Debunking The Cloud Security Issues

Forrester recently published a report on the security of cloud computing that grossly exaggerates the security threats. To point out few specific instances:

"Users who have compliance requirements need to understand whether, and how, utilizing the cloud services might impact your compliance goals. Data privacy and business continuity are two big items for compliance. A number of privacy laws and government regulations have specific stipulation on data handling and BC planning. For instance, EU and Japan privacy laws demand that private data—email is a form of private data recognized by the EU—must be stored and handled in a data center located in EU (or Japan) territories"

This is a data center design 101. One of the biggest misconceptions the organizations have about the cloud computing is that they don't have control over where their information is being stored. During my discussion with the Ron Markezich, corporate vice president of Microsoft Online, at the launch of Microsoft's Exchange on the cloud he told me that Microsoft already supports the regional regulatory requirements to store data in regional data centers. Cloud is fundamentally a logically centralized and physically decentralized medium that not only offers utility and elasticity but also allows the customers to specify policies around physical locations.

"Government regulations that explicitly demand BC planning include the Health Insurance Portability and Accountability Act (HIPAA) ...."

Amazon EC2 fully supports HIPAA [pdf] with few customers already using it. It is rather strange that people think of cloud as a closed and proprietary system against an on-premise system. A CIO that I met few weeks back told me that "on-premise systems are like an on-premise vault that you don't have a key to". The cloud vendors are under immense pressure to use open source and open standards for their infrastructure and publicize their data retrieval and privacy policies. In fact many people suggest that the United States should force the public companies to put their financial information on the cloud so that SEC can access it without any fears of the companies sabotaging their own internal systems. The cloud vendors have an opportunity to implement a common compliance practice across the customer. The customers shouldn't have to worry about their individual compliance needs.

"The security and legal landscape for cloud computing is rife with mishaps and uncertainties."

And the rest of the landscape is not? What about T.J. Maxx loosing 45.7 million credit and debit cards of shoppers, Ameritrade loosing backup tapes that had information of 200,000 of its customers, and UPS loosing Nelnet's backup tape that had personal information of approximately 188,000 customers?

"With the rising popularity of cloud computing and the emergence of cloud aggregators and integrators, the role of an internal IT security officer will inevitably change—we see that an IT security personnel will gradually move away from its operations-centric role and step instead into a more compliance and requirements-focused function."

Staying in current operational role still requires the IT to be compliant. Just because the information is stored on-premise it does not automatically make the system compliant. I would expect the the role of operational IT to change from a tactical cost center to a strategic service provider. If the IT does not embrace this trend they might just become a service consolidation organization. The role of a security officer will evolve beyond the on-premise systems to better understand the impact of the cloud and in many cases help influence the open cloud standards to manage and mitigate the security risks.

"In other cases, the division is not quite so clear. In software mashups, or software components-as-a-service, it can be difficult to delineate who owns what and what rights the customer has over the provider. It is therefore imperative that liability and IP issues are settled before the service commences."

I partially agree. The customers should absolutely pay attention to what they are signing up for and who will own what. The critical aspect of the IP is not the ownership but the IP indemnification. After the SCO case customers should know what are their rights as a customer if someone sues a cloud provider for IP infringement.

"Other contractual issues include end-of-service support—when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider's infrastructure."

This is what happens when we apply the same old on-premise contracts to the new SaaS world. There are no copies of the software to be returned. Customer simply stop receiving the "service" when the relationship ends. Vendors such as Iron Mountain advocates the role of a SaaS escrow for business continuity reasons. It is up to the customers to decide what level of escrow support they need and what's their data strategy once the relationship with a SaaS vendor ends. It is certainly important to understand the implications of SaaS early on but there is absolutely no reason to shy away from the cloud.