Culpability and the cloud

The customer may be king but they’re also likely to be the cause of cloud security failures in the future, according to analyst firm Gartner, which predicts 95 percent of public cloud security issues will be down to the customer, rather than the provider, by 2020.

Unfortunately, the cloud is still seen as a panacea for all ICT and data needs and it’s these false expectations that increase risk. Some organisations look upon cloud as a one-stop solution for security as well as functionality, almost turning a blind eye to the fact that security practices must still be maintained.

The most common mistake is to assume Cloud will meet all ICT challenges. It won’t. Quite often it provides a new “bucket” for your existing data and applications. Access methods may vary slightly but the interaction between the solution and the end users will often change little.

Organisations sometimes end up moving their problems to an external container without grasping the advantages migration gives them in doing some house cleaning. Cloud is a business project, not an ICT project, and presents an opportunity to address policy, procedure and general risk management.

Using risk as a key factor, it’s possible to design a solution and business process that is far more resilient and accommodates change while keeping security risks low. Decide what you want to achieve from the project, define the requirements formally and engage suppliers.

When you go to market, look at how well the provider delivers the service end-to-end. This includes design, migration, business as usual (BAU) and decommissioning so that data is considered from cradle to grave.  A litmus test we apply to commercial review is to ask the supplier what happens to redundant hard disk drives (HDD’s)?  This is a good way to test whether the supplier has considered post contractual obligations.

When it comes to signing on the dotted line, always seek commercial assistance so you clearly understand what you need to commit to.  This is not as easy as it sounds as contracts and tender responses can be complex and vary.

A common mistake is to not understanding the demarcation of responsibility.  Look closely, and you will find that the supplier is responsible for a lion’s share of the security maintenance, especially if it’s IaaS or PaaS being procured. But there will also be an onus on the customer and when it comes to security failings, the supplier will often sight a number responsibilities the customer has not maintained.  This is why we see will see the high cloud security failure rate Gartner has calculated.   Unfortunately the consequences of such failures can be severe. Data theft has implications, both commercially and legally, and resolving who is responsible for the loss is where a good commercial assessment pays dividends as it should be clear who had responsibility for what and when.   Ultimately, if you want to prevent yourself from falling into the 95th percentile, there are three takeaways: address risk management; make sure you understand your responsibilities fully; and, highlight and manage the gaps – don’t ignore them.

By Jamal Elmellas, Technical Director, Auriga

Jamal Elmellas

Jamal Elmellas is Technical Director at Auriga Consulting Ltd where he manages and oversees the technical administration of complex projects, and business strategy, assisting the implementation team with all aspects of security architecture. Previously Director of Data Barrier Ltd, a company that was instrumental in the deployment of a PAN Government Cloud solution in the UK, Jamal joined Auriga as a direct result of the company’s acquisition in 2011.