By Chloe Clarke – Head of Global Business Development at Razor Thorn Security
The launch and continued rise of the Cloud in recent years would be difficult to miss, yet surprisingly widespread apprehension towards this new service exists within our business culture. The Cloud holds so much potential due to its flexibility, accessibility and cost saving capabilities, so I want to explore what is causing this uneasiness towards Cloud services, and which key questions are affecting people’s decisions to adopt and leverage it.
From an outsider’s perspective (I formerly worked in retail and educational sales roles, so I’m not from a technical background), it became clear relatively early on in my new role that many of the statements Cloud vendors make are not always accurate, and there also seemed to be a stigma surrounding the Cloud.
After speaking to a variety of individuals considering Cloud adoption, they all appeared to share the same concern – risk. It was felt that the level of uncertainty following implementing cloud services represented too great a risk to enable them to go ahead with their project.
With first-hand experience working in the education and retail sectors, I understand what it’s like working in a highly regulated environment. We would be forced to recall and amend immediately any incorrectly advertised information that was being used to sell an item, for if it were found to be false it would cause reputational damage, revenue losses, and bring the possibility of lawsuits.
Whilst this rigorous application of regulation is common practice, in contrast there seems to be a rather blasé attitude towards the amount of misleading advertising which a number of Cloud companies provide regarding the security of their services. For example, I was handed documentation by a company stating that their Cloud held PCI DSS accreditation; however, following a few questions about this from me, the individual modified their statement to: “We work in a PCI manner”…
Getting to the truth of Cloud security can be a minefield of ill-informed sales jargon, which is at best confusing, and at worst misinformation, which serves to put businesses off completely. With this in mind, I rounded up a selection of security industry experts to find out the realities of risk involving the Cloud, whether they can be mitigated, and if so how.
Mark Bailey – Speechly Bircham LLP – Lawyers
“Using Cloud does not automatically expose a business to more risk: the big Cloud providers can potentially offer a level of information and physical security far beyond that of most businesses. The key to Cloud is that “you get what you pay for”. Cloud services are all very different, using different infrastructure models as well as being set up and managed differently. This means that evaluation of the service (correct due diligence, intelligent risk review around the actual use that the business requires for the service and properly tailored legal contracts, where possible) are critical. The known risks can then be identified and mitigated, for the appropriate price. Risk is often created where there is a mismatch between the expectations that a buyer has of a service and what the provider is prepared to offer, or where adequate due diligence (both internally by the buyer of its own requirements, and of the provider) is not conducted. The attitude to risk on Cloud also needs to be consistent with the business’ overall risk management processes internally.”
Frank Jennings – DMH Stallard LLP – Lawyers
“Using Cloud services need not expose you to more risk. In fact, if you haven’t embraced proper DR services on your existing IT, using Cloud services could actually reduce your risk. You must spend wisely on Cloud services to get the resilience and security you need. Also, you must check the liability exclusions in the Cloud services contract to make sure you’re happy all the risk isn’t on you as customer. In particular, check if the provider has excluded liability for loss of data and clarify whether your remedies are restricted to service credits.”
David Prince – Hibu plc. (Formerly known as Yell)
“More and more business leaders are making decisions on when Cloud services will be adopted and in what capacity. It is our responsibility as advisors to the business to ensure appropriate and independent risk assessments are being performed. With the stigmatisms attached to Cloud, this is sometimes easier said than done. On one hand you have the undeniable business efficiencies, such as cost savings, agility, and rapid time-to-market, but on the other hand you’re faced with the inherent obscurities of any Cloud model which must be identified, understood, communicated, and managed.
As a strong advocate for simplicity (where possible) I believe a lot of the fear, uncertainty and doubt can be overcome in a relatively straightforward manner, even with the abundance of complexities inherent with this significant shift in IT service delivery. Go back to basics and cover the pre-requisites – contextualise your risk, know your data, and know your business! This will enable you to better understand your organisation’s risk appetite and how it is being impacted by Cloud.”
Steve Carroll – CompareSafe – Security Verification Assessors
“Cloud security has always had a level of the unknown about it. While it is true that the Cloud can be a very secure platform, in the same breath it is worth remembering that if set up or used in the wrong way it can open its potential users up to a world of security issues. One article even compared it to “picking a dog with the least fleas”.
That being said, companies should not be afraid of moving to the Cloud as long as they do some serious checks to know exactly what they are buying and if in doubt get it independently checked.”
Adam Moss – Razor Thorn Security – Information Security Consultants
“If Cloud is approached in the correct manner and the security is done properly, it is possible to minimise the risks of moving to the Cloud. The flexibility that Cloud technology brings means that there are many creative ways that Cloud services can be provided with security as an integral part of the set up.
The key to choosing a Cloud provider is to ask as many questions as it takes for you to be sure that the Cloud service provider does what they say. Ask for evidence of the level of security and, if compliance is an issue, definitely ask to see any relevant documentation to certify the compliance. If you have a security professional on your team, whether in-house or outsourced, get them involved in the process, ask their advice and if possible get them talking to the Cloud provider.”
Nick Prescot – Firehost – Cloud Provider
“Using the Cloud model for the use of computing is not different from moving to a different dedicated environment…they all have different risks that are inherent with moving data from one location to the other location.
Also, it is a case of caveat emptor in the sense that the customer needs to understand how the data is managed, hosted and in some cases secured.
The question of data sovereignty and compliance requirements should be the main start of any risk assessment and also how the expectation of data privacy and protection can be managed.”
Dave Foster – ProAct – Cloud Provider
“I think the first thing is to look at what risks you have today. I would argue that as a Managed Cloud Service provider we will be a lot more secure than customers, as we are audited so have to operate to certain standards (such as ISO27001 and PCI) and also have to prove that we vet and police all our staff.
How many customers do that? Assuming you decide to take a Cloud service then it really depends on the service taken and the type of provider.
As an example, if you took IaaS (i.e. hosted VMs and storage – the most common Cloud infrastructure service) and selected a public provider like Amazon or Rackspace then I would argue you are exposed to more risk. Their models are designed to protect their infrastructure, not their customer VMs, applications and data. If you selected an Enterprise provider like Proact, who provides an up-to-the-OS service and who proactively monitors and polices security of your VMs, data and applications, then I would argue that we go a lot further than most customers. See our security FAQ”
The underlying message is clear: utilising the Cloud is risky if a hasty, ill-informed leap is made during procurement.
The Cloud ecosystem is still maturing and we are not yet able to transfer all services to the Cloud; however, there are many situations where it is potentially safer than in-house IT if implemented correctly.
If a vendor offers a Cloud service which provides a raft of benefits and features, it falls to the business to ascertain whether or not this is proven. Turning to experts and industry counsels for guidelines and advice is invaluable, given the complexities that procuring Cloud services entails.
Getting past the myths surrounding the Cloud is crucial to encouraging widespread uptake, but with a proportion of the general public still convinced the Cloud is of the meteorological variety, and many believing our data is floating around in the sky, demystifying Cloud services presents no easy task.
Although the Cloud can be difficult to comprehend, its offerings are still growing, establishing and being gradually accepted by consumers. However, this is hindered by a misunderstanding of the product, compounded by misinformation driven by some desperate or perhaps just plain ignorant sales teams.
I want to thank everyone who commented on this article: Hibu plc, Firehost, ProAct, CompareSafe, Razor Thorn Security, Speechly Bircham and DMH Stallard.