It seems that the security risk to federal cyber security introduced by a new or emerging technology is inversely proportional to the convenience it offers to industry. Every few years a hot capability comes along that instantly has businesses clamoring to adopt it, while security professionals scramble to discover and address its vulnerabilities. Wireless networking fell into this category, and the rise of Cloud computing over the last few years appears to be just the leading edge in a massive migration towards virtualization and out-sourced data hosting.
An industry unfortunately lacking standardization and oversight, where the uninformed essentially gamble one of their most valuable assets on a table marked with confusing, and sometimes risky, bets. The “valuable asset” in this analogy is, of course, proprietary data. Businesses, and even governments, frequently fail to comprehend the true value their data and intellectual property represent to their organization-much less the value that information might have to others: “Value” cannot always be measured in monetary terms, and oftentimes the value of an object comes not in its positive potential, but in the negative consequences it might produce in the hands of a competitor, criminal, or wary public.
The attraction to the Cloud is undeniable. Cost savings are frequently realized through the outsourcing of infrastructure, software, technical support, and security controls-assuming those services are effective and reliable. In fact, a service provider may be able to offer a computing capability far beyond what many companies might otherwise be able to afford: An outsourced solution is easily scalable, providing a partial or total solution with ready-made growth capability, and it may also offer increased accessibility to data if that is desirable. With respect to security, for a small or mid-sized company with marginal security to begin with, even a service provider with only modest security features may offer an improvement over the existing system.
When deciding whether or not to outsource it is important for an organization to fully understand and quantify their risk in utilizing the Cloud, starting with a comprehensive assessment of the true value of the data and intellectual property being entrusted to a potential service provider. In an outsourced solution, an organization is relinquishing direct control of their data, and possibly business processes as well, to an entity for which the element of trust may be unknown or at least undeveloped. Significant effort should be expended in understanding the details of the service being provided and defining the level of trust obligated by the contractual relationship. Be wary of Service Level Agreements (SLA) containing contractual elements granting the provider wide latitude and limited liability for the storage or confidentiality of data: For instance, some SLAs include provisions for sharing data with third parties or rights for marketing.
Key information to collect and consider when comparing service providers will include:
• Governance, Oversight, and Liability: When was the service provider’s last assessment, and have they had citations or security breaches in the past? Is the service provider compliant with applicable regulatory requirements in handling your data? Are you in compliance with applicable regulatory requirements in outsourcing your data? What is the provider’s liability and obligation in case of data loss or compromise?
• Physical and Logical Geography: Where are the data centers physically located that will be hosting your information, and how will your data be partitioned on the server(s) relative to other data stored by the provider?
• Security Controls: How is your data secured, both in transit and in storage? How, when, and where is your data replicated, and how long is it retained? How will various security measures impact advertised access and performance characteristics for the service?
• Physical and Logical Access: What security policies are in place for access to, and modification of, the data center and your data? Who will have access to your data? Possibilities include service-provider employees or administrators, third-party vendors, contractors, as well as officials from governmental, compliance, or oversight bodies.
• Balance Risk versus Trust: Evaluate the costs and consequences in the event your data were lost or compromised, and consider maintaining internal control or heightened security measures for that portion of information critical to the organization or the conduct of business. Such sensitive data might concern proprietary products or processes, intellectual property, privacy information regarding employees or customers, or company financial’s.
Although various initiatives are underway for establishing uniform standards and oversight bodies for the virtual sector, many such efforts have failed in the past and effective legal and industry standards for Cloud computing appear to be years away from realization. As tighter security and control requirements do come into play in the industry, it will be interesting to see whether outsourcing remains a cost-efficient and attractive proposition for businesses when weighed against the relative risks.