Cloud computing is the latest trend that has the industry abuzz. Everywhere you go, there are cloud services for every functionality imaginable. Many believe that cloud computing can deliver tremendous business and operational efficiencies. There is even a movement at the national level: Vivek Kundra, the country’s recently named federal CIO, is being tasked to push the adoption of cloud-based services across the federal IT landscape.
Cloud computing differs from traditional outsourcing because in the latter model, it is still very much standalone computing — either you take your server and put in someone else’s data center, or you have a MSP managing your devices. In many cases, you know exactly where your data/host is and what resources, if any, you share with others. Cloud computing decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it’s replicated. Multitenancy, while it is rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only impact users’ risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery.
I’ve had many conversations recently with IT security and compliance professionals about cloud security, and the universal concern seems to be that there is a lack of visibility and standards across cloud providers. Users of cloud services therefore are left to fend for themselves, especially in terms of understanding and addressing security risks associated with outsourcing to the cloud.
Earlier this year, I published a Forrester report titled: “How secure is your cloud: A closer look at security issues for cloud computing”. I received tremendous feedback after the publication. This quarter, I am embarking on a big research effort to evaluate security and privacy practices of some of the leading cloud providers, such as Salesforce, Amazon, Google, and Microsoft. We will be conducting the evaluation on three broad aspects:
- Security and privacy: Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity management (IAM) make up the list of security issues for cloud computing. Privacy is another key concern — data that the service collects about the user (e.g., event logs) gives the provider valuable marketing information, but can also lead to misuse and violation of privacy.
- Compliance: Data privacy and business continuity are two big items for compliance. Specific issues such as geo-location of data centers, incident response procedures, eDiscovery support, and proper handling of logs and audit trails all come to focus here.
- Legal and contractual issues: Legal issues are the least well-understood areas of cloud computing. Though I will not be giving out legal advice, I will be looking at what legal issues may arise in the context of cloud computing. For instance, liability and intellectual property are two examples of legal issues that often being discussed. Other contractual issues include end-of-service support —when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider’s infrastructure, etc.
I’d like to know if anyone has any specific concerns to cloud security that may be outside of what’s mentioned above. If so, please leave a comment here. Also, I’ve so far identified vendors who are more in the platform-as-a-service and software-as-a-service areas, should I include infrastructure-as-a-service vendors like Rackspace? Let me know what you think. If you would like a snapshot of the cloud security report, send me an email firstname.lastname@example.org