
The Dangers of Cloud Computing

Published on NetworkWorld.com Community
(http://www.networkworld.com/community)

By jheary
Created May 28 2010 - 3:03pm

Cloud services can be a huge money saver for businesses and look to be the future
direction of IT for many. I'm a huge proponent of cloud services as long as folks enter
into agreements with their eyes wide open. To this end, here are five things you need to
be aware of before you move your data to a cloud service.

There are three types of cloud services: Infrastructure as a Service, Platform as a
Service, and Software as a Service. Most of the concerns I'll talk about apply to all
three types.

Right to audit your cloud provider - Many default contracts will not provide you with
the right to audit your cloud services appropriately, or in some cases at all. You need to
make sure that you retain the same auditing rights you would expect to have in your
own data center. At least that is what to ask for; in reality you'll probably end up with
something a bit less than that type of auditing access, but aim high. Be sure to ask how
they control privacy in a multi-tenant environment where everyone has the same right
to audit policy. You need to make sure that your services are properly segmented from
others so they cannot audit you as well. Be aware that there are no private or public
regulations for auditing cloud services today. We need a trusted third party who will do
this auditing for us and allow us to compare the security of similar cloud provider
services. Until this happens we each need to fight independently to get the auditing
rights we desire in our contracts.

Data Privacy Concerns - In almost all cases, if you have an IaaS or PaaS service then
you should be encrypting your data at rest. Be sure the key server is not also hosted in
the cloud service, as this would defeat the purpose. Have the key server be at your
corporate site or some other site not related to the cloud provider. Why should you
encrypt your data, you ask? Well, in a nutshell, when you move data the question of "Is it
still just your data?" becomes a very real one.

Cloud providers are subject to law enforcement subpoenas, surveillance and data
seizure activities that you wouldn't normally be subjected to in your own datacenter.
Loss of 4th Amendment rights for US companies is also at issue. By moving data to a
cloud service you may be decreasing your protection from search of your data by law
enforcement and civil plaintiffs. A warrant with a gag order means that your cloud
provider must provide your data without notifying you they did so. The ability to protest a
warrant is also compromised because the warrant is issued to the provider, not your
business. There is no legal obligation for the cloud provider to inform their customers
that data was given because of a court order, etc.

In one case the FBI seized the physical assets/servers from a co-location
provider. Over 50 innocent companies were shut down in the process because their
data was intermingled with the FBI target's. Read more here: FBI raids Data Center [1].
When one of the affected companies tried to sue, the Texas court ruled that the FBI had
the right to do this.
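
The Data Privacy advice above (encrypt data at rest and keep the key server off the provider) can be implemented as envelope encryption performed before upload. This is an added example, not code from the original post; the function names, the blob layout and the in-memory key standing in for an on-site key server are assumptions.

```javascript
const crypto = require('crypto');

// AES-256-GCM seal: returns nonce (12) || auth tag (16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverse of seal; throws if the key is wrong or any byte was altered.
function unseal(key, sealed, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Runs on your own site. kek is the key-encryption key held by the on-site
// key server (assumed here to be a 32-byte Buffer); it is never uploaded.
function encryptForCloud(kek, objectId, plaintext) {
  const aad = Buffer.from(objectId); // binds the blob to its object name
  const dek = crypto.randomBytes(32); // fresh data key for this object
  const blob = {
    objectId,
    wrappedDek: seal(kek, dek, aad),
    ciphertext: seal(dek, plaintext, aad),
  };
  dek.fill(0); // drop the plaintext data key once it has been wrapped
  return blob; // everything the provider ever stores
}

// Also runs on site: unwrap the data key with the KEK, then open the object.
function decryptFromCloud(kek, blob) {
  const aad = Buffer.from(blob.objectId);
  const dek = unseal(kek, blob.wrappedDek, aad);
  return unseal(dek, blob.ciphertext, aad);
}

// Constructed demo input; the random KEK stands in for the key server's key.
const demoKek = crypto.randomBytes(32);
const demoBlob = encryptForCloud(demoKek, 'hr/payroll.csv', Buffer.from('constructed sample row'));
console.log(decryptFromCloud(demoKek, demoBlob).toString());
```

Anything handed over by the provider contains only `wrappedDek` and `ciphertext`; reading it still requires the KEK from your own site.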

http://www.networkworld.com/community/print/61877

31/5/2010


Digital Forensics - Cloud services do not lend themselves well to the methodical
collection of digital forensics. If you do have a security breach, digital forensics becomes
critical to finding out how extensive the breach was. Several state and local
governments now have "breach notification" laws on the books. In addition, the
healthcare HITECH law and PCI require you to notify customers of a breach. The
notification methods sometimes vary based on the size of the breach. Be sure your
contract provides you with the forensics capabilities you'll need. Chain of
custody is also an issue. Be sure your provider will not hamper your ability to prosecute
criminals. Ask them how they handle logs and other important data.

Penetration Testing - Penetration testing is usually prohibited in the default contracts
of cloud providers. However, this is a requirement of PCI and most security policies.
This is a tricky problem for cloud providers. On the one hand they want to provide their
customers with this capability, but on the other hand providing it could cause
damage to their systems and other customers' service if used incorrectly. Several large
cloud providers, like Amazon and Google, are letting customers scan their own
equipment and services. This is a good step forward, but it still lacks the ability to scan
the cloud provider's infrastructure. You should ask for this capability or an equivalent
(like a periodic report from a trusted third party scanning service) in your contract.

Natural disasters and end of contract issues - Be sure to ask your cloud provider
how they deal with the following:
* Natural disaster clean up
* Removal of data at contract end. Can you verify its destruction?

Cloud providers are getting better at securely disposing of your data at the termination
of your contract, but you still need to ask or look in your contract to be sure it meets
your needs. Ideally, they should either physically destroy hard drives or perform an
approved Department of Defense erase procedure.

An often-overlooked issue is how cloud providers deal with the protection of your data
during and after a natural disaster. For example, if a hurricane hits their datacenter and
rips it apart, what are their procedures for keeping your data secure? In many cases the
physical access controls will be rendered inoperable by the storm, and in the worst case
servers could be strewn throughout the site. They need to show you a comprehensive
plan for securing the site and your data during the clean up effort. You don't want
volunteers picking up the pieces.

Those are five of the things you should be aware of and check on before you sign a
contract with a cloud provider. For more good info on what to ask for in a contract or
service, see the excellent guide done by the Cloud Security Alliance here:
http://www.cloudsecurityalliance.org/ [2]

What other things are you making sure to look for when considering a cloud provider's
services?

The opinions and information presented here are my PERSONAL views and not those
of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you
knowing it [3]

* Google Nexus One vs. Top 10 Phone Security Requirements [4]
* Why you should always shred your boarding pass [5]
* Video rental records are afforded more privacy protections than your
online data [6]
* The truth about new SSL attacks [7]
* 2009 Top Urban Legends in IT Security [8]
Go to Jamey's Blog [9] for more articles on security.


Source URL: http://www.networkworld.com/community/blog/dangers-cloud-computing


Links:
[1] http://www.networkworld.com/news/2009/042209-when-the-fbi-raids-a.html
[2] http://www.cloudsecurityalliance.org/
[3] http://www.networkworld.com/community/node/33210
[4] http://www.networkworld.com/community/node/49560
[5] http://www.networkworld.com/community/node/44457
[6] http://www.networkworld.com/community/node/44055
[7] http://
[8] http://www.networkworld.com/community/node/42489
[9] http://www.networkworld.com/community/heary
