One concept that has gained momentum and is now present in IT departments worldwide is Cloud Computing. It promises ubiquity, Software as a Service (SaaS), implementation agility, fault tolerance and load balancing, capacity on demand, easy outsourced maintenance and, as the most attractive promise of all, low cost.
That looks encouraging and attractive at first sight, but is it really worth it? What dangers does our organization face if we decide to fully adopt this technological trend?
Talking with those who intend to dive into cloud computing services in our emerging markets (such as Mexico and Latin America in general), the prevailing sense, and hype, is one of flexibility: the ability to suddenly increase computing power as required, very attractive low expenses that replace the usual burden of paying for and administering our own IT infrastructure, a fault-tolerant service, and an infrastructure platform with plenty of services to choose from to support our precious business applications and services.
The offerings vary widely and come from well-established IT companies such as Microsoft with Windows Azure, IBM with SmartCloud, Google Cloud Platform Services, the unexpected but acknowledged Amazon with Amazon Elastic Compute Cloud Services, and Oracle Cloud with its portfolio of service applications. Consulting services for implementation and management are also available from E&Y, Accenture, PWC and the rest of the Big 5, along with other medium-size consulting firms that promise to implement these solutions flawlessly and successfully in your enterprise.
There may be confusion about which services and deliverables the concept of Cloud Computing comprises; that, at least, is the perception of newcomers to the field.
There are Cloud Service Providers (CSPs) that solely offer storage in the cloud and business applications accessible to customers offsite (Software as a Service, SaaS). Other CSPs promise computing power and unlimited bandwidth via scalable virtual machines, with formal SLAs ranging from 99.90% to 99.99% uptime, and application platforms customized to our unique business application needs (Platform as a Service, PaaS). A small group of CSPs promise to deliver more elaborate services consisting of a full ecosystem which comprises all of the above and adds infrastructure procurement: connectivity through firewalls, switching and routing; database deployment and management; availability of servers in a physical or logical fashion; application development and migration services; cloud monitoring and backup support; security services via VPNs that include Identity and Access Management at the network and application layers; and data encryption in the databases that support our business apps. All such services are grouped under the name Infrastructure as a Service (IaaS). That is to say, your datacenter completely outside your facilities, all paid for monthly or semiannually. It is worth mentioning that a cloud may also be implemented on premises.
So, given these business offerings, what are the acceptance and implementation levels of Cloud Computing globally?
It appears that Cloud Computing began its journey into our IT budgets and businesses years ago, as the E&Y study “2011 Global Information Security Survey, Seeing through the cloud” suggests, presented in the following figure.

Source: E&Y, “2011 Global Information Security Survey, Seeing through the cloud”, http://ey.com
Surprisingly, regarding cloud applications, Latin America appears to lead the pack in its use of Cloud Computing Application Services. According to Tata Consultancy Services in their report “The State of Adoption of Cloud Applications”, this region represented 39% of cloud applications deployed in 2011, against Europe with 12%, the USA with 19% and Asia Pacific with 28%. The corresponding projections for 2014 show Latin America at 56%, Europe at 24%, the USA at 34% and Asia Pacific at 50%, as shown below.
Source: Tata Consultancy Services, “The State of Adoption of Cloud Applications”, http://sites.tcs.com/cloudstudy
At this point we know a bit more about Cloud Computing Service offerings and their acceptance, but what differences persist between the Cloud Service models, and what threats do they pose to our business information?
By the NIST Cloud Computing definition in “NIST Special Publication 800-145”, the deployment models for clouds are Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud.
The cloud models most commonly offered and already in use by customers are the Private and Public Clouds, whereas Community and Hybrid Clouds are far less common and are not oriented to a mass customer segment.
The Information Security implications of each Cloud Computing model are described as follows:
- Private Cloud.- As per its definition, it is provisioned for the exclusive use of a single organization, so it does not share resources with other external entities, and it may be managed by internal or outsourced IT teams. It is meant to provide the customer company with controls to supervise and manage business operations equivalent to the ones used onsite. For this reason this cloud appears to be the safest of all. There are providers that offer a portfolio of private-cloud-oriented solutions, such as Oracle Cloud, VMware vCloud Infrastructure Suite, Ubuntu Cloud and others well positioned in the industry.
- Community Cloud.- It is designed for a group of tenants that share the same objectives (associations, federations, governments) and are willing to share resources, so the strength of the information security controls depends entirely on the group's observance of, and compliance with, its policies. This cloud may present some InfoSec flaws while still maintaining a certain level of control over intrusion attempts or information leakage. Examples are Google Apps for Government and Microsoft Government Community Cloud.
- Public Cloud.- Because of its economies of scale, this cloud may be the least expensive of all, but it comes with a security toll. It shares all of its resources through different approaches (servers through virtual machines, common hardware platforms and middleware applications, communications devices, storage, DB instances, etc.) and may allow several customers from different business realms to use and deploy their business applications, served on demand. The quality of the controls is diluted and may become dependent on the application-layer controls that segregate the environment and platforms between customers (virtual machine controls, session management controls). The security concerns in this type of cloud are the highest of all.
- Hybrid Cloud.- It combines two or more of the clouds described above, mixing the security of a private cloud infrastructure with public or community clouds, bound together by standardized or proprietary technology. When they are combined by interconnection, security enforcement and compliance depend basically on the weakest link of the chain, so the controls in use cannot be equally robust at every point of the cloud. Microsoft Azure and VMware vCloud offer Hybrid Clouds.
That said, before adopting a cloud and engaging in a medium- or long-term contract with a CSP, you should check some considerations first, such as:
- Strategy.- Review your business strategy to verify that it matches the Cloud Computing Service offerings. A useful business strategy tool is a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis, to determine whether the cloud really enhances and supports your current business. Calculate the total fixed and variable costs (monthly or annually) of your current datacenter and compare them with the equivalents under Cloud Computing Services.
- Regulations and Compliance.- As you know, not all businesses are equal, and they need to comply with different regulations. The banking and finance industries, for example, tend to face stricter regulatory compliance requirements than other activities, e.g. the retail or automotive industries. In México, banking regulatory compliance is supervised by the CNBV (Comisión Nacional Bancaria y de Valores, www.cnbv.gob.mx), and the technology regulatory framework is laid out in Chapter X of the “Circular Única de Bancos”. Annex 52 presents the regulations for banks using offsite IT resources; in general terms it requires that any banking institution in Mexico comply with the same quality control levels as if the resources were onsite, and that, regardless of whether the data is hosted outside company premises, the final responsibility for protecting customer data always belongs to the bank.
- Appetite for Risk.- Build a risk matrix to map the critical information assets planned to reside in the cloud, and match them against the perceived vulnerabilities and threats that may damage your data or your business's continuous operation. Calculate the final risk with your preferred risk methodology (High, Medium and Low criteria may help) and finally, against the CSP proposals, establish whether the cost benefits obtained are worth the risk you are incurring. Remember that legally (depending on the legal framework of the country), proving under a signed contract that a provider has mismanaged your leased cloud may be cumbersome and sometimes impossible.
CONCLUSIONS
Cloud Computing is no longer an abstract concept; it is now a technological trend that has come to stay in the IT industry for a long time. For years we have been primitive users of clouds (e.g. Yahoo! and Google mail services). Nowadays, probably because of the widespread availability of certain technologies (virtual machines, reduced-cost physical appliances, databases, open source or proprietary middleware software, affordable storage, etc.), there are Cloud Computing Service solutions that allow a company to partially or fully migrate its business datacenter to a cloud service off premises. Not all CSPs offer a one-size-fits-all solution, but this is a growing market on its way to consolidation. Following the original NIST definitions, clouds are differentiated by the nature and number of tenants that share computing assets, and the risk levels and information security issues posed to our operations therefore vary with the quality of the controls implemented. Dedicate enough time to evaluate and certify that your CSP complies with the standards and norms of your industry, and that the support offered by the Cloud Computing Services is aligned with your overall business strategy.
Author: David Ruiz