On August 29, 2011
some of us from TechSoup attended NTEN's
Nonprofit Cloud Computing Summit in San Francisco. It was a one-day
in-person free workshop, thanks to funding from Google
Foundation, and attracted an impressive array of smart and informed
nonprofit technologists. The event was a chance for me to become further
informed on the scary part of cloud computing: security.
The cloud security
technical session presenter was Donny Shimamoto, who is the founder and
managing director of IntrapriseTechKnowlogies
in Hawaii. IntrapriseTechKnowlogies specializes in nonprofit IT and financial consulting.
Donny is a certified public accountant (CPA) and a certified information
technology professional (CITP). NTEN chose him to present on cloud security and
financing because he has a unique blend of accounting expertise, technology
know-how, and nonprofit industry understanding. Most importantly, he is able to
help communicate some very complex accounting and technology concepts in terms
that nonprofit leaders can understand.
The scary part of cloud security is mainly the
succession of hacks and security breaches that the largest and most
sophisticated cloud providers have endured this year. The biggest such incident
was Sony's PlayStation Network outage
that started April 20 and which lasted nearly one month. This outage
compromised sensitive data for Sony's 77 million customers.
list of 2011 cloud failures in is impressive. In February, Google had a 30-hour
outage that destroyed 40,000 Gmail accounts. In April, Amazon had an eight hour outage
that affected their Elastic Compute Cloud (EC2) service that in turn took down
multiple cloud websites including Engine
Yard, Foursquare, HootSuite, Heroku,
Quora, and Reddit.
In June, Dropbox came under criticism when all
Dropbox accounts could be accessed without passwords for some hours.
More recently Microsoft had an outage in its
CRM Online and Office 365 services. The Washington Post also got hacked in
August, exposing 1.2 million user IDs.
Despite all this, the industry standard for cloud
software as a service providers is to guarantee 99.9% availability. The big
cloud providers like the ones listed above have excellent physical security in
their data centers (multiple locked doors, security cameras, and so on). They also
have strong "logical" security in which they have sophisticated data
encryption, software and hardware firewalls, and constant monitoring.
really protects three basic things:
To tell you the
truth, I'm still not that clear on the difference between confidentiality and
privacy, nor the difference between ethics and morals, but perhaps in time...
One thing that
Donny was clear on was that the greatest security risks for nonprofits
are actually internal security sloppiness like people leaving their passwords in easy to
find places or even giving them to others. Hackers often get their first entry
in to an office by getting employees to give them usernames and passwords.
Here are some additional
revelations from the presentation:
Donny Shimamoto's presentation gave me a better
understanding of why the field of cloud security is so scary.
Thanks Jim for a great summary of my presentation. I hate to always be the one to scare everyone away from cloud computing because it does pose some great opportunities--especially for smaller organizations. The main thing is that organizations understand the risks and take the appropriate steps to mitigate the risks--which sometimes is just a matter of educating their staff what they should and shouldn't so with cloud services.
While I think the article provides a good rundown of potential issues with cloud solutions, I feel like these conversations are often one sided. The question of cloud security can't be evaluated in a vacuum. Instead, it must be compared to the alternative of internally hosting, securing, and supporting similar solutions.
I've yet to encounter a non-profit with the security staff and focus that most cloud providers have. Thus, from a systems security perspective, I'd put money that there are far more security vulnerabilities already in place at most nonprofits than at any respectable cloud service. This is especially more so when you consider that many of the in house hosted services are available through the internet (i.e. Exchange webmail).
Regarding the potential for a breach of confidential data, I would personally rather be in the position of defending the security practices of a cloud provider meeting numerous annual security audits than have a microscope turned on the internal IT security practices of most non-profits.
The only security question that makes sense to me when evaluating cloud security in comparison to in house security is the possibility of a vulnerability at the infrastructure level of a cloud service. For example, a vulnerability on your website due to not patching your CMS could happen the same on a cloud server or your own server. I'd be interested to hear instances of a cloud infrastructure hack granting access to multiple client systems, but thus far I haven't seen any.
The real question I see in regards to cloud security centers around reliability (SLAs, disaster recovery, bankruptcy, etc). While Google's downtime or Amazon's EC2 downtime may speak to the issue of reliability, they don't really say anything about "cloud security" and thus seem a non-sequitur to this discussion. Also, the discussion of cloud outages shouldn't take place in a vacuum. I'd be interested in seeing a list of all services at non-profits who internally host systems as a comparison on reliability.
At my last job, I saw a major non-profit afraid to move to cloud solutions because of "cloud security" FUD and an IT department well versed in the old way of doing things. It's hard to teach an IT person new tricks, but I strongly believe the cloud is too compelling for non-profits to not start seriously evaluating their options.
As Donny said in his comment, none of this means you shouldn't use the cloud. It just means, as with everything else in IT, you should do your research and plan appropriately.
Great discussion. Donnie did good summarizing the risks. The cloud can make good business sense, but sadly, FUD is ultimately where the story stops for some folks because of the misconceptions re: cloud security. "Is cloud computing more secure? Less secure? 100% secure?" I mean, they're legitimate concerns, but without context, questions like these can't be answered upfront with "yes" or "no." By context I mean: what data are we migrating to the cloud? Where is it being stored and how? What equipment are they running on? What's the value of the data and the risks if it got into the wrong hands? Who exactly is handling the organization's data on the other side? Not all cloud vendors handle their security similarly, and not all cloud vendor offerings are made equal. As illustrated by The Register article, even some SaaS services can offset parts of THEIR infrastructure stack to other cloud vendors, so this further throws in more complexity to the "security" issue.
Good points Jason on in-house security. SaaS vendors will have better resources to harden the security re: data and services provided. And of course, a nonprofit's security policy should also be strong, or at least taken seriously. If a nonprofit's in-house network security ranks poor, applications haven't been patched in ages, the staff has shady computing habits, or password policies are just "whatever,"... Well, data can still be vulnerable via these other trajectories. A nonprofit's faith invested in a cloud vendor must also be matched by the faith invested in the security policies within their own perimeters.
Gosh, I just have to say how informed and interesting the comments are on this by Donny, Jason, and Skylance. it really is an interesting discussion developing here.
One of the things stopping many non-profits from making progress in the cloud is a pesky little thing called HIPAA (if your NPO is subject to such things). Within the HIPAA privacy rules is a statement that summarilly states that you need a business agreement with the entities that store your data, ensuring its utmost confidentiality. Of course, finding a mainstream cloud provider that will sign such a liability agreement is not an easy task. And with the high profile breeches that have occurred, many organizations feel that the best approach is to keep their data entirely within their own four walls.
All of this is not meant to say that I disagree with the cloud approach. And I most certainly acknowlege the fact that security within a typical organization is rarely going to rival that of a well-run cloud. What we are up against is perception much more so than reality. When public perception of cloud security evolves, so too shall adoption.
Good point. I just wanted to clarify for folks that HIPAA is the Health Insurance Portability and Accountability Act and it applies to any US entity that handles medical records. Nonprofits that need to store medical records regardless of whether they're onsite or in the cloud need to assure that medical data is HIPAA compliant - which is considerably more complex than garden variety data storage.
The clearest thing I've found so far on what HIPAA compliance means is at:
Great link, Jim. It is one of the more easilly digested summaries I have come across. By the way, I intentionally left out the defininition of HIPAA since if you are not aware at this point it very likely does not apply to you!
This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.
Close this window