CSO Perspectives and SaaS Con report: Cloud Computing Security Remains a Conundrum

Abstract:

Prospective and existing cloud computing users often cite security as one of their biggest concerns, particularly with public or hybrid clouds. The lack of standards for security, federated identity, and data handling integrity hasn’t done anything to alleviate those worries. For example, Software as a Service (SaaS) or Platform as a Service security contracts often lack contingency plans for what would happen if one or more of the companies involved suffer a disruption or data breach. And it’s not generally known what type of security exists when data passes between clouds (private-to-public or public-to-public). There’s even talk of Virtual Private Clouds, but no one really knows what that is either.

The enterprise customer, cloud providers and vendors are having difficulty sorting out the many potential problems and resolving the finger pointing over who is responsible for what in the event of a data breach or other security trouble – especially over a shared infrastructure. In particular, there is no standard way of gathering the required information or isolating the problem in a multi-vendor cloud environment. In fact, cascading security breaches are possible. That would really play havoc with cloud users’ data and apps.

Users and vendors are just starting to seriously examine these unresolved issues through industry associations, such as the year-old Cloud Security Alliance. So the cloud security related sessions at the co-located CSO Perspectives and SaaSCon conferences took on an increased sense of importance and urgency.

Conference Highlights:

1.  Panelists at a joint session on Cloud Security made the following observations:

- Security problem isolation and prevention of cascading security breaches must be specified in the cloud contract or SLA.
- The cloud vendor should log all inappropriate or unauthorized access incidents.
- The cloud security market needs to understand the nuances of data loss due to security breaches.

2.  At a minimum, a Cloud Computing SLA should include:

a] Security of data, e.g. encryption mechanism
b] Up time/availability
c] Forensics of each security breach, especially across a shared infrastructure
d] Data portability to accommodate multiple vendor relationships
e] Being able to change the server OS (e.g. Windows to Linux) without disrupting existing applications
f] Business continuity and contingency planning in the event of a failure(s)

3.  The following items were said to be needed, but currently missing from the cloud computing environment:

a] Standards or interoperability agreements
b] Benchmarks to compare cloud services with one another
c] Federation of identities to facilitate a single sign-on procedure for multiple inter-connected clouds

4. Interesting quotes:

a] Jim Reavis, co-founder of the Cloud Security Alliance, said, “It’s important we understand there isn’t just one cloud out there. It’s about layers of services,” Reavis said. “We’ve seen an evolution where SaaS providers ride atop the other layers, delivered in public and private clouds.” I believe the implication was that Infrastructure as a Service was layer 1 (the data center layer), Platform as a Service at layer 2 (the application development/tools layer), and SaaS at layer 3 (or the application run time layer).
b] Ed Bellis of online travel agency Orbitz said, “It’s a challenge, working with partners to get on the same page. Early on there were many things we didn’t expect. Federation of identities in our internal systems became a challenge because of differences between our internal procedures and those of the SaaS provider.” “In your SLAs, you need to have clear language for how data will be handled and encrypted and, in the event of a security breach, the contract must have clear language on who is responsible for specific aspects of the investigation. Build these considerations into the contract side.”
c] Keith Waldorf, VP of operations at Doctor Dispense, a point-of-care online medication and e-pharmacy provider, said one of his company’s most painful experiences in this area was on the contract side. “The lack of common standards really surprised us.” Waldorf said he once was a client of an (anonymous) cloud service provider that upgraded its offerings, but his company was unable to take advantage of the upgraded services because the original SLA locked him in to using only the software and hardware that was available at the time he initially signed the contract.
d] Jeff Spivey, president of Security Risk Management Inc., said “the vendors are driving the service, rather than the market defining its needs.” The previous day, Jeff presented on the threat of “black swan-like” security threats and cautioned the security oriented audience to monitor for “weak signals (of potential threats).”

5.  Microsoft reiterates that they “are all in” with respect to Cloud Computing.

Tim O’Brien, Microsoft Platform Strategy Group manager, said that what really matters is what cloud service based delivery can do for the customer. Microsoft will be moving “category leading products and platforms to the cloud.” For example, it named Exchange Online (e-mail), SharePoint Online (collaboration), Dynamics CRM Online (business apps), SQL Azure (structured storage) and AD/Live ID (Active Directory access) as its lead services for businesses. All of these are designed to run on Windows Server 2008 in the data center and integrate with the corresponding on-premises applications. They will also work together with standard Microsoft client software, including Windows 7, Windows Phone, Office and Office Mobile.

In addition, the company is offering its own data centers and its own version of Infrastructure as a Service for hosting client enterprises’ apps and services. It is using Azure—a full online stack consisting of Windows 7, the SQL database and additional Web services—as a platform as a service for developers. Microsoft Online Services are up and running. They include Business Productivity Online Suite, Exchange Hosted Services, Microsoft Dynamics CRM Online and MS Office Web Apps. On the consumer side, Microsoft launched a cloud backup service called SkyDrive, soft-launched about two weeks ago. SkyDrive is an online storage repository for files that users can access from anywhere via the Web. The web edition of MS Office 2010 will be free to all Windows Live account holders this May. (We wonder how that will affect the company’s profits, which have always depended on desktop sales of MS Office.)

In summary, it’s clear that Microsoft has a comprehensive strategy in place; users will now have to try the cloud based products and services and decide how integrated they really are.

The following from Tim O’Brien provides additional information and insight on cloud security and the Web version of MS Office 2010:

Relative to cloud security, there are a number of resources you can access on our technical sites, some of which I’ve included here:

http://technet.microsoft.com/en-us/security/ee519613.aspx

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3269a73d-9a74-4cbf-aa6c-11fbafdb8257

http://www.microsoft.com/downloads/details.aspx?FamilyID=7C8507E8-50CA-4693-AA5A-34B7C24F4579&displaylang=en&displaylang=en

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=2ab57b5c-8c4f-4b8c-a260-0fe77b5b713f

“For Office, you simply sign into http://skydrive.live.com with your Windows Live ID, and you can use the document workspace for your Office docs, and view/edit them in the browser using the Office Web Apps (specifically, Word, Excel, PowerPoint, and OneNote).  To create a file, you can click on “New” for a drop down menu of these four apps, and off you go…”

References:

1. Frustrations with cloud computing mount
– Lack of standards, industry agreements get more attention as industry expands

Cloud computing lacks standards about data handling and security practices, and there’s not even any agreement about whether a vendor has an obligation to tell users if their data is in the U.S. or not. And
The cloud computing industry has some of the characteristics of a Wild West boom town. But the local saloon’s name is Frustration. That’s the one word that seems to be popping up more and more in discussions about the cloud, particularly at the SaaScon 2010 conference here this week.

That frustration about the lack of standards grows as cloud-based services take root in enterprises. Take Orbitz LLC, the big travel company with multiple businesses that offer an increasingly broad range of services, such as scheduling golf tee times and booking concerts and cruises. 

http://www.computerworld.com/s/article/9175102/Frustrations_with_cloud_computing_mount

2.  SaaS, Security and the Cloud: It’s All About the Contract
– Security practitioners have learned the hard way that contract negotiations are critical if their SaaS, cloud and security goals are to work. A report from CSO Perspectives and SaaScon 2010.

Perhaps the most important lesson is that contract negotiations between providers is everything. The problem is that you don’t always know which questions to ask when the paperwork is being written.  Panelists cited key problems in making the SaaS-Cloud-Security formula work: SaaS contracts often lack contingency plans for what would happen if one or more of the companies involved suffer a disruption or data breach. The partners — the enterprise customer and the vendors — rarely find it easy getting on the same page in terms of who is responsible for what in the event of trouble. Meanwhile, they say, there’s a lack of clear standards on how to proceed, especially when it comes to doing things in the cloud.  Add to that the basic misunderstandings companies have on just what the cloud is all about, said Jim Reavis, co-founder of the Cloud Security Alliance.  Somewhere in the mix, plenty can go wrong.

“If you’re in a public cloud situation and Company B is breached, a lot of finger pointing between that company and different partners will ensue,” Reavis said. “If this isn’t covered in the terms of agreement up front, you have no hope of recovering data (or damages).”

Security vendors can be part of the problem as well. In a recent CSO article about five mistakes one such vendor made in the cloud, Nils Puhlmann, co-founder of the Cloud Security Alliance and previously CISO for such entities as Electronic Arts and Robert Half International, noted that the vendor — who was not named — did “everything you can possibly do wrong” when rolling out the latest version of its SaaS product, leading to users uninstalling their solution in large numbers.

http://www.csoonline.com/article/589963/SaaS_Security_and_the_Cloud_It_s_All_About_the_Contract

3.  Microsoft is moving ever deeper into the data center, exploring frontiers it hasn’t frequented in the past.

SANTA CLARA, Calif.—Only a year ago, the idea of Microsoft showing cloud computing services at an event like SaaSCon would not have computed one bit.
The world’s largest software company has been late to the party on a few things—the Internet being a classic example—but times and its corporate attitude have changed. They had to.  Microsoft, whose executives not long ago were often quoted as hating cloud computing because it cuts directly into their core business, already has swallowed its pride to embrace open source—well, to a certain extent. The company also is trying to move deeper into the data center, exploring frontiers it hasn’t frequented in the past.  At SaasCon 2010 here at the Santa Clara Convention Center April 6 and 7, Microsoft had its first booth dedicated strictly to business cloud services.  It’s an ambitious plunge into a market already full of veteran players and bright newcomers alike.

http://www.eweek.com/c/a/Cloud-Computing/Microsoft-Positioning-Itself-for-Cloud-Service-Business-656834/

4.  A Tale of Two Clouds

The cloud is the answer to all our IT problems — from poor performance to lack of scale to high energy costs. The cloud is a sucker’s game that merely shifts responsibility for IT infrastructure to different hands, leads to performance issues of its own and leaves your data more open to theft.   If both of those statements happened to be true — and we won’t know for sure until it starts to amass significant workloads — would that alter your plans to deploy cloud infrastructure in any way? Apparently not, if the latest research is to be believed.

On the one hand, we have reports from groups like Global Industry Analysts that predict the cloud services market is set to top $200 billion in the next five years. That would represent a blazingly fast growth curve, driven largely by enterprise needs to cut costs and expand capabilities in what is likely to be a mediocre economy at best. But it’s tough to square that level of acceptance with the increasing anecdotal evidence that suggests a large number of IT professionals are hesitant to place too much reliance on the cloud due to security concerns and a lack of interoperable standards.

http://www.itbusinessedge.com/cm/blogs/cole/a-tale-of-two-clouds/?cs=40604

One thought on “CSO Perspectives and SaaS Con report: Cloud Computing Security Remains a Conundrum”

  1. I like the IEEE Techblog very much. There’s so much good info and analysis, like the conundrum of cloud computing security.