Friday, November 20, 2009

Random Walk Down Cloud Street

An interview with a federal government journal:

1) We have heard many definitions of 'cloud computing'. How do you define it?
We are headed towards a pay-per-view model for most (not all) of IT. So with that set-up: Cloud computing is any “IT” service that can be sold pay-as-you-go over the Internet. Ideally a cloud service should be available immediately. Click-to-buy. But also click-to-exit. Minimal hassle or contractual obligations.

Software-As-A-Service accounts for the lion’s share of the market (e-commerce suites, cloud storage and on-demand business software). But that’s only part of the story. The other part is sourcing key aspects of your business processes that span both talent (or labor) and software.

NIST (National Institute of Standards and Technology) has an air-tight definition.

My take on definitions is that it’s OK to bend a definition but not break it. For example: if a cloud provider charges you by the day and bills you by the month, that is OK. It’s still metered – if not by the hour or minute. If the cloud does not switch on the power in a split second – that’s OK if they give you a better service-level agreement.

Note: Cloud Types
  • Not all cloud providers can compete on a low price point. So there will continue to be differentiation on value. In the future you will see software, infrastructure and platform cloud services start to blur.
  • A cloud provider can create sub-divisions where it can dedicate a pool of resources to 1 customer. That structure is in opposition to multi-tenancy, where more than one customer shares the infrastructure or application. The cost to operate such a cloud will be higher. And the more 1-1 relationships there are, the more we are bending the definition of cloud computing.
  • It’s not all vanilla; there will be chocolate chip and mint. Organizations are actively looking at hybrid on-premise/off-premise hosting platforms.

2) Why, in your opinion, is the cloud getting so much attention right now? (It seems that no one was talking about it two years ago. Is this accurate?)
Every industry is rethinking how it gets things done against a backdrop of scarce resources: talent, budgets and energy. The stars happened to align over the last 2 years for cloud computing. And the spotlight and vendor value proposition are squarely on Small/Medium Businesses, and now government agencies and the enterprise.

The appealing value is hard to ignore:

• Operating cost reduction (maintenance/support/upgrades)
• Better utilization of software licenses
• Any savings from replacing infrastructure CAPEX with subscription fee OPEX

Keep in mind that Salesforce.com was founded in 1999. And depending on how far back you go in history, we have been doing some sort of outsourced and time-shared computing for decades, especially in the science community.

3) One of the challenges to cloud computing is security. What are the biggest things CIOs/IT managers should be wary of?
First, cloud computing introduces change. And change is the arch enemy of security. You add a window, you create a new way for someone to get in. So you need to understand all those things that change when moving an application or your data into the cloud. If you get these two questions right, you are on track: 1. can I tell what I own in the cloud, and 2. can I tell when something changes in the cloud?

Second is your trust relationship. If a cloud provider won't let you see behind “their firewall”, or won’t give you an audit of facilities (e.g. how they perform software upgrades, background checks for personnel), then you should look elsewhere. Mischief is inevitable. And you don’t know until you test, and you test because you want to verify, and you verify because you don't trust.

Third, you will have to ask yourself: how am I measured and what am I trying to protect? FISMA (Federal Information Security Management Act) makes it expensive for public cloud providers to meet Certification & Accreditation requirements. Enter the 1-1 cloud scenarios (e.g. the future Google Federal Cloud). Additionally, there are multiple Federal and State level regulatory requirements, including HIPAA, GLBA, SOX, FFIEC, SEC, and PCI. Compliance is not security. You will need to keep your eye on the real issues: cyber threats. Malware that morphs every 35 seconds, bot-nets that phone home and the active underground economy of cyber crime.

4) Another challenge sometimes has to do with a mindset. Some are worried about the cloud because . . . Well . . . It’s a new way of thinking. What do you suggest for CIOs/IT managers who might be timid about the cloud?
When a fixed enterprise mindset and the Internet collide, time and time again the Internet has won. This is no exception. Virtualization and cloud computing are here to stay. So why don’t you try before you buy? Get to know the technology, understand the Return on Investment and what you are giving up. There will be hidden costs. So it’s important to do your due diligence and develop a business case for cloud services.

Wednesday, November 18, 2009

It's not rocket science to pick a cloud provider: Cut to the Chase.

Most of the vocal public cloud providers are "like a 5 year old, they run away" or start to babble when you open up a discussion on risk, compliance and security.

If a cloud provider won't let you model the network or get a full audit of servers (e.g. patching, virtual machine provisioning, console activity), then one should choose another. If an organization can't understand the attack surface of the target operational environment nor identify vulnerabilities, then it will likely be unable to assess and accept the risk to operate (and meet fiduciary obligations).

Each industry will have its own set of impedance factors. The FDA imposes a set of criteria for a validated platform for healthcare/biotech. Federal agencies must deal with FISMA and the guidelines by NIST, which I have experience with. Government agencies start to ask tough questions when a provider builds their own hardware, let alone relying upon foreign-supplied COTS components.

There are cloud providers that are making claims, but security concerns will remain until there is an audit and verification. I would go with cloud providers that have had experience with enterprises and are able to offer managed service components. The solution should be complemented with the right people who can speak to the issues.

A trustworthy cloud provider will be more transparent than not. They have to be willing to speak with you about their controls. In some cases, you need to exclude a provider if they can not provide a fully-managed offering - with physical server separation. In other cases you may need a NOC with staff that have been through background checks. You will then have to assess and select a cloud provider with, say, a separate NOC that is FISMA compliant. Some "cloud" providers are actually able to drop in a separate node for large Financial Services clients. But they still have to think about the economic costs, and it is unlikely to be "click-to-buy-to-provision". There is significant investment in the networking gear, patch panel, service management and capacity allocation where a public resource pool is adequately cut off for private consumption. There would be contractual obligations to reserve and purchase resources, e.g. thousands of virtual / physical servers.

A check-list compliance approach with service providers will be necessary. Accenture has an assessment methodology and Cloud RFI survey that we've used with a number of cloud providers. The results would be verified with a site visit. Is the machine room isolated from other functions? Are there cameras on the perimeter of the building? Do they harden "their" operating system before installing other applications? What is their process for applying patches/updates? Accenture is experienced in coordinating and supporting external security audits and can provide recommendations and guidance for security improvements and corrections.

Best practices carry over with cloud computing, especially with the concentration of high-value assets and the unknown threats of multi-tenancy and virtualization. Everything gets more fractured and the operating picture (your understanding of cyber risks) changes, e.g. email traffic, user logins/behaviour, remote access traffic, building access, time reporting etc. If all types of customers (enterprise, small business and regulated) are using the same ingress and egress interfaces, that may simply be unacceptable to some customers.

It's vital to understand the attack surface of the cloud and use an enterprise risk management framework to select security controls. Are there cloud providers and candidates in Financial Services that make sense in a cloud? It depends on your definition of a cloud and what they are providing. It will depend on what you are willing to give up. This starts with a risk assessment.

Friday, November 13, 2009

Risk Analysis versus Risk Assessment

I would like to distinguish a project impact analysis (PIA) from a risk assessment of the business solution under debate. The former is a business case justification. The latter allows the stakeholders (e.g. CISO, CIO, CEO etc.) to identify potential threats, prioritize those threats into risks and identify the controls that can reduce the risks to acceptable levels.

A due diligence exercise should examine capital outlay, development costs and long-term costs such as continued operations and maintenance. The cloud option (definitions aside) and whether it is a sound business case will be dependent on the cloud provider. Certainly issues such as regulatory compliance, process safety, validated platform can be show-stoppers. However the as-is system and the target cloud provider must be taken into consideration.

In my opinion a risk assessment does not need to be a long, drawn-out process. It can also be completed in a matter of days. It is the only way to provide management with the tools needed to perform their fiduciary responsibility of protecting the assets of the enterprise in a reasonable and prudent manner. For example, multi-tenancy is likely a regulatory concern, and on the surface Amazon Web Services appears to fail this test. Dig a little deeper and it turns out that Amazon Web Services allows a customer to avoid virtual machine co-residency. Now the probability that a “cross-channel attack” will result in data loss is questionable. The purpose of a risk assessment is to quantitatively or qualitatively make that risk decision and approval to operate.

Get to know your network -- where ever it is

Skybox, Redseal and Cauldron are examples of Enterprise Risk Modeling (ERM) vendors. The tools filter noise, prioritize actions and put the attention on relevant exposures. Here is a vulnerability reduction use-case:

Overlay the vulnerability results for a subnet or a set of host machines with a network scan. Then visualize the network topology instead of using VISIO diagrams. It is then easier to zoom in, group zones and classify hot-spots. You can track a SQL Injection vulnerability to inform remediation decisions such as applying a software patch. Cartography of the network is akin to a Google Map. You can spot quick wins such as an expansion of vulnerability scanning coverage. Another type of improvement can be to reduce or avoid false positives. You can look at high vulnerability scores and determine whether they will cascade into a worse problem. Finally, visualization is a powerful way to present and communicate data in a meaningful way to the right audience. A picture speaks a thousand words.

What you can do with these tools depends on what you feed them. You can automate firewall and network access compliance. You can inventory assets. You can grab vulnerability data.
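The overlay idea above, boiled down to code as an added example (this is not code from the post or from any of the vendors named): constructed hosts with their highest scan score, a constructed zone-to-zone firewall policy, and two checks an ERM tool performs, which high-score hosts are actually reachable from the edge, and whether one exposed host would cascade into others. Host names, zones and scores are all made up for illustration.

```python
from collections import deque

# Constructed sample inventory: host -> zone and highest CVSS score from the vuln scan.
HOSTS = {
    "web-01":  {"zone": "dmz",  "cvss": 9.8},   # e.g. the SQL Injection finding
    "web-02":  {"zone": "dmz",  "cvss": 4.3},
    "app-01":  {"zone": "app",  "cvss": 7.5},
    "db-01":   {"zone": "data", "cvss": 8.1},
    "mgmt-01": {"zone": "mgmt", "cvss": 9.0},   # high score, but not reachable from the edge
}

# Constructed firewall policy: (source zone, destination zone) pairs that are permitted.
ALLOWED_FLOWS = {
    ("internet", "dmz"),
    ("dmz", "app"),
    ("app", "data"),
    ("mgmt", "dmz"), ("mgmt", "app"), ("mgmt", "data"),
}

def reachable_zones(start, flows):
    """Zones reachable from `start` by following permitted flows (breadth-first over the policy)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in flows:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def exposed_hotspots(hosts, flows, threshold=7.0, source="internet"):
    """Hosts at or above `threshold` whose zone is reachable from `source`,
    highest score first: the top of the list is the remediation priority.
    A high score in an unreachable zone is noise for this view and is filtered out."""
    zones = reachable_zones(source, flows)
    hits = [(name, h["cvss"], h["zone"]) for name, h in hosts.items()
            if h["cvss"] >= threshold and h["zone"] in zones]
    return sorted(hits, key=lambda t: t[1], reverse=True)

def cascade_from(host, hosts, flows, threshold=7.0):
    """The 'does this score cascade into a worse problem' check: other high-score
    hosts that become reachable if `host` were compromised, i.e. from its zone."""
    zones = reachable_zones(hosts[host]["zone"], flows)
    return sorted(name for name, h in hosts.items()
                  if name != host and h["cvss"] >= threshold and h["zone"] in zones)
```

Feeding it real scan output and firewall rules is the "what you feed it" part; the ranking only means something when both inputs are current.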

Thursday, November 12, 2009

Regulated Industry and Cloud Computing. Just A Note.

I’ve had some experience with regulated industry and cloud computing. It’s important to start by defining the issue. I’ve come across a variety of significant concerns, from contractual arrangements, trans-national transactions, co-location of virtual machines, placement of data and transparency. There will be plenty of government rules and compliance check-lists that are at loggerheads with the inherent set-up of a shared infrastructure or personnel that have not passed a minimum background check.

The prominent cloud providers (e.g. Google, Amazon Web Services) are already making architectural and infrastructure changes. Google has announced its GovCloud SaaS offering with Google hosting that is solely dedicated to US Federal, State and Local Government – bounded within North America. It’s a work in progress.

Federal government agencies are mandated by law (Federal Information Security Management Act) to implement security protection commensurate with risk. The mandate is to develop and maintain minimum controls and to ensure independent testing and evaluation of those controls.

Those public cloud providers (IaaS, PaaS, SaaS) that offer a communal IT model are opening up a new threat profile. More than one organization is hosted on the same physical server, saving data in the same storage device, with co-mingled traffic passing across the same interconnects and network edge. They will make compliance claims and do not supply policy and security documentation. Not all will be hack-proof, and the burden of proof of compliance will fall on the system owner.

It may seem blindingly obvious, but there are certain industry segments that fall into the hard, medium and simple categories for cloud computing. No export control? Easy. Healthcare is medium/hard depending on the application. Legal counsel is a stakeholder and advisor.

The classification and sensitivity of data will dictate the acceptance of risk and the choice of a cloud provider. But if we are talking about PII/PHI and high-impact systems, then certainly government agencies are going the route of a private cloud model. Now there are ways to create a secure virtual environment. The security must encompass the physical machine and the attendants of those machines. Any regulated industry client will (or has) performed their own PII risk assessment (e.g. NIST 800-122). A risk assessment from a regulatory point of view, to inform whether it makes sense to move to the cloud, is also necessary.

If the contract is inflexible and non-negotiable, then one simply has to walk away and look for another cloud provider that is willing to negotiate. And if the cloud provider claims to be more secure than a regular old data-center – then it should be OK for them to prove it to the customer's satisfaction.