Cloud Trust

When we talk about information security, including cloud security, most of the talk is about confidentiality. In my experience almost no one talks about the other 2 parts of the triad – integrity and availability. But these attributes become crucial in the cloud.

Why are we doing cloud in the first place? To cut expenses, both capital and operational – a dollar saved is a dollar earned. Guess what the cloud provider does? The very same thing, cutting expenses as much as they can. And there is no easy answer to the question: make the cloud more secure or save some money.

Let’s take an easy example: how can a cloud provider protect the confidentiality of your data?

For data at rest the answer is pretty obvious – encryption. For data-in-flight there is no answer at all: encryption cannot protect against a privileged insider – all the keys and hashes can be sniffed during live migration or through snapshotting. No measure protects your data with 100% assurance, but every measure has a cost. With the BIG providers you can be sure there are some internal security policies to prevent insider access, and those who have access are not random people from the street. As the cloud computing market grows we see a lot of smaller providers with nice prices for the service, but… So there are some basic questions you would really like your provider to answer before you move your data:

  1. Who has access to the hardware?
  2. How much access do admins have?
  3. Who is watching them?
  4. Is there an internal backup?
  5. Who has access to the backups?
  6. What really happens to our data when we close the account?

I personally know a small company providing a very good cloud service for accounting and supply management. But they haven’t deleted any data in their entire history – everything is still in their databases. You closed your account 2 years ago? Doesn’t matter. The data is still there.

An important part of the cloud is multitenancy – all the tenants use the very same shared hardware infrastructure, which saves money. But it also imposes new risks we never saw before the cloud. Questions for the provider:

  1. How are tenants isolated?
  2. Who grants tenant admin rights?
  3. Who is watching them (both admins and tenant admins)?
  4. How is a tenant admin authenticated?
  5. What really happens to our data when we close the account?

The last question is exactly the same, but with a different aspect – who ensures our data is not accessible, one way or another, to another tenant taking over the hardware resources we used to have?

And this was the easy part, because we’re moving on to integrity and availability, which are most of the time considered the operations team’s responsibility, with almost no attention from the security team.

Let’s say you’ve rented some VMs from the provider. How do you know where exactly the data is stored and how reliable the storage system is? Is it a high-end EMC Symmetrix system or a DIY 90TB storage box built in a garage?

Most providers do not use classic corporate storage systems with known performance and proven reliability. DIY storage is a way to cut a really big piece of the investment, but… here are 2 examples from the Russian provider space:

  • “Selectel” has lost customers’ data several times due to problems with the Linux mdraid service.
  • “Cloudmouse” irreversibly lost 22 000 VMs due to problems with the Ceph service.

And personally I wonder – have these guys ever heard of backup? BTW, has your provider?

Okay, I’ve scared you a little about the cloud, so now let’s compare it to good old home-made IT. We’ve been building it for years, and we know everything and control everything. Right?
In 98% of the IT departments I’ve seen – wrong. There are a lot of reasons for that, like:

  1. There are just not enough qualified personnel
  2. The IT manager and the whole IT department are trying to maintain their personal importance instead of pursuing company needs
  3. Mistakes were made before and the company is still paying for them
  4. Some decisions were purely political instead of technical
  5. … and this list can be 100 pages long.

So what should we do about it and what’s the magic word?

It is Trust. And particularly Cloud Trust. I’ve tried to extract the meaning of this word:
– Trust is a situation in which you are sure of the other party’s words/deeds

Outside IT you gain trust; it is a process. And you gain it with time, when you prove yourself trustworthy. I believe everyone agrees that you should trust your cloud provider if you move your data and intellectual property to their premises.

Experience is something you don’t get until just after you need it.

What we do in our relations with new people, when establishing whether we can trust them, is call on a trusted 3rd party. You cannot be sure if the man or woman right across the table is a real doctor, so you ask for a diploma from a university you trust.
Unfortunately, in the cloud provider space there is no trusted authority to certify one provider or another. There are several organizations to help us though, like the global Cloud Security Alliance with its ready-to-use questionnaires. You just take one and ask your provider to answer these questions for you.

On the other side, what I see is that most companies exaggerate the importance of their data, because they don’t really have a clue. The Netherlands police, for example, took a deep look into the data they have. Guess what they found – 95% of everything they have is NOT confidential. How much commercial company data is really confidential, do you think?

What should you do before considering cloud services?

DO

  1. Clean up the mess in your internal IT. Cloud is about automation, and when you automate a mess you get an automated mess.
  2. Classify your data. There is no need for 100 different types and security classes; 3 to 5 would be just fine.
  3. Start with new non-confidential data.
  4. Start with a new test zone in the cloud.
  5. Start with secondary and support processes.
  6. Deploy seasonal and peak loads in the cloud.
  7. Create and test a backup policy with offsite data storage, so if the cloud goes down you at least have backups.

DO NOT

  1. Replicate your services as they are.
  2. Move everything at once, especially business critical applications.