Fact or FUD: Compliance and Security in the Clouds


Cloud computing has its share of fans and critics.  Regardless of which side you are on, the biggest issues with the cloud fall into the areas of security and compliance.  Both fans and critics need to be aware of the facts and need to stay clear of the FUD. So let’s play Fact or FUD!


Fact or FUD? Cloud Computing is not secure.  Answer: FUD

Cloud computing by itself may not provide the necessary security required by some applications, services, or data.  However, with the right approach to architecture and system design, the appropriate level of security can be obtained.  Without architecture and system design, cloud computing will not be secure enough for many companies.

Example: My company has two distinct functions.  First is a transactional system that has customer data.  Second is a B2B portal sharing real-time reporting of operational data.  The transactional system has much stricter requirements around security including consumer privacy, PCI compliance, etc.  The B2B portal is not exposing consumer information and does not have the same security requirements.  For us, the B2B portal can meet our security requirements in a public cloud like Amazon to take advantage of the low cost structure and the ability to scale quickly.  The transactional system cannot run in a shared public environment, which makes public clouds unacceptable based on our security requirements.  However, all of our needs can be met with a private cloud solution by having dedicated servers at an outsourced data center.  For extreme security measures where a server needs to be locked in a cage, an arrangement can be made with the cloud provider to meet that requirement as well.  Best practices like designing for OWASP’s Top 10 vulnerabilities, locking down ports and unnecessary commands on servers, public/private keys, and encryption are still necessary regardless of where your systems are.  We hired an independent security and compliance company to perform an assessment on our architecture and asked them to specifically highlight security and compliance risks of our cloud computing approach.  This allows us to design for security and compliance and isolate it as a layer within our architecture that our other layers will access to ensure consistency and ease of maintenance.

Conclusion: It is no different than if you are building systems for an on-premise data center at your corporate headquarters.  You don’t get security and compliance when you buy servers, you must design for it!

Fact or FUD? Cloud Computing cannot be as secure as on-premise data centers.  Answer: Absolute FUD!

Many of the large cloud vendors (Amazon, Google, Force.com) spend more money on security infrastructure and processes than many of our companies could ever dream of.  It is one of their core competencies and a major breach could kill their business. Also, most major security breaches are the result of inside jobs, whether they are intentional or not.

Example: Look at the list of Worst IT Security Breaches from 2007 and 2008 and you will see that the biggest risks are stolen or lost laptops and tapes, poor controls, and internal employees/partners with access.  Whether your systems are on-premise or in the cloud, these risks remain unchanged.  You could even argue that a backup strategy consisting of image snapshots or disk backups in the cloud could be more secure than tape backups.

Conclusion: Whether a computer is physical or virtual, on-site or off-site, you still need to apply security best practices.  For every instance of the cloud being less secure than on-premise, I can find an example of the cloud being more secure than on-premise.

Fact or FUD? Cloud Computing can’t be compliant because logs disappear when you scale down images.  Answer: FUD. Can be solved.

One of the benefits of cloud computing is the ability to scale up and down the number of virtual servers to meet peaks in demand.  Critics will point to this scenario as a show stopper for compliance because of the loss of data when the image disappears.  If you don’t design for it they are absolutely correct.  If you do design for it, it is absolute FUD.

Example: In my case, we are leveraging a number of open source tools that run on Tomcat.  We can configure Tomcat to write its logs in two places.  The first is the normal location where Tomcat writes its logs, which is contained in the same virtual image.  The second is on an image dedicated to maintaining all critical logs and various information.  This area can also be replicated to another location and an archiving and roll-up strategy can be applied to meet any demands pertaining to records retention and compliance.
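One way to get the two log locations described above, shown as an added fragment of Tomcat's `conf/logging.properties` (not the author's configuration). The handler name `5central` and the mount point `/mnt/central-logs/app01` are assumptions, and the other stock handlers are omitted for brevity.

```properties
# conf/logging.properties (Tomcat JULI) - added example, not the author's configuration.
# 1catalina is the stock local handler; 5central is an added second handler (assumed name).
handlers = 1catalina.org.apache.juli.FileHandler, 5central.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

# The root logger writes every record to both file handlers.
.handlers = 1catalina.org.apache.juli.FileHandler, 5central.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

# Copy 1: inside the virtual image; it is lost when the instance is terminated.
1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.

# Copy 2: a directory exported by the dedicated log image.
# /mnt/central-logs/app01 is an assumed mount point, one subdirectory per instance.
5central.org.apache.juli.FileHandler.level = FINE
5central.org.apache.juli.FileHandler.directory = /mnt/central-logs/app01
5central.org.apache.juli.FileHandler.prefix = catalina.
```

Any logger that has its own `.handlers` line needs the second handler listed there too. HTTP access logs are written by the `AccessLogValve` in `server.xml` rather than by JULI, so they need their own second destination.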

Conclusion: This is a valid concern and one that can be addressed with a strategy and a sound design.  I am sure that a more complete solution than the one I mentioned above could be implemented as well.

Fact or FUD? Cloud Computing can’t meet my needs because my customer won’t let their data leave their country.  Answer: FUD. Can be solved.

This is a common requirement in some European countries.  So do we just throw our hands up in the air and give up?  Depends.

Example: In my case, we are a startup and have no intentions of owning data centers, so we will figure this out.  We solve this by applying EA principles to clearly define our requirements, constraints, and critical success factors.  It is crucial to our business model to not spend huge amounts of capital on infrastructure; therefore, we will solve this with software!  We have anticipated that our physical data may live in different data centers based on our customers’ requirements.  To meet this requirement, we will build an abstract data layer that the other layers of our architecture will leverage to access data.  This abstract data layer will be configured to transform and route all data requests to the appropriate physical location of the data.  Whether the data is at the customer’s site, in a public cloud, in a private cloud, or wherever, our systems will still function as if it were all co-located in the same place.
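A sketch of such an abstract data layer, added here as an illustration and not taken from the author's system: callers never choose a store, and routing fails closed when a customer has no policy or is mapped to a store outside the countries it allows. All class, store and customer names are hypothetical, and the in-memory stores stand in for real databases.

```python
from dataclasses import dataclass, field


class ResidencyError(Exception):
    """Raised when a request cannot be routed without breaking a residency rule."""


@dataclass
class DataStore:
    name: str      # constructed name, e.g. "private-cloud-de"
    country: str   # country where the data physically lives
    rows: dict = field(default_factory=dict)  # stand-in for a real database


class DataLayer:
    """Single entry point for the other layers; callers never pick a store."""

    def __init__(self, stores, policy):
        self._stores = {s.name: s for s in stores}
        # policy: customer_id -> (store name, set of countries the customer allows)
        self._policy = policy

    def _route(self, customer_id):
        if customer_id not in self._policy:
            # Fail closed: there is no default store for unknown customers.
            raise ResidencyError(f"no residency policy for {customer_id}")
        store_name, allowed = self._policy[customer_id]
        store = self._stores.get(store_name)
        if store is None:
            raise ResidencyError(f"unknown store {store_name}")
        if store.country not in allowed:
            # Catches a misconfigured mapping before any data is written.
            raise ResidencyError(f"{store_name} is in {store.country}, "
                                 f"{customer_id} allows {sorted(allowed)}")
        return store

    def put(self, customer_id, key, value):
        self._route(customer_id).rows[(customer_id, key)] = value

    def get(self, customer_id, key):
        return self._route(customer_id).rows[(customer_id, key)]


def build_demo_layer():
    """Constructed sample: two stores, three customers, one bad mapping."""
    stores = [DataStore("private-cloud-de", "DE"), DataStore("public-cloud-us", "US")]
    policy = {
        "acme-gmbh": ("private-cloud-de", {"DE"}),
        "widgets-inc": ("public-cloud-us", {"US", "DE"}),
        "misrouted-ag": ("public-cloud-us", {"DE"}),  # deliberate misconfiguration
    }
    return DataLayer(stores, policy), stores
```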

Conclusion: Companies that have an abstract data layer can still meet the requirements necessary to process data located at specified data centers. Legacy systems with this requirement should stay home.

Fact or FUD? We must move to the clouds or we will not be competitive. Answer: Absolute FUD!

Not true.  It would be wise to look at creating new applications and services in the cloud or possibly migrating non-mission critical systems to the cloud to reduce costs.  If you are in a startup, you would have to be nuts to not leverage the cloud.  Building systems from scratch for the clouds is much easier than moving legacy systems that were never intended to live outside the corporate walls. The real question is what business problem am I solving if I implement this system or service in the cloud?  If it does nothing for the business then don’t bother.

Example: Let’s say that your company wants to implement a new CRM system.  A SaaS solution like SalesForce.com is a no brainer if you can afford it.  Instead of buying hardware and software, training administrators, patching OS’s and application servers, you could off load all of that to the experts in CRM.  If you don’t have the budget for SalesForce.com, you could implement an open source alternative like SugarCRM or vTiger on Amazon’s EC2 overnight at an extremely low cost.  No long procurement cycles, no additional floor space, energy consumption, OS patches, etc.

Conclusion: For startups or small or medium businesses, cloud computing is a game changer for providing an inexpensive and agile computing environment that allows these companies to compete against the big established companies.  For the big businesses, leverage the cloud where it provides benefits to the business.

Summary

Much of the FUD consists of valid concerns that can be solved with architectural best practices and sound strategies.  The challenge is cutting through the myths and getting to issues that are actually solvable.  Many of the cloud fans are fans because they think they can just throw stuff over the wall into the cloud and all their problems are solved.  They hear stories of how some business person at the Washington Post spent a couple hundred bucks and solved a huge problem.  That’s cool, but that is an ad hoc problem that was solved in the cloud.  To build real live systems in the cloud, there are no shortcuts for architecture and design.  This is actually good news for the security folks because now people are actually thinking about security since cloud computing has raised the awareness.

On the other side of the coin are the “Fudsters” who can’t let go of the job security, obsessive control, inflexibility, and vendor golf shirts that they are so accustomed to.  They say whatever they need to say to persuade their management that cloud computing is insecure.  They are actually providing a valid service for the rest of us though.  They raise valid concerns that we need to address when we design for the clouds.  So the next time you hear FUD, send it my way and I will give you some examples of how it can be addressed in the cloud.


Comments

Mike:

Interesting that given your “Fact or Fud?” queries, you only actually answered 2 of the 5 questions the way in which you asked them.

“Depends” and “can be solved” aren’t compelling answers and don’t answer those questions given your premise.

Further, on the “Absolute FUD!” answers you seem to be really making the point that it’s an issue of nuance and definition relative to the scenario (which I suppose would fit into your “It Depends” group) versus actually demonstrating it is FUD.

The real answer to almost all of your questions is “It Depends” but that’s not as sexy sounding, eh?

Your last sentence is interesting: ” So the next time you here FUD, send it my way I will give you some examples of how it can be addressed in the cloud”

…the converse is also true…

Just my $0.02.

/Hoff

@Hoff,

The real point is that without a disciplined architecture and design, the issues are real problems. But just because these issues exist does not mean that they are facts. If a company just goes blindly into the cloud without resolving the issues, then the person raising the issue is being validated. In reality, all of these issues mentioned in my post are solvable. The problem is, many people throw out road blocks and decry them as facts that Cloud Computing is insecure. In reality, most of it is FUD.

Based on Hoff’s comments, I updated this document to clearly side on fact or fud. In the original post I used “can be solved” twice which implied that it is FUD if you apply good design practices to the issue. The cloud by itself does not solve the issue but the cloud coupled with a good design and strategy does. The same applies to the first question which asks is the cloud secure. Again, the cloud and its infrastructure by itself is not enough, but the cloud can be secure if the systems and services that you are deploying are designed for the risks.
