“Cloud computing”… a buzzword for a while now! It's a fact that security professionals, whatever their role (auditor, system administrator, investigator, etc.), will one day face a situation where the company's applications and data are hosted “in the cloud”.
This evening, the ISACA Belgium Chapter organized a round table on this topic: “What's in the cloud for you?“. The speakers were Benjamin Jacobs, Patrick Van Eecke and Marc Vael. They covered the “cloud” from three different points of view: technical, legal and compliance.
Benjamin, CTO of Combell Group, started with a presentation on the technical side of the cloud. His employer has been providing virtualization services since 2006, when the expression “cloud computing” had not yet been coined. This shows that the cloud revolution is not that new. The logical evolution of servers was: physical, then virtualization, and finally a “global virtualization” now called the Cloud. The definition of cloud computing proposed by Benjamin (amongst others) is: “a business model based on the Internet, as a service, dynamically assigning resources and flexible in all aspects“. He insisted on the business model: that's the real revolution. From a technical point of view, the infrastructure has not evolved that much. From the cloud, the usual service models are derived:
- SaaS (“Software as a Service“), e.g. salesforce.com
- PaaS (“Platform as a Service“), e.g. Google App Engine
- IaaS (“Infrastructure as a Service“), e.g. Amazon S3
Cloud services can be managed or unmanaged, and public or private. Private clouds rely on dedicated hardware and tailor-made solutions; in public clouds, large server farms are shared between customers. Note that moving to an unmanaged cloud solution can be seen as a step back from a system administration point of view: internal investment is still required to manage the platform (day-to-day tasks, patching, monitoring, etc.).
The second speaker, Patrick, addressed the legal side of cloud computing and its current issues. Patrick is a lawyer with a strong IT background. The challenges are multiple: liability, which laws apply, and confidentiality. In Europe, most laws on personal data protection were published between 1992 and 2003, and were written with “e-*” services (e-commerce, e-government, etc.) in mind. In Belgium, the law basically says (since 1992!): I must know where my personal data are stored. And now, with cloud computing? Another issue is the distinction between the “data controller” and the “data processor“. The data controller defines the purpose and the means of processing personal data; the data processor is just the “dumb performer“. Today, cloud providers are both controllers and processors, and can be prosecuted in case of a data breach. This is a major constraint for European cloud providers.
Contracts between the two parties also matter. First, “click-wrap” agreements are legally enforceable! Contracts are full of small remarks (in small print). Like any contract, read all the terms; some are often unacceptable. What happens in case of bankruptcy? Is there support? Which court is competent in case of a legal dispute? That's why choosing a local cloud provider can be an advantage.
What about liability for illegal data? Providers are responsible for the data stored on their servers, with one exception: they cannot be prosecuted if they were not aware of its presence. This is the principle of “notice and take down”: only once they detect (or are notified of) something illegal must they remove the content. That's why many cloud providers deliberately do not implement any control over the data they host.
There are also software licensing issues: some licenses are priced per CPU, so how do you count CPUs in a cloud? Even open source software can be a source of legal issues. The GPL requires that modified software, when distributed, be released under the same license (the so-called “contamination”, or copyleft, effect). Running modified GPL code as a hosted service, however, is not distribution in the GPL's sense, so the obligation is never triggered; the Affero GPL was created to close this gap by extending the obligation to software offered over a network.
Finally, the compliance issues: data retention, tax-related storage requirements, electronic invoicing legislation, e-commerce legislation, electronic signatures and, again, all the problems of data location.
The last speaker, Marc, addressed the governance and security aspects of cloud computing. The IT world is changing and the cloud will be part of it; that's why security professionals have to take care of it. Marc tried to demystify the “evil cloud“. It also has positive aspects for security:
- Resource concentration
- Standardized interfaces (“dashboard”)
- Security audits
- Standard updates and baselines
Of course, providing good security in the cloud also comes with a lot of challenges:
- The cloud provider must allow external audits
- It must support forensics investigations
- Accountability
- Architecture transparency
- Physical controls
- Safe migration of data (e.g. when changing cloud provider)
- Logging & monitoring
- Data ownership
- Hypervisor security (e.g. the Blue Pill virtualization rootkit)
- Business continuity and disaster recovery planning (BCP & DRP)
- Data encryption
The choice of your cloud service provider is crucial. The growing demand for cloud services drives companies to offer them like any other IT service, but how long will they survive? Be careful when you send your data to their cloud. Finally, classic compliance frameworks can still be used to audit cloud services: the classic ISO standards, ISACA COBIT, ISACA Val IT or ISACA Risk IT. Like any security project, executive management must be involved at several levels: vision, decision and support.
This was an interesting meeting which tried to demystify the bad perception of the cloud that most of us still have. Ok, there are many issues to keep in mind but, according to the speakers, the cloud is there and we'll have to work with it.