At the Evolve.CLOUD conference in Sydney, CSO sat down with Archie Reed, CTO Strategic Enterprise Services APAC and Japan for HP, to talk about the Cloud Security Alliance, of which Reed is also a member. He outlined the global organisation's goals for standardising security in the cloud, education and certification, and what it means for companies looking to make, or already making, a transition to the cloud.
"What is the value of your data?" he starts by saying, before elaborating that any business decision to involve cloud services must be based around the value of your data, and the trade-off that can be involved in moving that data to the cloud. There may be cost incentives, or business flexibility by employing cloud services, but it comes with its own risks.
First and foremost is who has access to that data. When data is hosted with a third party, a company is inherently trusting the cloud service to protect it, and not just from hackers -- the threat of government intervention to obtain data from a service was raised more than once at the conference, with the US Patriot Act being held up as an example.
Reed clarifies the real danger behind this, "It's not just that they can come to a provider and ask them to hand over data, it's that the law states they don't have to tell you your data has been accessed".
And, as Reed explains, this can be a lot more serious than it sounds: when talking about data, most people think of it in relation to customer data, but often moving to the cloud involves a lot more -- internal company documents, communications, and even business logic can all be tied up in a cloud service depending on what transition has been made. And so, he says, "is there a risk your company's core businesses could not only be accessed, but without your knowledge?"
Australia is no safer, he explains: not only are Australia's anti-terrorism laws similar, even explicitly stating that a service is under no obligation to inform you that a request to access your data has been made, but Australian cloud services are also directly exposed to US interests, which, thanks to the Free Trade Agreement, are able to gain access to data stored with them. And what about less opaque threats, like hackers? We regularly see news of companies and services being hacked and thousands of customer details being stolen.
"If data has value, and it does, then it can be a tradeable commodity" he says, referring to the incentive for hackers, and drawing back to the value a company places on its own data. The rules of security haven't changed and the number one threat to a cloud service, as with any business, isn't a direct attack to the network -- it's wetware, employees. He gives the example that even Google's security protocols have been breached thanks to social engineering in the past.
But of the hacks targeting web services, and especially cloud services, the biggest problem, he says, is APIs (application programming interfaces). Most services naturally allow for front-facing web-based management, and for this a service provider will often write its own APIs. Sometimes this means the wheel is being reinvented many times over, with each service having its own API, and as with all new software, bugs and flaws are inevitable. But even those services standardising on a known templated API and building upon it are just as much at risk. According to Reed the most successful attacks have all been thanks to design issues with service APIs and, once a flaw is discovered, hackers often employ botnets with thousands of computers to scan the net looking for evidence of the flaw, thereby finding vulnerable targets.
But sometimes legitimate services are used as an attack vector too, Reed says, citing the example of one hack against a well-known vendor that occurred with time bought on an Amazon EC2 cloud and, ultimately, paid for with stolen credit card data.
The irony is not lost. "Not only are hackers using cloud services at scale, they're not even paying for it!"
You would be forgiven for thinking that employing a cloud service might not be worth the risk and effort, but Reed points out that this is what the Cloud Security Alliance, an organisation with 33,000 members worldwide including big business corporate sponsors, is all about: how to identify, mitigate and manage the risks to ensure cloud services become a reliable business tool. When asked about the advantages of cloud services, Reed says first and foremost it's "business agility".
"Being able to set up a new service and take it down very quickly" is something that cloud services excel at, and allow a company to respond faster to customer and market demands. There's also of course the financial benefit where moving to the cloud can shave costs, let alone tapping into the extra functionality cloud services can provide.
And, despite detailing the risks cloud services can face, in some cases Reed explains a company's data may be safer with a cloud service than its own internal infrastructure. Why? Because these services have built their business, and importantly reputation, as a service provider and their success is dependent on providing a secure product. At least for small to medium businesses, chances are more has been spent on security with a cloud service provider than a company's own investment into security.
"It all comes back to the value of your data," he says again. The goal for a CSO or CIO looking at the cloud, Reed explains, is being able to balance the value of your data against giving up full control over access to that data. A lot of it is about trust, he says. "We have a habit of implicit trust with a company," he observes, citing banks as an example. They have all your personal data, and you expect them to keep it safe. But there's no guarantee. And the same is true with a third-party service; after all, "You are putting all your data into someone's software solution in the cloud," he says. "If something goes wrong, who's liable for what? If there's a breach, how quickly will they respond? If they're being audited, will they inform you?"
The other consideration is transferability. "Look at how they store their data," Reed explains, "are you going to be locked into their tools and processes?" He gives the example of one cloud service provider that uses its own version of Java to provide its services. You may spend time and money writing tools to interact with the cloud service only to find that you can't take them with you if you want to change services later.
Other considerations he says are identity and access management, auditing, monitoring and reporting. And, importantly, understanding where the responsibility lies for any security breach, and what your options will be.
All of which, he explains, the Cloud Security Alliance is set up to help educate about, with member countries all working towards a common goal: "it's community trying to do the right thing." For more information about the Cloud Security Alliance, see https://cloudsecurityalliance.org