Offerings in the Public Cloud have proliferated in the last few years along with the excitement and interest in their potential. The benefits available from cloud services are enticing, but they come with some extremely serious inherent risks which are easy to overlook. Many of the business users who may be looking with interest at cloud-based offerings may not be able to recognize and assess these associated risks effectively. Ignoring them can lead to enormous, unknown exposure for the enterprise. There are many valid approaches to risk management, but the worst possible strategy is to simply ignore the risk. Unfortunately, this is just what can happen when it comes to making use of the cloud and it has become incumbent on IT to help make sure our users know and understand the risks. Similarly, it is also our responsibility to fully evaluate them in any use of the cloud we consider.
Risks inherent to any cloud-based offering can be segmented in a number of ways, but many of the most serious can be put into two broad categories: security and continuity. These are far from exhaustive, but they cover most of the particularly dangerous ones.
Use of the Public Cloud takes control of the infrastructure aspects out of our hands. By its very nature, what goes on behind the curtain is a black box. There are some cloud providers who acknowledge the security question and make themselves somewhat transparent to clients when it comes to their security practices. Even with these providers, our access is limited since the more that is known about the security practices, the more vulnerable they potentially become. For those providers who do not let us peek inside the black box, what they do is completely unknown. This makes security in the cloud almost all trust with very little, if any, verify. Even worse, threats come not only from external sources but also potentially from ones internal to the provider.
External threats come from data thieves who must look at cloud providers like conventional criminals look at a bank. Providers are likely well defended and hard to crack, but if you can get in, you have access to the concentrated data of many clients. On the positive side there are, as with a bank, economies of scale to security. After all, we cannot all afford a vault in our home. On the other hand, your data is now in the hands of someone else who is likely a target and you must depend on them to defend it. Worse, in most cases that I have seen, the providers are responsible for the security of your data, but they are not accountable for it. If there is a breach, you do not really have any recourse. Conflicting interests are also a concern in the event of a breach since it is not really in the best interests of the provider to reveal it. They are, of course, obligated to do so and many likely would. Others might not though, which would leave you in the position of not even knowing you were robbed since, unlike cash, data can just be copied.
Depending on the offering in question there may be other measures which, even in the event of a breach, might help protect your data. As with the safety deposit boxes in a bank vault, the cloud can offer additional defenses by inserting depth such as encrypting the data in the application being used. Unfortunately, even if those secondary defenses are solid today, it does not mean that they will hold up over time as decryption technologies improve. If data thieves are able to steal your data, even encrypted, it is only a question of time before it can be read. Many types of data are highly time-sensitive and become mostly useless if not quickly accessible. Other types of data remain useful over fairly long periods of time, e.g., financial or personal information, medical records, contracts and customer records. If we are using the cloud for this type of data, we need to remain keenly aware of the limitations of encryption.
Internal threats are more subtle and potentially insidious. Those who maintain and administer offerings in the cloud have access by virtue of their positions. Since they are employees of the cloud provider, you lose control of the employee screening process. This screening is not as simple as just having controls in place for things like prior criminal records, drug use, etc. Factors which represent a conflict of interest if your organization were hiring a person directly are unlikely to be factors in the cloud provider’s hiring practice. It could be as simple as a DBA who has a relative or friend who works as a sales representative for a competitor and passes on the occasional piece of “harmless” information. It could be as complex as an external element inserting someone internally to facilitate data theft. Corporate espionage may not be as well-known as its cousin between nations, but it is extremely active.
Any concerns you might have about outsourcing and off-shoring should be applied to any use of the cloud as well. Many cloud providers make use of both off-shore infrastructure and personnel. Even presuming these personnel are just as honest as domestic ones, there is an increased risk since most tend to be drawn from areas where wages are substantially lower than in other parts of the world. This can only make the temptation of misusing access all the greater.
There are many cases where we are custodians of data which is considered private by another enterprise, organization, or individual. The terms under which we have possession of it may not allow us to store it on infrastructure which is not our own or allow access to it by personnel not under our direct employ. It may even be restricted by law to remain in a specific country and ensuring this once it is in the cloud is nigh impossible. Cloud providers might give you attestations regarding their locality and data control, but would these be satisfactory to the actual owners of the data? If questions like these are not considered when evaluating cloud offerings it can put contractual agreements at risk and potentially lead to substantial harm to the business.
The issues discussed above only scratch the surface of the security concerns we must consider when evaluating the use of a cloud offering. Even this abbreviated list is enough to consider treating any data sent into the cloud as immediately compromised. If we take this approach, it renders the cloud unsuitable for any sensitive uses. Extreme? No more so than the risks to our organizations for not adequately protecting our sensitive information.
Making use of the cloud makes us dependent in ways that we would not be if the application was locally hosted. Many of these are the same as we would have just hosting an application in an off-site datacenter, but the lack of control increases the risks. Temporary capacity and performance issues can be a concern, but cloud providers are generally on top of these issues. The most significant risks involve disaster planning and recovery.
Using an offering in the cloud inherently has more potential failure points. We need to be concerned about connectivity for the consumer and the provider, as well as things which could affect the internet itself. For many uses, connectivity issues might be tolerated during normal circumstances, but we should be cautious of putting anything in the cloud which we rely on in a disaster. For example, consider two of the most popular cloud offerings: email and service desk. Losing either of these functions in a disaster would make managing the recovery significantly more chaotic.
Email has become the primary communication method at many companies. Having it become unavailable during a situation could be devastating. A system like this should either be local or at least have a local backup for use when external connectivity has failed. Having it in the cloud prevents both. Somewhat less used, but perhaps just as devastating, would be having your phone service in the cloud. The disaster planning ramifications of using the cloud for core communication functions such as these should be carefully assessed.
One of the first systems to be brought back up in a disaster is the help/service desk. The system is not important in an obvious way, but will be how you coordinate bringing everything else back online and the overall recovery from the disaster. If one of the effects of the situation is to disrupt connectivity to the cloud and you are using a help/service desk hosted in it, you have just lost one of your main recovery tools at the very moment you need it most.
When everything is working the way it should and all is well, the cloud provides a number of attractive benefits. But not every day brings sunshine and sometimes things do go wrong. What if the provider of the cloud offering you have subscribed to has problems? If the quality of service drops, you have little or no direct ability to rectify the situation. Even worse, what if your provider goes under? Where is your data and how do you recover it to bring your business services back into operation? What about data ownership when you choose to terminate your contract with the provider? The number of possible scenarios is infinite, but the key is to always remember the inherent loss of control which is the implicit dark side of the cloud.
Not all Doom & Gloom – Private Clouds
Private Clouds are the silver lining to many of the potential problems of Public Clouds. They do not offer some of the advantages which can be gained from various SaaS offerings, but they do provide the nimble infrastructure which is one of the main Public Cloud attractions. With a Private Cloud, you own the infrastructure, so the security concerns remain the normal things that you worry about anyway. Unfortunately, many of the continuity issues remain if you have infrastructure supporting your Private Cloud in off-site datacenters. Since you own and control it, however, you are in a much better position to determine how to mitigate the risks for critical applications.
Both Public and Private Clouds are exciting and offer tremendous potential. We just need to not let our enthusiasm blind us to the risks and hidden costs which come with them as well. In fact, Private Clouds are, I believe, crucial to the evolution of IT towards a utility type service model. The term utility computing has been overused, but it is in many ways the direction we are going and many of the same concepts apply which affect other utilities such as electric power. Almost all of us utilize what is, for most intents and purposes, a Public Cloud of electricity. We know little about where it comes from, just that it is there when we need it. And for some of us, we mitigate the risk of a failure by having some local generation capacity. If we are going to be able to offer our business users “flip the switch and it is there” kind of services, we need something like the cloud. Private Clouds would seem to be the compromise which allows us to develop the service models we need without giving up a dangerous level of control.