Thursday, 26 January 2012

Cloud security: A risk driven perspective

One of the reasons that organisations give for not moving their IT to the cloud is concern about computer security. As a consequence, the area of cloud security is a ‘hot topic’ – an appropriate classification as the debate sheds more heat than light on the issue of security and cloud-based systems.

A fundamental principle of security is that you should always approach it from a risk-driven perspective. It is impossible to achieve complete security so you assess the most likely or the most consequential risks and protect against these. You may insure against some of the other risks or you may simply accept them because they are unlikely to arise.

It seems to me that this has been forgotten in the discussions on cloud security. There are extensive discussions on ‘security risks of moving to the cloud’ but these take place in isolation, without considering the security risks of ‘not moving to the cloud’.

A simple example will illustrate this. A possible security risk, which is unique to the cloud, is that hypervisor vulnerabilities allow data to leak from one virtual machine to another. This is certainly a theoretical risk and I believe that it may have been demonstrated as a possibility. But I could not find a single example of this arising in practice, with ensuing loss to cloud users.

Contrast this with the figure in the SANS survey of top cyber-security risks, which found that the most common vulnerability was unpatched client-side software. If you move to a SaaS environment, you can dramatically reduce the effort required for management and it is much more likely that the services offered are updated in a timely way when vulnerabilities are discovered.

If we take a risk-driven perspective, we should not worry about theoretical risks but about the real everyday risks that affect operation. The CSI computer crime survey suggests that more than 40% of losses are a consequence of insider attacks. Moving to the cloud will, at worst, be neutral here. It could improve security as the centralized operation means that there are likely to be fewer local vulnerabilities that can be exploited by insiders.

The other major common risk is the risk of vulnerabilities through the carelessness of users. These may be weak passwords, systems left logged on, sharing of authentication, and so on. Moving to the cloud won’t solve this problem, but again there is a possibility that more control will improve the situation.

Two other areas are presented as cloud security risks but are no such thing:
  1. Third-party access to data. This is a general outsourcing risk rather than something that is specific to the cloud. If you outsource your payroll processing, you are taking exactly the same risk. Before you outsource anything, you should go through a due diligence process to convince yourself that the service provider can be trusted. Cloud services are no different here and the old adage that ‘you get what you pay for’ is as true for clouds as for every other area.
  2. Compliance risks where specific types of data have to be subject to particular jurisdictions. For sure this is a serious issue and, for sure, it may make the choice of cloud provider difficult. The possible hassle may mean that it’s simply easier to manage the data in-house. But this is NOT a security risk (security is about confidentiality, integrity and availability), nor is it specific to the cloud. Again, it is an outsourcing risk that has to be considered – and which will become less of an issue as cloud providers are able to guarantee where your data will be located.

In summary then, we need a common-sense approach to cloud security. The reality is that if you believe that your current system is secure, you are probably deluding yourself. Moving to the cloud may not bring any extra security issues of any significance but may improve the security of your information.