The Cloud, Security & Standards
For better or worse, the cloud can be seen as a “game-changer” in how we store and process information. While the placement of intellectual property, business confidential or personal information in the Cloud raises security concerns, it does offer benefits. In other words, it’s coming – whether we like it or not.
On the plus side, vendors already speak of significant cost saving in the reduction of IT budgets (even if you halve the numbers, they’re still worthy of consideration by CFOs). Depending on which level of the cloud you’re dealing with, other benefits include better managed security, better resource allocation, better audit and forensic capabilities – in short, better risk management.
As for the negatives, there are many organizational (governance), technical and, yes, said the lawyer, legal risks. These range from loss of control (i.e. lock-in, loss of governance) to data protection and licensing liabilities. The technical risks are extensive and impact both the governance and legal risks. A very good analysis of the risks associated with using the cloud can be found in a recently released Cloud Computing Risk Assessment by ENISA (the European Network and Information Security Agency). I won’t dwell on them here but the report provides an excellent synopsis of the risks and an extensive series of questions to ask any provider. The Cloud Security Alliance also has a list of key security threats to cloud computing.
So we’re going to “go there” (i.e. the cloud) and we have a slew of new risks to consider. Now what? Absent anything else, lawyers will tell you to ensure there are security-related provisions in any services agreement. Generally, it’s good advice. However, negotiating and maintaining the security-related provisions will pose issues for both sides.
Governments and corporations with large volumes of transactions to process have negotiating power and will expect their demands to be met. Small and medium-sized enterprises (SMEs) have no negotiating heft and will simply receive whatever standard terms providers can get away with. “Freedom to contract” isn’t necessary the direction to go. If you’d like to see an interesting survey of cloud computing terms of service, then consider this study out of the UK.
With large customers, part of the negotiations and due diligence exercise will involve greater client information demands where security/risk managers present a very long list of questions to be answered (think “death by a thousand questions”). The answers may not vary much but they’ll still have to be customized. Also customers may not like some answers so a corresponding customization of the security posture of the service offering may be expected. Not enough for a provider to say no; but likely enough to introduce some variation in security procedures.
Audit fatigue is another concern. One might argue today that while many contracts have audit rights, few organizations actually conduct audits. I think this situation will change over time. Security professionals with management responsibilities will readily tell you that responding to audits from clients is a time-consuming activity. Given the potential sub-contracting to service providers within the cloud computing business model, one has to consider evaluations of the security posture of partners, which requires time and resources to effectively address. (The same issue arises for those who work with federated identity management regimes or other trust models, but that’s a blog post for another day).
Is there a solution? My suggestion is adherence to a standard combined with annual certifications of compliance to that standard. The Cloud Security Alliance has a good starting point with its Cloud Controls Matrix. I say “starting point” simply because the documents it maps to (e.g. ISO 27001: 2005) don’t seem, in my view, to address the architectural issues raised by the cloud. (Nor does CICA 5970 or its American equivalent SAS 70 for that matter – neither are security audits no matter how many people think so.)
Adherence to a standard provides an easy way to offer customers the assurance that they require to satisfy legal obligations and insurance requirements but without a too strenuous due diligence burden. Developing a standard that addresses all the issues (starting with the ENISA list of questions) is important. If industry doesn’t do it, some government will.