s a bigger problem. The last era of IT was marked by (a) new laws that drove (b) huge spending, which created (c) a ton of enterprise jobs that (d) established a long list of best practices related to computer security and IT audit. Can the cloud meet those requirements? These very investments may have helped build the foundation that has taken us to a point where we can peer over the edge and consider cloud computing. But are we ready to jump? Even if we aren’t ready to jump, are we going to be forced to jump because everyone else — everyone you are collaborating and competing with — is?
The intense media attention to cloud failures and uncertainty will drive many new and interesting conversations. I’d also suggest that the rate at which these conversations are occurring illustrates that the mass market is in touch with the realities of the cloud, and there’s a pretty firm understanding of the underlying concepts even though the respective technologies that fuel the concepts are quite complex. But, since the cloud is all about abstracting complexity, we don’t need to understand the technology, right? Or must we take the time to ask the right questions to make effective decisions and use the cloud appropriately? For example:
- Goal: Lower costs (capital and operational) related to data storage. Increase failure resilience (i.e. disk crash).
- Market Offering: Cloud Based Data Store. Unlimited. Pay per Gigabyte. Backups performed.
- Solution: Put it in the cloud using provider XY.
- Question: How is it secured? Is it encrypted? If so, how?
- Answer: Secured with a password (or API access key). Not encrypted.
- Risks: A bad guy could get the password and get the data. Employees at the provider could read the data. Various legal issues related to subpoenas. The provider gets hacked, and the data is compromised. The list goes on and on.
- Mitigation: Implement a layer of encryption on all data written to the cloud provider (likely via client software or middleware). Do not give the cloud provider the keys.
To solve this simple scenario, one must understand the goals, ask the right questions, quantify the risks, and ensure that mitigation is feasible. Fortunately, this scenario has been well thought out, and we can see that the market has developed quite a few great solutions. There are plenty of other, much more complex, scenarios to tackle.
I’d also suggest that we instinctively understand that the assumptions we’ve had for the last few years regarding our “trust” of our computing environment are ready to change. In 2002, Bill Gates sent the infamous Microsoft “Trustworthy Computing” memo, where he claimed that a trustworthy computing platform doesn’t exist. In 2002, most of us considered the “technology platform” to be the individual PC that we use. I don’t think many people trusted their computer in 2002. However, in 2009, I’d argue that the trust of the computer has risen significantly.
As I write this blog post, I reflect on a few key differences in how I compute now versus in 2002. In 2002, I had all of my documents on a PC or a network share. I fondly recall the release of SharePoint 2003 with great Office integration, which allowed me to easily store my Office documents “somewhere else, on the SharePoint server.” This gave me assurance that they’d be safe if my PC was lost or suddenly thrown out of the window (I have a medical condition known as “buggy 32-bit device driver rage”). For other resources, I had a daily battle syncing content across my various PCs that didn’t share a common network drive.
Now, I build PCs with 32 gigabyte drives (I’ve standardized on power friendly, speedy solid state drives). I simply don’t need much local storage (with the exception of the occasional 1TB drive for video editing). I store all of my files online – “in the cloud” (although, most are just hosted services by various providers that don’t likely apply cloud principles). I read RSS feeds, store photos, sync bookmarks, build mind maps, store office documents, create presentations, backup documents, and even do my taxes with a “cloud” provider. I’ve stepped up to the reality that I don’t have time to administer my own mail server anymore, and I use an external provider for personal email. Perhaps I’m getting too old to have the passion to run my own mail server, or, perhaps it’s commodity infrastructure that I don’t have to deal with so I can focus my time elsewhere. Regardless, I can access everything — from my phone to multiple PCs I use — from anywhere, from my various platforms, and not battle with data replication issues.
The context of the Bill Gates “Trustworthy Computing” memo is going to change in the cloud era. It’s time to look beyond the trustworthiness of the individual computing platform and start to digest the realities of trusting “the cloud” platform, too.
The following trust-oriented questions tend to arise across other blog postings and conversations that pertain to cloud computing. Most of these “common sense” questions focus on the reality that control of traditional IT infrastructure will be lost as the cloud paradigm is adopted:
- When I choose a vendor, what happens if they suddenly “go away?”
- What happens if the vendor increases the price that I need to pay to use the service? Am I locked in? What is the difficulty in migrating?
- Does the vendor run their offerings with operational sanity? What are the chances of pilot error?
- If I need to convince my family or management (and auditors) that our data is secure, what proof can I provide?
- Where is the data stored? How is it backed up?
- How strong is the business continuity plan of the provider?
- How do I know if my data is breached?
- What do I do if my data is breached? How do I investigate?
- What will my provider tell me about the scope and nature of the breach? Who is liable? Who is culpable in the customer breach notification (note: congress is currently considering Federal breach notification laws!)?
Behind the scenes and at a high level, providers still practice change control, monitor and investigate security events, and perform operational incident management. Given the scale that providers deal with, will they take the time to explain what they do? Is the explanation a “one off” explanation to appease you, or is it applied to all of their customers (which makes the process more predictable)? Alternatively, the response could be a Jedi hand wave diverting your attention back to the “it’s cloud, so you don’t need to worry about it” panacea, or the “don’t worry about it because we have an SLA with financial consequences and that certainly isn’t in our best interest” reply. According to Gartner, cloud computing providers who refuse to undergo scrutiny are “signaling that customers can only use them for the most trivial functions.” I don’t disagree with this, but I expect it will take time for service providers to get the story right — especially since the scale, tenancy, and internal factors within a service provider scenario differ from running enterprise IT. So, even if the answer isn’t perfect at this time, the market will demand clarity and evidence over time.
So, this is likely a good entry point for the blog, and will drive our hypothesis that the most important — yet difficult to quantify — decision associated with your adoption of cloud computing revolves around risk.
From now on, we’ll zoom into specific topics associated with security, privacy, compliance, and risk within the cloud.
Until then, doveryai, no proveryai (trust, but verify).
- Craig
