Journal Online

Making Sure You Really Are Walking on Cloud Nine

1
Tarak Modi, cISa, cISSP, PMP, principal architect at G&B Solutions, is a seasoned business leader, skilled enterprise architect and published author with more than 15 years of proven experience solving business problems by aligning business and IT. He has co-authored Professional Java Web Services and has written more than 80 articles related to IT management and transformation. Modi currently leads the cloud computing and security C&A practices within G&B as part of the CTO office.

Cloud computing has grown from being a promising business concept to one of the fastestgrowing segments of the IT industry. Tough economic conditions and constant pressure to accomplish more with less are prime catalysts to the realization that tapping into the cloud can allow fast access to best-of-breed business applications and computing resources, storage, and other infrastructure at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment the cloud really is. The most common safety concerns are the security (confidentiality, integrity and availability) and privacy of the data stored in the cloud. These concerns are not unwarranted, as evidenced by just a few of the headlines on cloud-computingrelated breaches within a six-month period between February and July 2009: A highly publicized data breach within Google Docs on 7 March 2009,2 which, although fairly small, got a lot of attentionso much so that the Electronic Privacy Information Center (EPIC) has filed a complaint3 with the US Federal Trade Commission to investigate the adequacy of Googles privacy and security safeguards. The Google Gmail two-and-a-half-hour outage on 24 February 20094 and the Google Docs one-hour outage on 8 July 2008.5 News on 15 July 2009 that a hacker was able to gain access to an administrative employees personal e-mail account,6 which then granted the intruder access to that workers Google Apps account. The Google Apps account stored sensitive Twitter communications, including financial reports and plans for a reality show based on the popular micro-blogging service. Despite these headlines, the problem is not necessarily with cloud computing, since data security breaches and availability concerns such as these are not new. Furthermore, even though cloud computing has added a few more twists in the never-ending security saga, it has primarily served to bring the existing concerns to the forefront at a level at which even end users are thinking about data privacy. As Twitter founder

Biz Stone said in a blog posting7 following the Twitter compromise, It isnt about any flaw in web apps; it speaks to the importance of following good personal security guidelines, such as choosing strong passwords. This article explores common-sense strategies to ensure an organizations cloud computing endeavors are successful and unproblematic. Background Cloud computing is an emerging pay-per-use computing model that enables convenient, ondemand network access to a shared pool of configurable and reliable resources.8 In other words, it allows users access to their applications from anywhere through any connected device. Although the applications reside in massively scalable data centers where computational resources can be dynamically resized to fit the users changing requirements, a user-centric interface makes this complex cloud infrastructure transparent to users. The fundamental business model of a cloud facilitates more efficient use of existing resources. Since clouds require users to commit to predefined start and end dates for resource requests, IT organizations can more effectively plan, manage capacity, and repurpose IT-related investment and resources. Conversely, as users realize that they can get resources within minutes of a request, they are less likely to hoard resources, thus creating a virtuous circle of efficient resource request, allocation, usage and deallocation. A cloud enables users to consume IT resources in the data center in ways that were never available before. A traditional procurement cycle (without clouds) could take several months from the time a request is made to the time the resource is available for use. The process involves many steps, such as procuring hardware; finding raised floor space and sufficient power and cooling; allocating administrators to install operating systems, middleware and software; provisioning the network; and securing the environment. Even in IT organizations that reprovision existing hardware resources, the process could still take several weeks. A cloud can
ISACA JOURNAL VOLUME 3, 2010

dramatically alleviate this problem by implementing automation, business workflows and resource abstraction that allow a user to browse a catalog of IT services, add them to a shopping cart and submit the order. An administrator approves the order, the cloud does the rest, and the procurement cycle has just been short-circuited from months to minutes. Therefore, it is evident that cloud computing touts many benefits. Simply stated, the user has access to a powerful yet simple, robust yet elastic, pay-as-you-go, self-service environment. IT shops benefit with a reduced total cost of ownership (TCO), higher agility with greater responsiveness to changing business needs and a reduced overall risk posture. The dark SIde of cloud coMPuTIng Despite its many benefits, cloud computing is fraught with business- and technology-related concerns. Three major areas include those around the cloud vendor itself, legal issues and security/privacy of data. Vendor/Business-related Concerns Gartner puts the cloud services market at US $46 billion last year, jumping to US $56 billion in 2009 and US $150 billion by 2013.9 With so much to gain, it is no wonder that close to 100 vendors now offer cloud platforms to companies seeking to outsource their IT infrastructure, application and data storage/management. However, let the buyer beware, as many of these vendors are too niche-oriented and too small to expand significantly or act as consolidators. Simply put, will the vendor selected be in business several years from now? Answering this question requires careful examination of the vendors financial assets, its size, cash flow and stability (management and workforce). While selecting a cloud vendor, the organization should not overlook a careful examination of the long-term strategy and commitment of the vendor. If the vendor is a company that came into existence solely with cloud computing, vendor viability might be suspect. On the other hand, there are vendors that have been around for a while with offerings in areas such as grid and utility computing that now claim to offer cloud computing as well. The question is: how serious is the vendors commitment to the cloud? And, can this commitment be measured tangibly in terms of development, marketing, sales and support resources allocated to the effort? To get an optimum return on investment (ROI), the vendor selected must have a buffet of pricing options. Does the vendor selected have a flexible enough pricing model to support the organizations needs as its business grows or declines? As an example, consider Amazons EC2 pricing model, which allows pricing variations based on both dynamic 2
ISACA JOURNAL VOLUME 3, 2010

and reserved instances (of cloud computing capacity) as well as data transfer (in and out of the cloud). Ever notice how things always seem to break or not work just when they are needed most? That is why evaluating the vendors professional services and customer service track record is of prime importance. Possible questions include: Is there adequate documentation? Is customer support 24/7, and is it based on a standardized model such as ITIL? Also, the organization should check existing customer references. Finally, it is important to evaluate the vendors partnerships and community involvement. How actively is the vendor involved in standards organizations on cloud computing, such as the Open Cloud Manifesto and the Cloud Computing Interoperability Forum (CCIF)? Ascertaining this can help build confidence in the vendors commitment to keeping up with the latest advances (standards, technology and practices) in cloud computing. This, in turn, shows the vendors commitment to providing the client with a standardsbased, secure and interoperable cloud computing platform. Legal/Compliance-related Concerns By its very definition, cloud infrastructure (storage and servers) is expected to be spread across multiple geographical (national and international) boundaries. This raises issues around data privacy when data are stored and transferred across these boundaries. Complicating matters further is the tremendous diversity that exists in data privacy legislation, ranging from moderately regulated in the US to heavily regulated and rigidly enforced in Europe. Although a service level agreement (SLA) is a common risk mitigation tool that establishes a baseline service guarantee between the organization and the vendor, just how enforceable the SLA is depends on how viable the vendor is. Another factor affecting SLA and contract enforceability is where the vendor is legally located (remember it could be another country) and who has jurisdiction over legal disputes arising from SLA violations. Yet another complicating factor is that investigating inappropriate or illegal activity in a cloud could be very difficult, as logging and data for multiple customers may be colocated and spread across many hosts and data centers. It is best to find out in advance whether the vendor has been able to support such investigations in the past and to get the appropriate contracting agreement in place prior to final commitment. Security- and Privacy-related Concerns Probably the most talked about area of concern around the use of cloud computing involves data security and privacy. To address this concern, the organization must look at

two aspects of the cloud: management and technology. The management side involves examining the vendors securityand privacy-related policies for its cloud and evaluating how these policies are managed, decided upon and, most important, enforced via both management and technology-based controls. Also, the organization should be sure to ask for the procedures that implement the policies, as these will indicate how ingrained the policies are within the vendors organizational culture. Ill-defined procedures are typically a sign of lack of senior management support for the defined policies. The technology side involves making sure that adequate technology controls have been in place in support of the defined policies. Typical technical controls include encryption mechanisms, access control devices, authentication systems, virtual private networks (VPNs), firewalls and antivirus systems. A key aspect of cloud computing is that of multitenancy, in which data in the cloud are typically in a shared environment alongside data from other customers. Encryption is effective

but is not a cure-all. The organization must understand who its neighbors are in terms of who else is sharing the cloud infrastructure. The organization should find out if the vendor has good discipline over separation of data, processes and even infrastructure, if needed. The organization should try getting insight into the vendors employee hiring practices and subsequent training practices regarding privacy and security. Finally, what happens in the case of a disaster? The organization should make sure that the vendor replicates the data and application infrastructure across multiple sites to ensure that it is less vulnerable to a total failure. The organization should always review the vendors business continuity and disaster recovery plans to understand whether it has the ability to do a complete restoration and how long it would take. Figure 1 summarizes the areas of concern, possible threats, potential risks and optional mitigation strategies discussed here.

figure 1risk Management Matrix

area of concern Vendor/ business Threat Files for bankruptcy risk Loss of infrastructure, data or applications, impeding operations Mitigation Strategy Vendor analysis Private clouds Redundant cloud providers Implementing business continuity/disaster recovery plans Vendor analysis Private clouds Redundant cloud providers Vendor analysis Reference checks Vendor analysis

Vendor/ business Vendor/ business Vendor/ business Legal/ compliance Legal/ compliance Security/ privacy

Gets acquired

Existing data format no longer supported

Inadequate support Inadequate pricing options

Costly delay in completing business functions Inability to support elasticity in demand and business growth at a competitive rate, thus diminishing cost-benefits Data security/privacy compromised, leading to legal action

Sensitive data crossing boundaries in violation of privacy laws Vendor inability to support legal discovery and investigation Lack of direct control in putting effective security practices in place and then maintaining them

Understanding data movement and storage Internal clouds Private clouds

Difficult to prove innocence in a legal action Due diligence prior to commitment Appropriate contract Data security/privacy compromised, leading to legal action Policy and procedures review (SAS 70 type II audits, ISO 27001 review) Technical controls review (FISMA) Private clouds Encryption before cloud boundary Vendor analysis Private clouds Redundant cloud providers Implementing business continuity/disaster recovery plans
ISACA JOURNAL VOLUME 3, 2010

Security/ privacy

Disaster

Loss of infrastructure, data or applications that impede operations

SuMMary Granted cloud computing is not as mature as one would like, it is also no longer just a fledgling technology. As discussed in the beginning of this article, companies that successfully leverage cloud computing can reap many benefits. Understandably, taking the leap of faith in deciding to leverage cloud computing can be an overwhelming task, but it is a critical task that must be performed diligently to ensure that the organizations trust in the cloud is not misplaced. Smart consumers are those who avoid the gotchas by asking the right questions, thereby ensuring that the cloud they are walking on is truly cloud nine. endnoTeS 1 A US-originated term that means in a state of blissful happiness. 2 Google Inc., On Yesterdays E-mail, The Google Docs Blog, http://googledocs.blogspot.com/2009/03/onyesterdays-email.html 3 Electronic Privacy Information Center (EPIC), FTC complaint concerning Google data breach, 17 March 2009, http://epic. org/privacy/cloudcomputing/google/ftc031709.pdf

Google Inc., Update on Todays Gmail Outage, The Google Docs Blog, 24 February 2009, http://gmailblog. blogspot.com/2009/02/update-on-todays-gmail-outage.html 5 Metz, Cade; Google Evaporates Docs and Spreadsheets Cloud, The Register, 8 July 2008, www.theregister. co.uk/2008/07/08/docs_and_spreadsheets_goes_down/ 6 Kaplan, Dan; Intellectual Property Belonging to Twitter Exposed in Hack, SC Magazine, 15 July 2009, www.scmagazineus.com/intellectual-property-belonging-totwitter-exposed-in-hack/article/140157/ 7 Stone, Biz; Twitter, Even More Open Than We Wanted, Twitter Blog, 15 July 2009, http://blog.twitter.com/2009/07/ twitter-even-more-open-than-we-wanted.html 8 National Institute of Standards and Technology, Cloud Computing, NIST definition, http://csrc.nist.gov/groups/ SNS/cloud-computing/ 9 Gartner, Forecast: Sizing the Cloud; Understanding the Opportunities in Cloud Services, 18 March 2009, www.gartner.com/DisplayDocument?id=914826
4

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content. 2010 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

ISACA JOURNAL VOLUME 3, 2010