Security: The Scary Part of Cloud Computing

5 Sep 2011 5:14 PM

Comments 7

On August 29, 2011 some of us from TechSoup attended NTEN's Nonprofit Cloud Computing Summit in San Francisco. It was a one-day in-person free workshop, thanks to funding from Google Foundation, and attracted an impressive array of smart and informed nonprofit technologists. The event was a chance for me to become further informed on the scary part of cloud computing: security.

The cloud security technical session presenter was Donny Shimamoto, who is the founder and managing director of IntrapriseTechKnowlogies in Hawaii. IntrapriseTechKnowlogies specializes in nonprofit IT and financial consulting. Donny is a certified public accountant (CPA) and a certified information technology professional (CITP). NTEN chose him to present on cloud security and financing because he has a unique blend of accounting expertise, technology know-how, and nonprofit industry understanding. Most importantly, he is able to help communicate some very complex accounting and technology concepts in terms that nonprofit leaders can understand.

Recent Cloud Computing Security Breaches

The scary part of cloud security is mainly the succession of hacks and security breaches that the largest and most sophisticated cloud providers have endured this year. The biggest such incident was Sony's PlayStation Network outage that started April 20 and which lasted nearly one month. This outage compromised sensitive data for Sony's 77 million customers.

The list of 2011 cloud failures in is impressive. In February, Google had a 30-hour outage that destroyed 40,000 Gmail accounts. In April, Amazon had an eight hour outage that affected their Elastic Compute Cloud (EC2) service that in turn took down multiple cloud websites including Engine Yard, Foursquare, HootSuite, Heroku, Quora, and Reddit. In June, Dropbox came under criticism when all Dropbox accounts could be accessed without passwords for some hours. More recently Microsoft had an outage in its CRM Online and Office 365 services. The Washington Post also got hacked in August, exposing 1.2 million user IDs.

Despite all this, the industry standard for cloud software as a service providers is to guarantee 99.9% availability. The big cloud providers like the ones listed above have excellent physical security in their data centers (multiple locked doors, security cameras, and so on). They also have strong "logical" security in which they have sophisticated data encryption, software and hardware firewalls, and constant monitoring.

Cloud security really protects three basic things:

Service outages in which users can't get to web-based services.
Confidentiality, in which you define and have assurances about who can see information about yourself.
Privacy, in which your sensitive data (user IDs, credit card or financial information, social security numbers, and so on) is protected from hackers or other unauthorized access.

To tell you the truth, I'm still not that clear on the difference between confidentiality and privacy, nor the difference between ethics and morals, but perhaps in time...

The Greatest Security Risk to Nonprofits

One thing that Donny was clear on was that the greatest security risks for nonprofits are actually internal security sloppiness like people leaving their passwords in easy to find places or even giving them to others. Hackers often get their first entry in to an office by getting employees to give them usernames and passwords.

Here are some additional revelations from the presentation:

There are no national or international cloud security standards or best practices yet.
There is something called the Generally Accepted Privacy Principles that is being promulgated by the American Institute of CPAs.
If there is a security breach by one of your cloud vendors, primary liability for sensitive data rests with your organization - not the cloud vendor.
There is no simple way to assess how secure cloud providers actually are. Their back-end systems are not visible to end-users.
The way to judge a cloud vendor's strength is to read their service level agreement, privacy policy, audit reports, and standard contract. That's a lot of technical reading.
Some cloud vendors also supply things called Service Organizational Control reports, which are third party audits of the cloud providers' security performance.

Donny Shimamoto's presentation gave me a better understanding of why the field of cloud security is so scary.

Additional TechSoup Resources

Endpoint-Level Security at Your Library or Nonprofit - Thursday, September 8, at 11:00 a.m. Pacific time.
TechSoup's Security Corner
Security in the Cloud
Can Cloud Computing Change Organizational Boundaries?
Clearing Up the Cloud at NTEN's Nonprofit Cloud Computing Summit

Comments

donnyitk

6 Sep 2011 10:46 PM

Thanks Jim for a great summary of my presentation. I hate to always be the one to scare everyone away from cloud computing because it does pose some great opportunities--especially for smaller organizations. The main thing is that organizations understand the risks and take the appropriate steps to mitigate the risks--which sometimes is just a matter of educating their staff what they should and shouldn't so with cloud services.
jasontlantz

28 Sep 2011 11:53 AM

While I think the article provides a good rundown of potential issues with cloud solutions, I feel like these conversations are often one sided. The question of cloud security can't be evaluated in a vacuum. Instead, it must be compared to the alternative of internally hosting, securing, and supporting similar solutions.

I've yet to encounter a non-profit with the security staff and focus that most cloud providers have. Thus, from a systems security perspective, I'd put money that there are far more security vulnerabilities already in place at most nonprofits than at any respectable cloud service. This is especially more so when you consider that many of the in house hosted services are available through the internet (i.e. Exchange webmail).

Regarding the potential for a breach of confidential data, I would personally rather be in the position of defending the security practices of a cloud provider meeting numerous annual security audits than have a microscope turned on the internal IT security practices of most non-profits.

The only security question that makes sense to me when evaluating cloud security in comparison to in house security is the possibility of a vulnerability at the infrastructure level of a cloud service. For example, a vulnerability on your website due to not patching your CMS could happen the same on a cloud server or your own server. I'd be interested to hear instances of a cloud infrastructure hack granting access to multiple client systems, but thus far I haven't seen any.

The real question I see in regards to cloud security centers around reliability (SLAs, disaster recovery, bankruptcy, etc). While Google's downtime or Amazon's EC2 downtime may speak to the issue of reliability, they don't really say anything about "cloud security" and thus seem a non-sequitur to this discussion. Also, the discussion of cloud outages shouldn't take place in a vacuum. I'd be interested in seeing a list of all services at non-profits who internally host systems as a comparison on reliability.

At my last job, I saw a major non-profit afraid to move to cloud solutions because of "cloud security" FUD and an IT department well versed in the old way of doing things. It's hard to teach an IT person new tricks, but I strongly believe the cloud is too compelling for non-profits to not start seriously evaluating their options.

As Donny said in his comment, none of this means you shouldn't use the cloud. It just means, as with everything else in IT, you should do your research and plan appropriately.
skylance

26 Oct 2011 10:21 AM

Great discussion. Donnie did good summarizing the risks. The cloud can make good business sense, but sadly, FUD is ultimately where the story stops for some folks because of the misconceptions re: cloud security. "Is cloud computing more secure? Less secure? 100% secure?" I mean, they're legitimate concerns, but without context, questions like these can't be answered upfront with "yes" or "no." By context I mean: what data are we migrating to the cloud? Where is it being stored and how? What equipment are they running on? What's the value of the data and the risks if it got into the wrong hands? Who exactly is handling the organization's data on the other side? Not all cloud vendors handle their security similarly, and not all cloud vendor offerings are made equal. As illustrated by The Register article, even some SaaS services can offset parts of THEIR infrastructure stack to other cloud vendors, so this further throws in more complexity to the "security" issue.

Good points Jason on in-house security. SaaS vendors will have better resources to harden the security re: data and services provided. And of course, a nonprofit's security policy should also be strong, or at least taken seriously. If a nonprofit's in-house network security ranks poor, applications haven't been patched in ages, the staff has shady computing habits, or password policies are just "whatever,"... Well, data can still be vulnerable via these other trajectories. A nonprofit's faith invested in a cloud vendor must also be matched by the faith invested in the security policies within their own perimeters.
jimlynch

27 Oct 2011 9:34 AM

Gosh, I just have to say how informed and interesting the comments are on this by Donny, Jason, and Skylance. it really is an interesting discussion developing here.
tclaremont

6 Sep 2012 9:45 AM

One of the things stopping many non-profits from making progress in the cloud is a pesky little thing called HIPAA (if your NPO is subject to such things). Within the HIPAA privacy rules is a statement that summarilly states that you need a business agreement with the entities that store your data, ensuring its utmost confidentiality. Of course, finding a mainstream cloud provider that will sign such a liability agreement is not an easy task. And with the high profile breeches that have occurred, many organizations feel that the best approach is to keep their data entirely within their own four walls.

All of this is not meant to say that I disagree with the cloud approach. And I most certainly acknowlege the fact that security within a typical organization is rarely going to rival that of a well-run cloud. What we are up against is perception much more so than reality. When public perception of cloud security evolves, so too shall adoption.
jimlynch

6 Sep 2012 10:23 AM

Tim,

Good point. I just wanted to clarify for folks that HIPAA is the Health Insurance Portability and Accountability Act and it applies to any US entity that handles medical records. Nonprofits that need to store medical records regardless of whether they're onsite or in the cloud need to assure that medical data is HIPAA compliant - which is considerably more complex than garden variety data storage.

The clearest thing I've found so far on what HIPAA compliance means is at:

enterprisefeatures.com/.../how-cloud-computing-affects-hipaa-compliance

-jim
tclaremont

7 Sep 2012 6:11 AM

Great link, Jim. It is one of the more easilly digested summaries I have come across. By the way, I intentionally left out the defininition of HIPAA since if you are not aware at this point it very likely does not apply to you!

This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.

Join TechSoup

Security: The Scary Part of Cloud Computing

Security: The Scary Part of Cloud Computing

New here?