Is Cloud being missold? Cloud tends to be marketed as the solution to every ICT efficiency and delivery problem. This gives companies the impression that they simply sign up with a supplier and the supplier does the rest. On closer inspection you will find that this is neither the case nor advisable.
Take a look at the terms and conditions of any of the large cloud providers and you will see that, even though their service catalogues are vast, encompassing everything from application delivery to security, a great deal of the work of governing the service still rests with the customer. Most of the large providers publish this split explicitly as a 'shared responsibility model', and it is worth reading before signing anything. The assumption that some or all of Cloud management will be undertaken by the Cloud Service Provider (CSP) is a common error cloud customers make.
The top three errors then are:
#1 – We don’t need to worry about security, our CSP does this for us.
Untrue. Even if you buy a complete managed end-to-end service, you still need to take responsibility for your organisation's security; ultimately the buck stops with the customer. The analogy we use with our customers is this: if you take a bus to work, you still need to get to the bus stop on time, board safely, know where your stop is and get off there, and keep your belongings safe. CSP management is similar. The CSP secures what it operates (the physical facilities and, depending on the service model, the hypervisor, operating system or application platform), but identity and access, data classification and your own configuration remain yours. The further you move from IaaS towards SaaS, the more of the stack the CSP covers, but no service model moves your accountability. Many CSPs offer security products as part of their service catalogue, but it is still your responsibility either to configure those products appropriately or to procure that additional service. Once a product is procured and configured, it is still your responsibility to manage it.
#2 – We’re safe because the CSP is PCI DSS, SOX or ISO 27001 certified.
Untrue. The certification will cover a specific, defined scope, such as a single application, a hosting platform or a particular set of data centres, whereas the chances are that you will be procuring a blend of services. Make sure you know what is and is not inside that scope: an ISO 27001 certificate carries a scope statement, and a PCI DSS assessment comes with an Attestation of Compliance, often accompanied by a responsibility matrix stating which requirements the CSP meets and which are left to you. For example, if you procure a tightly scoped card or payment processing application via SaaS, the CSP's PCI DSS scope may well cover it. If you shift your entire ICT infrastructure into a CSP that claims to be ISO 27001 certified, it is highly unlikely that their scope will cover your business and processes. You will need to adjust your own ISO 27001 scope accordingly.
#3 – Our data could end up in any nation, of particular concern being a nation with minimal data protection legislation.
Partly true, but manageable. This is what is commonly referred to as 'data sovereignty', and there has been some real scaremongering over the concept. In reality the answer lies in the commercial terms, where the CSP details where the data may 'live', which regions it may be replicated to and from where it may be accessed for support. Note that residency (where the data is physically stored) and sovereignty (whose laws apply to it and who can compel access) are not the same question; ask about both. If the terms do not state this, always ask for it in writing before you sign.
The CSP market should be more open and upfront about what it does and does not take responsibility for. Most customers would rather know exactly what they are and are not buying, and for that to happen there will need to be some form of standardisation or self-regulation. There are already voluntary codes of practice, such as the APMG CIF code of practice, which require suppliers to lay out their terms simply and clearly, and we have seen this kind of requirement mandated in the banking world. Will we see it in the Cloud? Maybe.
For now, organisations need to perform their own due diligence. Look for a supplier who voluntarily signs up to these types of codes of practice. Consider also the CSP's track record: how has the supplier handled security incidents and compromises in the past, and how quickly and openly did it notify affected customers? This is crucial to understanding how they will behave in a worst-case scenario. Establish where your responsibility starts and finishes, so you know what you should and should not provide as your side of the deal.
Also, know where your gaps are. For example, if the supplier cannot provide encryption for data at rest or certificate management, you know there is a risk there, and you have three choices: negotiate it into the contract, close it yourself (for instance by encrypting the data before it leaves your estate and managing the keys and certificates on your side), or accept it explicitly and record that decision.
Without identifying those risks, and deciding whether they are acceptable, you may find yourself unduly pointing the finger after a compromise at a supplier who was never contracted to prevent it.
By Jamal Elmellas, Technical Director, Auriga