Cloud Security Focus: Business, Security and Compliance Risks and Links

Brief Summary of Cloud Issues with Relevant Links
Written by Ben Chai (SecurityVibes.com)
Published on Friday 24 April 2009

Is Cloud Computing just another distraction from the recession, or are there really any tangible benefits? Proponents will point to savings from fewer assets to manage (servers, switches, cables etc.) and potentially stronger dedicated security from the Cloud provider. Certainly it is the most hyped up! In this article we summarise the various issues and provide links to a few of the industry groups currently trying to resolve them.

Back in the late 70’s to late 80’s mainframe time used to be rented out to companies who could not afford their own supercomputer but it was a very different world back then. There weren’t all the compliance issues to deal with, cyber-crime was a rarity, employees weren’t computer savvy enough to walk out with computer data and most of all when you saved your data on a supplier’s mainframe, the data stayed on the supplier’s mainframe.

Cloud computing essentially returns us to those days when unused mainframe time and space was sold to companies. However, today we have a different world where organised criminals actively target systems and profit greatly from their endeavours. Today, we also have the additional burden of heavy legislation and compliance procedures caused by high powered corporate executives driving their companies into the ground under cover of creative accounting and decisions without regard to risk.

Research has shown that the main issues with Cloud Computing are not so much the benefits. Everyone gets these! The issues are whether they are worth the compliance and security risks. Suppliers of Cloud Computing services may have stronger security than the average organisation but there are issues that organisations need to consider, that frankly wouldn’t have been issues in the early 80s. So what are the issues that are unique to the Cloud environment?

Security Issues

There are several security issues; the main ones can be broken down into:

  • Physical Data Access issues. For example, who has vetted the Cloud supplier’s employees and ensured that they will not compromise your systems? How do cloud providers ensure their employees won’t run off with or compromise your data?
  • Logical Data Access Issues. Will a firewall policy for one customer’s application affect access to your application?
  • Virtualisation issues. For example, how would you protect against virtual machine escape, a technique where a virtual machine could potentially leak into the host machine and compromise other virtual machines being hosted?
  • Patch Management issues. For example, if another organisation’s application hasn’t been patched what impact will this have on your application?

Compliance

In many industries, companies need to know where their data is being held from a regulatory and compliance perspective. They are also subject to a number of auditing procedures. In a similar way you need to be able to audit your cloud provider for:

  • Data location (in several industries, such as defence, it is important that their data isn’t being held in a country which may gain strategic advantage from access to this data)
  • Back up and business continuity procedures

Compliance issues can be broken down into:

  • Regulatory compliance. Who is responsible for breaches if you are to be PCI, HIPS, SOX etc compliant?
  • Audit availability. For example, what logs of systems, applications, access to physical servers and so on are kept?
  • Audit access. For example, who can access the log files, and how easy is it for corporate auditors to inspect the logs and virtual systems? How are your organisation’s systems protected from someone else’s auditors?
  • Data Location. Where, or more specifically in which country and in which company, is your data being held? It may not be held by your Cloud provider!

Business Issues

And finally there are business and risk issues that will affect your choice of Cloud supplier. These include:

  • What happens to your data if your Cloud supplier goes down?
  • What happens to your data containing all your customer personal details if you go down?
  • What happens to your data if your Cloud supplier merges or gets taken over by another Cloud supplier who has different SLAs?
  • What business continuity processes are in place?

Summary
In summary, there are many benefits that make cloud computing attractive. However, the benefits really do not yet outweigh the risks, and there have been a number of occasions when major cloud providers have gone down. Below is a set of links if you would like more in-depth information on the issues.

From The Security Vibes Site

How to Assess Which Applications to use in the Cloud Today
Cloud Virtualisation Security Risks - Currently Member Only Content
Cloud Patch Management Security Risks - Currently Member Only Content

From Other Sites

Jericho Group on the Cloud Cube model and the issues involved.
The Jericho Forum on Youtube – Adrian Seccombe CISO for Eli Lilly discusses the Cloud issues.

The Cloud Security Alliance provides an 83 Page PDF file on Cloud Security.

Gartner report on the seven risks of cloud computing can be found here.

From McKinsey and Co – warning this was one of the most criticised reports by cloud proponents. Clearing the Air on the Cloud report.

Cloud Computing Journal on Everything Cloud – pro-Cloud, but also contains articles and stories of customers who have suffered access failure due to Cloud outages from the likes of Amazon. Their April 2009 interview with the VMware CTO, who promises to make the Cloud Hype a Reality in the Future, can be found here. Note: that means it is not quite ready yet!

Finally an article on the Impact of Amazon Cloud Down Time in 2008 can be found here.
