May 19 2010
I just got back from a lunch put on by Integralis featuring a presentation by Dr. James Ransome, the Chief Security Officer and Senior Director of the Cisco Collaborative Software Group. It was a very good lunch at La Mar and also a very good presentation by Dr. Ransome, but the majority of his presentation can be summed up in one sentence: If you’re looking to put your company in the Cloud, seek the advice of an expert. The permutations of what make up ‘The Cloud’ are so varied and complex that you’re either going to have to dedicate resources (which are probably already stretched thin) to understanding the Cloud or you’re going to have to hire an expert to help you navigate the maze of issues and how they affect your situation. Of course, if you’ve been reading much of what Chris Hoff has written the last couple of years, you probably already know that ‘The Cloud’ is an incredibly complex set of technologies that are all lumped under one name by marketing in the hopes you won’t dig deeper and try to understand it in the first place.
I’m not going to try to explain all the complexities that make up the cloud; Hoff makes a living making presentations on it, as does Dr. Ransome. But I do want to point out some of the issues about the cloud that I hadn’t thought about before that came up today. I look at the cloud through a rather narrow lens: “How does it affect merchants and PCI?” Since that’s where I make my living, I hope it’s understandable. I’m generally only concerned about storing credit card numbers in the cloud and why merchants shouldn’t be doing so, and what the Cloud Audit group is doing to make it so that maybe someday merchants will be able to store their payment information in the cloud. But that’s a ways off and my influence on it has been minimal.
I’d say the areas that Dr. Ransome covered that I’d given the least thought to were, first, the legal aspects of the cloud, second, the incident response and, finally, the electronic discovery concerns. Since I rarely deal with legal contracts and SLAs, I make assumptions about what will be covered, who’s going to be legally responsible for what and how all of this is going to be enforced. But this is probably one of the most important aspects of moving your corporation to a cloud environment, since every other aspect of your experience in the cloud is going to be driven by the contracts you’ve signed with your cloud provider. There’s no difference between the cloud and any other form of service you are provided by another company, but it’s likely to be much more complex due to the fact that so much of what makes up the cloud is still being determined. I don’t know if there are any lawyers out there yet specializing in ‘cloud’ contracts, but I’m sure it won’t be too long before someone catches up to the bandwagon.
The idea of secondary uses of data caught me a bit by surprise. It’s not just the data you’re storing in the cloud that’s important; it’s the data about your traffic patterns, about how much you’re storing and how you’re storing it that become important. Metadata about your company’s use of the cloud can sometimes be every bit as important as the actual data you’ve stored. If you don’t have strong provisions in your contract to make certain that the metadata is yours and can’t be used by your provider, you could find that your cloud provider has found a way to make money off of the secondary data you’ve generated and disclosed more than you’d hoped.
Incident response is another aspect of the cloud that I’ve always taken for granted. In hindsight, I shouldn’t have, since even most non-virtualized hosting providers don’t necessarily include a form of incident response by default; it’s something that’s got to be in the contract. And something you’re probably paying a few pennies for, even if the price is buried within the overall cost of the hosting. And unlike the usual rackspace environment, a lot of people probably don’t think of building a virtual IDS within their virtual server environment.
Electronic discovery, as a separate responsibility, is the final issue that had never occurred to me; I’d given plenty of thought to it in the form of log management, but the legal requirements for discovery had never really crossed my mind. From a compliance perspective, there’s the requirement to have logs and be able to use them for forensics, but from a legal standpoint, how much trouble is your company going to be in if there’s an incident and you have to tell the judge that you can’t produce the evidence because it was all virtualized? If you’re a merchant and we’re talking about credit card records, there may not be much impact. But if you’re a major government contractor who lost important files, the situation may be a little hairier than you’d like to consider.
I don’t claim to be an expert in cloud security. I’m interested in it and I’ve explored my little corner of the cloud, but there’s a whole lot more of it to be explored before moving major portions of any business to the cloud. The nitty-gritty, nuts-and-bolts technical details are vitally important, but part of what today’s presentation made me realize is that the high-level architectural implications, processes and human capital requirements are probably even more important than the particulars of your underlying infrastructure, which in a lot of ways applies to security in general.