Joining us today is Jeff Kalwerisky, Chief Security Evangelist at Alpha Software. Jeff has specialized in information security and risk management for more than 20 years.
DDJ: Jeff, is cloud computing really safe for the enterprise?
JK: Not yet. And the devil, as usual, is in the security details. Cloud computing is now the archetype for Software as a Service (SaaS) and on-demand computing with offerings from, among others, Amazon, Google, IBM, Dell, and Microsoft. Yet, despite the good old "paradigm shift" hype, there are absolutely no standards for how the data is stored.
So, storage on, say, Amazon's "Simple Storage Service" (S3) is incompatible with IBM's Blue Cloud (a.k.a., New Enterprise Data Center), or Google, or Dell. This means trouble for an end-user who wishes or is forced to move from one cloud vendor to another. Obviously, not an appealing prospect.
Let's look at the CIA model of information security: confidentiality, integrity, and availability. First, the customer needs to know her data is encrypted so nosey sysadmins at the cloud data center can't troll through the data for interesting tidbits. If the information is encrypted, who controls the encryption/decryption keys, the customer or the cloud vendor?
Integrity relates to the integrity of the data, in that it changes only in response to duly authorized transactions. So we need standards to ensure that. But they don't exist -- yet.
The last nagging security issue is availability: Will the data be there whenever you need it? The answer here is an unqualified "maybe." In February of this year, Amazon's S3 went down for almost four hours, wreaking havoc on several companies that use and depend on the S3 Cloud. Amazon ascribed the cause to an unexpected spike in customer transactions.
This unfortunate outage has turned out to be a positive event (although not necessarily for the customers concerned). Besides reducing the overall cloud hubris, Amazon has reacted sensibly by enhancing its resilience to data spikes and by providing new software tools for customers to monitor system uptime.
DDJ: Are there best practices for organizations wanting to protect private data?
1. Ensure that the data is encrypted both ways across the Internet using SSL, as well as at rest in the cloud vendor's storage pool. Be sure that you, the customer, control the encryption/decryption keys, just as if the data were still resident on your own servers.
2. Be sure to have clauses in the cloud contract that the data always belongs to you, that you can reclaim it any time with short notice, and that the cloud vendor may not disclose any of your data to any third party. On the last point, there have been some disturbing issues raised where certain cloud vendors have included weasel words in the contract to the effect that they could freely disclose the data to all and sundry. Here the unwary customer does not even have the protection of the Courts: Ari Schwartz, Deputy Director of the Center for Democracy and Technology, recently pointed out that data stored online in the cloud or handed over to a bank does NOT have the same Fourth Amendment protections from unreasonable government search and seizure as data stored on a personal computer in one's home. So be sure to have your attorneys eyeball that cloud contract before you sign it.
3. If possible, have your users provide two factors to be authenticated to the cloud systems. That is, don't depend on just a password, the much-maligned and weak single factor. In addition to their secret passwords, require the users to present either a physical token, such as a smart card, or a biometric, such as a fingerprint. Make it as hard as possible for the unauthorized to gain access to the cloud system and then to your data.
DDJ: Where are the security risks related to software development?
JK: Strangely, some of the software development risk goes away! By using the SaaS offering in the cloud, there is much less need for software development. For example, using a Web-based CRM offering eliminates the necessity to write code and "customize" the vendor application. Where you plan to use internally developed code for the cloud, it becomes even more important to have a formal Secure SDLC (Software Development Life Cycle).
In particular, your development tool of choice should have a security model embedded in it to guide the developers during the development phases and restrict users only to their authorized data when the system is deployed into production. The immature use of mashup technology -- which is fundamental to cloud apps -- is inevitably going to cause unwitting security vulnerabilities in those apps. Let's not make all those same mistakes again!
DDJ: Is there a website you can point readers to for more information?
JK: This is a big topic, but here's a good site at CIO Magazine: http://tinyurl.com/4s2djf. Both Gartner and Forrester Research have produced papers on cloud computing.