Cloud Trust

When we talk of information security, including cloud security, most of the talk is about confidentiality. Well, as from my experience almost no one talks about 2 other parts of the triad – integrity and availability. But these attributes become crucial in cloud.

Why are we doing cloud in the first place? To cut expenses, both capital and operational – dollar saved is dollar earned. Guess what cloud provider does? The very same thing, cutting expenses as much as they could. And there is no easy answer to the question: make cloud more secure or save some money.

Let’s take an easy example, how can cloud provider protect your data confidentiality?

For data at rest it’s pretty obvious answer – encryption. For data-in-flight there is no answer at all, encryption cannot protect from privileged insider – all the keys and hashes can be sniffed during live migration or through snapshotting. There are no measures to protect your data with 100% assurance, but all have costs. With the BIG providers you can be sure there are some internal security policies to prevent insider access and those who have access are not random people from the street. As cloud computing market grows we see a lot of smaller providers with nice prices for the service, but… So there are some basic questions for you provider you would really like to have an answer before moving your data:

  1. Who has an access to hardware?
  2. How much access do admins have?
  3. Who is watching them?
  4. Is there internal backup?
  5. Who has an access to backups?
  6. What really happens with our data when we close account?

I personally know a small company providing a very good service for accounting and supply management from the cloud. But they haven’t deleted any data in their entire history – everything is still in their databases. You closed your account 2 years ago – doesn’t matter. Data is still here.

Important part of the cloud is multitenancy – all the tenants use the very same shared hardware infrastructure, it saves money. But also it imposes new risks we never saw before cloud. Questions for provider:

  1. How tenants are isolated?
  2. Who grants tenant admin rights?
  3. Who is watching them (both admins and tenant admins)?
  4. How tenant admin is authenticated?
  5. What really happens with our data when we close account?

The last question is exactly the same, but with different aspect – who ensures our data is not accessible one way or another by other tenant taking over hardware resources we used to have?

And this is an easy part, because we’re moving to integrity and availability which are most of the time considered as operations team responsibility with almost no attention from security team.

Let’s say you’ve rented some VMs from the provider. How do you know where exactly data is stored and how reliable storage system is? Is it high end EMC Symmetrix system or DIY in garage 90TB storage like this one?

Most providers do not use classic corporate storage systems with known performance and proven reliability. DIY storage is way to cut really big piece of investment, but… here are 2 examples from Russian provider space:

  • “Selectel” have lost customers data several times due to problems with linux mdraid service.
  • “Cloudmouse” irreversibly lost 22 000 VMs due to problems with ceph service.

And personally I wonder – have these guys ever heard of backup? BTW have your provider heard?

Okay, I’ve scared you a little of cloud, so now let’s compare it to good old home-made IT. We’re building it for years and we know everything and control everything. Right?
98% of ITs I’ve seen – wrong. There are a lot of reasons for that, like:

  1. There is just not enough qualified personnel
  2. IT manager and whole IT department trying to maintain their personal importance instead of pursuing company needs
  3. There were mistakes made before and company still paying for that
  4. Some decisions were purely political instead of technical
  5. … and this list can be 100 pages long.

So what should we do about it and what’s the magic word?

It is Trust. And particularly Cloud Trust. I’ve tried to extract the meaning of this word:
– Trust is situation when you are sure in other party words/deeds

Outside IT you gain trust, it is a process. And you gain it with time when you prove yourself trustworthy. I believe everyone agree that you should trust your cloud provider if you move your data and intellectual property to their premises.

Experience is something you don’t get until just after you need it.

What we do with our relations with new people and establishing if we can trust them is calling for trusted 3rd party. You cannot be sure if a man or woman right across the table is a real doctor, so you ask for diploma from university you trust.
Unfortunately in cloud provider space there is no trusted authority to certify one or another provider. There are several organizations to help us though, like global Cloud Security Alliance with ready to use questionnaires. You just take it and ask your provider to answer these questions for you.

From other side what I see – most of companies exaggerate importance of their data, because they don’t really have a clue. Netherlands police for example took a deep look into data they have. Guess what they have found – 95% of everything they have is NOT confidential. How much commercial company data is really confidential you think?

What should you do before considering cloud services.

DO

  1. Clean up a mess in your internal IT. Cloud is about automation, and when you automate the mess – you get automated mess.
  2. Classify your data. There is no need in 100 different types and security classes, 3 to 5 would be just fine.
  3. Start with new non-confidential data.
  4. Start with new test zone in the cloud.
  5. Start with secondary and support processes.
  6. Deploy seasonal and peak loads in the cloud.
  7. Create and test backup policy with offsite data storage, so if cloud goes down you have at least backups.

DO NOT

  1. Replicate your services as they are.
  2. Move everything at once, especially business critical applications.

“IT vs Private Cloud” Paradox

Many years we speak of cloud computing, and I have been selling private cloud for a long time. But we’re still in very early stages of private cloud adoption. Why?

Answer was a surprise even for me. Private cloud is not something IT department need.

Every commercial company is a manufacturer. Yes, I’m not mistaken. Even small nail salon is a manufacturer. They produce profit. Just for argument simplicity let’s talk about profit as income minus costs (capital expenses and operational expenses including salaries). As we know dollar saved is dollar earned and therefore we’re driving costs down.
But where does cloud part come in you ask? Just wait for it.

Let’s take a look at allegedly most interested in cloud employees – IT department. Department includes IT management and administrators / specialists, IT assets in both hardware and software. And budget. As a rule, IT budget looks like some kind of financial black hole actively consuming sums with many zeroes. It’s almost impossible to understand financial flows and how it reflects on actual IT services. Here comes private cloud with financial visibility, service catalogs and measured service – so we can actually say how much one mailbox costs. We’re in CFO dream now.

But IT department says: NO!
RLY? WTF?

Ok, let’s take another look on IT department, completely unrelated to technology – motivation.

What average IT admin wants? Pretty simple answer: high-tech toys, arcane techno mage status and significance. Who should choose new servers/storage system? Of course ME, it’s MINE! No, it’s not. It’s a tool, not a toy, and cloud brings us standards for systems. More than that, cloud makes admin interchangeable, the role does not bear any arcane knowledge anymore. Cloud admin is highly qualified in several areas – yes, but I don’t really see a lot of admins after 30 who really want to study something new and adapt. People want stability and “expert” title. What they do not want is to remain students till grandchildren.

What does IT management want if we skip part with kickbacks and gray schemes on procurement? Pretty the same – influence and significance. Which directly translates to number of employees and total systems cost. Plus a budget to control themselves, with no one looking over the shoulder. Each new new employee reporting bring costs, and each new admin add NO to the cloud question.

What cloud makes with IT budget? Black hole splits into separate services with measured costs, and CFO can now compare internal services with available on the open market. Which can be not in internal services favor. Cloud brings financial visibility to financial management and line business managers as well as how to spend budget in accordance with company targets.

– What, board will be able to see how I spend my budget?! – direct quote from one CIO I met.

It’s not a paradox, we now understand why IT don’t like cloud. But what should we do? I don’t have that answer.