There have been some good discussions recently on the security of cloud computing services. Are you using or considering using external cloud computing for data storage or to undertake business functions?
A recent post A follow-up on SaaS & Cloud Risk reminded me to raise the topic here. The posting highlighted comments on The Register regarding Multi-site Bug Exposes Cloud Computing's Dark Lining included one by Raife Edwards:
IF... you own, and run, your own servers, or systems/software... AND, a "common vulnerability" exists, and is exploited... You MAY be vulnerable... you MAY have a security issue... you MAY be targeted... you MAY not have adequately protected your system... you MAY be hit by the problem... you MAY have issues, and losses... possibly.
If, however, you are dependent upon any, EXTERNAL, single point-of-attack/vulnerable-point... then you WILL be hit... you WILL be affected... you WILL have losses... and you WILL be totally-dependent upon EXTERNAL-interests in "fixing", and recovering... based upon THEIR competence, and on THEIR time-table... and, to suit THEIR perception of THEIR interests.
Does this affect you? Not sure? Does your business use any of the following (the categories and terminology overlap)?
- software as a service (SaaS)
- platform as a service (PaaS)
- infrastructure as a service (IaaS)
- hosted application
- application service provider (ASP)
- cloud computing
- online office application (e.g. Microsoft Business Productivity Online Standard Suite, Google Docs)
- external web mail (e.g. Hotmail, Gmail, Live Mail)
- peer-to-peer services (e.g. Skype)
- online backup and synchronisation (e.g. Iron Mountain, iDisk, Live Mesh)
- other people's content included directly into your software applications (e.g. news feeds, maps)
- third party online service (e.g. address lookups, payment gateways).
If so, perhaps answer these three questions. Does it matter...
- if someone else deletes, or an unauthorised person views, your data?
- in which geographic location your data are stored?
- if your data or service are unavailable for more than 10 minutes?
If you answered "yes" to any of the above, take time to consider what the effects would be if any of your data was stolen or the service was unavailable for an hour, a day or a week. The considerations are very similar to any other business decision, but it's easy to forget the trust we are placing in another party.
The key security issues to review are software liability, right to audit, service level agreement (SLA), security testing plans, authentication policies, intellectual property, storage locations, system isolation, data encryption in transit and at rest, backup and recovery, archival, support, complaints procedure, contract jurisdiction and legal compliance. If you have cyber liability insurance, you will also need to check whether these cloud services are covered.
In Part 2 (of 2) on Tuesday, I'll highlight some more recent cloud computing issues and provide links to additional discussions.
Update 27th November 2009: See also Cloud Computing Risks.