
Look hard at the risks involved before leaping into the cloud

“Cloud computing” has been an information technology darling since it became increasingly widespread over the past decade. Offering more flexible, accessible and less-expensive resources, cloud computing is an attractive alternative to traditional computing environments. But it has its costs, including increased security risks and web-based threats, particularly as it is accessed through mobile devices. Edgar Germer of OneBeacon Technology Insurance discusses the risks of operating in the cloud and measures companies should take to assess the risks they face when they make the move.

The National Institute of Standards and Technology defines cloud computing as convenient, on-demand network access to shared configurable computing resources. Think of cloud computing as a utility like a gas or phone company. An organization buys computing and storage space and services and pays at the end of the month. Data exists on the provider's remote servers (“the cloud”) and is accessed over the internet.

Five characteristics typically differentiate cloud services from conventional computing:

• On-demand self-service — Users directly buy computing services with minimal interaction with the provider.

• Broad network access — Services are available over the internet and accessed through “thin” (smartphone or tablet) or “thick” (laptop or desktop computer) platforms.

• Resource pooling — Storage, processing, memory, bandwidth and hardware are shared with other users.

• Rapid elasticity — Services can be rapidly purchased in any quantity at any time and discontinued with equal ease.

• Measured service — Usage is monitored, controlled and optimized.

Four primary cloud-service models are used — private, public, community and hybrid — with offerings ranging from single occupancy configurations (private) to shared services available to multiple clients.

The client's degree of control over the computing environment depends on the type of cloud used, ranging from almost no control in public clouds to full control in private clouds.

Just as different deployment models affect an organization's scope and control over the cloud, so, too, does the provider's service model. Three common ones are:

• Software-as-a-service — Providers host software while subscribers connect and use it, eliminating the need for software downloads. Examples include Twitter, Facebook, Yahoo, Gmail and Salesforce.

• Platform-as-a-service — This offers software developers tools to create applications. Examples include Microsoft Windows Azure and Google App Engine.

• Infrastructure-as-a-service — This provides servers, software, data center space or network equipment resources as a metered, outsourced service. Examples include Amazon Elastic Compute Cloud and Rackspace.

Cloud computing becomes even more attractive on mobile devices because it provides on-demand access, computing, networking and storage capabilities without the software memory drain.

Authentication

Accessing applications over the internet is easy, but security risks can be high. Authentication verifies that the user is who he says he is. To increase assurance, authentication should be combined with encryption and secure data transmission protocols. Various authentication mechanisms have been proposed to secure data access suitable for mobile environments. Examples include login IDs, passwords, personal identification numbers and multifactor authentication. Applying identity management and other security measures, including malicious code detection, through the cloud is more convenient and reduces consumption of limited processing capability on mobile devices.

Winning the battle

No network can be 100% secured. Therefore, an organization should:

• Define objectives — Prioritize objectives and set realistic risk tolerances to allocate resources to critical areas.

• Implement a security plan — Understand the threat landscape, such as hacking, cyber attacks, media and social scams, and protect the organization using policy and technology (end-point security, firewalls, antimalware and antivirus software).

• Prepare an attack response — Respond quickly to a breach to mitigate damage.

• Establish a security awareness culture — Employees should work together to safeguard enterprise data; it takes only one mistake to infect a network.

Organizations planning to take advantage of the low costs and high accessibility of a mobile cloud computing platform should follow federal National Institute of Standards and Technology recommendations:

• Carefully plan the security and privacy aspects of cloud computing before adopting it.

• Understand the environment offered by the cloud provider and ensure that it satisfies organizational security and privacy requirements.

• Ensure that the client-side environment meets organizational security and privacy requirements for cloud computing.

• Maintain accountability over the privacy and security of data and applications in cloud computing environments.

In other words, perform a risk assessment, understand the exposures and proactively reduce risks to an organizationally acceptable level, while understanding that the organization is ultimately responsible for safeguarding its data and the data of others under its care, custody and control.

Edgar Germer is a risk control specialist at OneBeacon Technology Insurance. Contact him at 610-213-0671 or egermer@onebeacontech.com.