
Cloud Computing Won’t Fix Your Security Problems

Recently, I was talking to a system administrator who said “We’re moving to the cloud. They’ll be responsible for security.”

I was a bit startled to hear this. Not because of the first sentence; because of the second.

There are lots of valid business reasons to move your computing operations to a Cloud Service Provider. And I’m not one who believes cloud computing is inherently riskier than on-premises computing. Neither do I believe that cloud computing is inherently more secure than on-premises computing.

Moving your computing operations to the cloud does not eliminate your security responsibilities; it changes them.

The simple truth is that if your organization isn’t doing a good job of managing security today, moving to the cloud won’t fix those problems.  On the flip side, if your organization is doing a good job of managing security, it will be easier for your organization to maintain your current security posture after moving to the cloud.

When you move to the cloud, one of the biggest changes you’ll face is policy enforcement.

With on-premises computing, you both define and enforce appropriate and acceptable behaviors (i.e., policies) for your employees with respect to how they handle your data.

When you move to the cloud, you are no longer directly involved in the enforcement of your policies for the employees of your Cloud Service Provider (CSP).  But guess what? You’re still legally responsible for how CSP employees handle your data.  For example, if you’re covered by HIPAA regulations, you need to keep track of both the CSP employees that can access Personal Healthcare Information (PHI) as well as your own direct and contract employees.

So how do you carry out these responsibilities when you can’t directly enforce your policies?

The contract with the CSP is the primary tool.  The contract needs to specify the policies you expect your CSP — and its employees — to follow and enforce. This needs to be spelled out up front before the contract is signed.

Just as important, CSP contracts need to define how and when you will measure the CSP’s compliance with your policies (trust, but verify) and the penalties for non-compliance.  Of course, this is more difficult if your cloud deployment includes multiple service providers.  You may want to consider a Cloud Services Broker (CSB) who can provide a single point of accountability.  This ends up being as much a legal exercise as it is technical.

By definition, cloud computing is done over the internet. This means you now have to understand the architecture of your CSP’s network as well as your own. What perimeter defenses do they employ? How do they configure the connection between their Virtual Machines (VMs) and partitions and their own networks? How do they segment their networks? Do they employ Intrusion Detection/Prevention devices for each segment, or only at the ingress/egress points to the internet? How do they monitor their networks? Are you able to monitor the parts of their network in which your computing instances are located?

You need to ensure that your principal network engineers get engaged early enough in the process — before any contracts are signed — to define your requirements and measure how potential CSPs stack up against them.

For those with application and system security responsibilities, the best place to start is with the applications you intend to move to the cloud.  For each application, make a checklist of the organizational and regulatory requirements for the application and the data.  Then start working with your attorneys, helping them understand the technical requirements and how to translate those into effective legalese.

The Bottom Line

Moving to the cloud doesn’t mean you can let the CSP handle security and your worries are over. It only changes the ways in which you carry out your responsibilities.

Your CSP contract must spell out what you expect your CSP to do, how and when you will measure your CSP’s compliance with those expectations, and how you will deal with non-compliance.

Cloud computing may require fewer highly technical security skills of its customers, but it presents a bigger challenge for security management and governance.

If you need help with cloud security, give me a call.

