Cloud computing is the new kid on the block, a new way for organisations to manage their business systems and networks without investing in the traditional IT estate. E RADAR's Will Roebuck looks at why organisations are turning to the cloud, the opportunities this new technology can bring, and identifies some of the risks involved.
Cloud computing - computation, software, data access and storage services that don't require end-user knowledge of the physical location and configuration of the system that delivers the services - is appealing to organisations and consumers alike as it offers many benefits over traditional, server or desktop-based computing.
However, these benefits bring corresponding risks that should not be overlooked, particularly around security and privacy. Technology is dynamic and complicated, and an ongoing headache for law makers who strive to give the majority of us who use it some certainty. Make no mistake: laws and regulations never catch up with technology, they simply evolve to meet new circumstances. Cloud computing is no different, with law makers setting down markers to shape the future of this cutting-edge technology.
This article sets out a cloud computing SWOT (strengths, weaknesses, opportunities and threats) analysis for organisations considering cloud investment. It complements my earlier article, The Law and Cloud Computing.
The key strengths of cloud computing lie in business continuity, flexibility and agility, and mobility.
- Shared computer resources
Instead of paying for costly computing power that sits idle most of the time, an inherent drawback of the client-server model, cloud computing allows for more efficient and affordable use of computing resources.
- Cost savings
The end user is no longer burdened with the expense of maintaining and updating servers, data centres and software. Instead, the cloud computing provider carries these IT costs, while organisations pay a monthly subscription fee.
- No licensing
- Reduced reliance on external consultants
The provider now handles software updates and the installation of patches that close dangerous security holes. Software incompatibilities are no longer your problem, so there is far less need for external IT consultants to troubleshoot your business systems. Note, however, that this only covers the layers the provider operates: the configuration of your own accounts, access rights and data remains your responsibility, which is why the questions to put to the provider at the end of this article matter.
- Mobility
Data stored in the cloud can be accessed from virtually anywhere with an internet connection.
Weaknesses
- Legacy systems
- User attitude and control
- Global economy
Opportunities
- Agility and flexibility
Smaller firms are nimble and so can move to the cloud more easily, taking advantage of its many cost-saving benefits.
- Growth in cloud services
- Consolidation in legal and regulatory environment
Threats
- In-house IT personnel
Many IT professionals will need to reinvent themselves as organisations do away with expensive IT departments.
- Data Protection
- Physical equipment
- Physical environment
- Physical by-products
- Identity authentication
- Application privileges
- Input validation
- Appropriate behaviour patterns
- Reporting logs
- Permanent network connections
- Intermittent network connections
- Network maintenance
- Remote sensors and control systems
- Back-up procedures
- Human maintenance of security procedures
- Intentional actions threatening security
- Internal policies for software development
- Policies for dealing with external vendors
Questions to ask your cloud services provider
Organisations should consider online security when purchasing software products or cloud services from vendors. We have suggested some basic questions to ask below; it is not an exhaustive list. The answers can then be turned into protections written into the supplier contract.
- Which SDL (Secure Development Life-cycle) programme does your development team adhere to?
- What methodologies do you use for security testing your products? (Automated testing, code-review, fuzzing, manual tests etc.)
- How frequently and using which methodology do third parties conduct security assessments on your products?
- What training do your development and testing teams receive specific to application security?
- Do you have a dedicated team to assess and respond to security vulnerabilities reported in your products?
- What is your patch release strategy and what tools do you offer for patch deployment?
- Do you disclose all vulnerabilities that affect your software, and how/when are customers notified?
- How did you threat-model the application?
- Do you conduct security testing separately from functional testing?
- What technical guidance do you provide about vulnerabilities, including how they could be exploited, how they are currently being exploited, and how to mitigate the vulnerability?
- For applications developed on Microsoft platforms: do you use Microsoft's DREAD model (Damage, Reproducibility, Exploitability, Affected users, Discoverability) to rate the severity of the threats you identified?
- What is your typical time frame from vulnerability report to patch delivery?
- Would you support a future product Health Check?
- Are there any outsourced / subcontracted components related to your product? And how do you assess the security impact of such components?
- Who do I talk to if there is a (security) problem with your product?
- If the operating system is patched or upgraded, will the application continue to work and how will security be affected?
- Is your organisation certified to ISO/IEC 27001 (the certifiable standard in the ISO 27000 family), and does the scope of the certificate cover the service you are offering us?