Written by CloudTalent – published 24 October 2013
After reading an article this week headlined ‘Complex IT infrastructure biggest factor in increasing fraud exposure’, Mark Steel, CloudTalent CTO, shares his thoughts on what cloud computing means for companies’ security.
According to risk management service provider Kroll, which commissioned the research, 81% of the executives believe that their business is more exposed to fraud than it was a year ago.
Fraud is made easier by complexity, lack of diligence and disgruntled employees. ‘Cloud’ drives all three.
Look up at the sky, and what do you see? Not a single white fluffy cloud but lots of clouds, swirling and buffeting into each other, many looking stormy.
This is the reality of ‘cloud’. It’s not in a steady state – it’s a competitive marketplace where players are struggling to differentiate, which drives aggressive rates of change to remain competitive. As in all marketplaces there are successes and failures, so at any given point in time there will be migrations and transitions between service providers with the ebbs and flows of the market-driven tide.
The challenge of the integrator, or an end-user, is to link these cloud services together to deliver cohesive platforms to run businesses on. There are two levels of complexity – 1) what goes on within any given cloud service with the false illusion of ‘what I don’t know about, I don’t need to worry about’ and 2) the integration points between cloud services and any on-premise systems.
Information creation and requests can originate from any part of the ecosystem and may be serviced from any part. Cloud traversal requires chains of trust as the requests and information are passed between services to satisfy a user’s request. Each one of these handoffs needs careful consideration and control, and hampered by a lack of maturity and standards in the marketplace, it requires highly experienced IT professionals to manage it. Handoffs are susceptible to compromise through spoofing, identity theft and denial of service, each one of which could be catastrophic to your business. Even a minor misconfiguration or software bug can open the door.
Ensuring that the integration points of identity, data management, APIs, backup & recovery etc. are robust, secure & serviceable, and the dependencies between services sufficiently transparent, is critical to effective service management and governance. This was often difficult for many organisations to solve within an on-premises bounded enterprise, but ‘cloud’ now requires a significant uplift in what is required to maintain and secure a business’s information systems.
Lack of Diligence
Buying Cloud Services requires even more diligence compared to traditional on-premise solutions. Procurement, IT and Legal have to consider more than price and service at point of acquisition – they also need to probe how the service will evolve over time, what the choices are if the service degrades, how to repatriate data, business logic and operational knowledge, whether the service can be run in escrow, and which legal jurisdictions the service is provided from, as in a cloud these can change at the push of a button.
With on-premise services the failure of a service provider might leave you in the undesirable place of having to self-support systems without maintenance contracts, or be unable to enhance or change systems – but the systems themselves still exist and are humming away inside your datacentre. In the case of Cloud, the service can disappear in an instant, and in the Cloud, no one can hear your screams.
Most mature users of Cloud Services will have a number of key providers. Each one of these might have a critical dependency on the others and on the functioning of the business as a whole. How is this exponential risk managed and assessed? Or will it be categorised in the future as an ‘Act of God’, as it is so far removed from the control of the individual as to be impossible to influence?
Long-standing support staff of on-premises systems are often discarded as part of the transition to cloud. Whilst there is the threat of employees that are scared or angry about the loss of or change to their jobs taking liberties with your systems, these employees not only understand the technology that used to run your business, but also the business and the processes it follows. This will rarely be true of a cloud service provider, which bypasses the TUPE transfer obligation of employees and where the goal is to automate and disintegrate the knowledge out of the system in a race to the bottom for the cost and skills of staff required to maintain the service.
The value of the data being hosted will far exceed any remuneration expectations of those tasked to maintain it. The temptation to leverage customer data for personal advantage is always there, and is normally mitigated by company culture and employee motivation to drive loyalty, screening and ultimately employment law. How do you know if your service providers are willing to invest in their staff in the way you used to? How do you manage or measure this ever-present risk to your business?
The landscape is changing, and governance and risk management are struggling to understand and keep up. Cloud services offer wonderful opportunities to reduce cost and increase agility, but don’t forget to plan for the downsides as well – help your business to avoid becoming a contributor to the rising statistics.