CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Transcription

1 CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected to an extensive peer review process involving technical advisers from CPNI, our information exchange groups and wider industry. Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances.

2 Purpose and aim of this document Cloud computing is revolutionising the way companies are implementing their information systems. Cloud computing is a general concept describing abstracted, generally third party managed, IT infrastructure and applications. The cloud promises better IT resource usage, virtually unlimited scalability and greater flexibility, all at a contained cost. As a result, cloud adoption is spreading rapidly and represents a new opportunity that companies should not ignore given its profound impact. However, cloud computing has introduced new security, privacy and trust questions, such as: Is data safety stored and handled by cloud providers? Is data privacy being managed adequately? Are cloud providers adhering to laws, regulations and good management practices? How is business disruption or outage kept to a minimum? Are cloud providers sufficiently protected against cyber-attack and other malicious actions? Nevertheless, the benefits offered by cloud computing are too significant to ignore and therefore rather than discarding cloud computing because of its apparent risks, this paper aims to assist organisations to evaluate how they can overcome these challenges and maximise cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve. This viewpoint document provides an overview of cloud computing, the potential benefits and risks associated with cloud computing, as well as mitigation advice to reduce vulnerability and impact. The viewpoint is aimed particularly at senior management and business leaders from organisations within the National Infrastructure as well as government agencies. 2

3 Our view 2.1 What is cloud computing? The cloud is a descriptive term that encompasses a range of abstracted IT infrastructure and application services that can be deployed in different configurations. It originates from the common usage of a cloud within network diagrams to abstract a complex set of IT services. A cloud implies a service is supplied; of which there is no explicit need to understand the internal workings of that service. This concept can be applied to customers of cloud computing who choose to receive their IT services from third parties, as they deliberately do not wish to have to understand the internal technical workings of such services. The three most widely used types of cloud computing service are: Software as a Service (SaaS) The deployment of software applications on a dedicated infrastructure which can be tailored to customers needs. For example or database services. Platform as a Service (PaaS) A complete development environment for software applications that is accessible on demand. For example Microsoft Azure or Google s application engine. Infrastructure as a Service (IaaS) Leased IT infrastructure and applications that customers can scale up or down depending on their specific needs. For example any hosting company that provides web hosting infrastructure services. Each type of cloud can be deployed in a different model, the most common of these models are: Vendor (external) cloud Services are offered by a third party provider and accessed over the Internet or other private network connection. Private (internal) cloud Services are offered by a customer organisation, and are managed in house to maximise efficiency as in a traditional shared service model. Hybrid cloud Consists of a mix of Vendor and Private cloud architectures. Community cloud A cloud infrastructure that is shared between similar customer organisations with mutual benefits to sharing services, these can be Vendor, Private or Hybrid models. 2.2 Security in the context of cloud computing Despite what cloud providers and vendors promise, cloud computing security should not be taken for granted. Security in the cloud is often intangible and less visible, which inevitably creates anxiety about what data and systems are actually secured and controlled. 3

4 Accordingly, the security challenges related to cloud computing are worthy of attention from a number of different aspects. That is not to say though, that clouds are insecure, but merely that the effort required by customers to ensure that their security requirements are met will be comparatively greater than more mature, standardised computing models and concepts. 2.3 Benefits of cloud computing Customers deploying cloud computing models can scale up or down their IT services (applications, platform or infrastructure) on demand, enabling the delivery of a comparatively more efficient, streamlined IT service than in a traditional outsourcing model. Since cloud services are, in effect, leased, customers do not incur the same level of capital costs for IT resources and equipment as they would in deploying in-house IT models. 2.4 Risks of cloud computing In the current cloud computing landscape, there are a number of security, privacy and trust challenges in adopting a cloud computing model. Many of these challenges will be familiar to organisations with traditional outsourcing arrangements, but are likely to be exacerbated with the adoption of the cloud Lack of standards There is a lack of generally admissible cloud computing standards at an EU or worldwide level which has resulted in uncertainty regarding the security and quality levels to be ensured by cloud providers. Cloud customers do not have all the information available to them regarding the internal architectures of vendor clouds, which may deploy a combination of open and proprietary access protocols and programming interfaces for their cloud services. Therefore standards within cloud models may be harder to establish Confused security and privacy model The cloud computing concept is based on the principle that the complexities and intricacies of IT operations are abstracted within the cloud environment. Cloud providers promise that cloud computing is secure and many security-related functions and products are available in the cloud. However, the idea that risk is outsourced to the provider is wrong and, where customer data is concerned, the accountability for data governance resides firmly with the cloud customer. These issues should be clarified through contracts, policies, service statements or Terms and Conditions of the cloud provider, which will set out security and privacy obligations and define the responsibilities of all parties involved Extended enterprise risk Cloud computing architectures can involve a large number of third parties requiring access to data or computing resources necessitating the adoption of identity and access management measures. When data is entrusted to a third party appropriate precautions must be in place to ensure uninterrupted and full control authority of that data is available to its owner. 4

5 2.4.4 Data Leakage Customer information can be hosted on, or managed by the cloud, some or all of this information may be business sensitive (i.e. bank account records) or legally sensitive (i.e. health records), highly confidential or extremely valuable (e.g. business intellectual property). Entrusting this information to a cloud provider in some cases may increase the risk of accidental data leakage of that information to competitors, who could be sharing the same cloud platform in a multi-tenant environment, or another third party Application and platform security risks In house applications may be deployed to cloud computing environments without adequate guidance on the risks of new platform environment. Migration to cloud computing requires that secure development lifecycle and testing processes for application development within the customer organisation are robust and fully consider the risks of cloud computing such as third party access to customer data, security vulnerabilities and reduced availability Legal disclosure and interception in a foreign territory In cloud computing, there are particular legal and regulatory issues around the rights to data, outsourcing and contracting. In particular, national laws and regulations governing the interception and disclosure of data in jurisdictions in which data is stored, or transmitted across, differ considerably over who has access to that data. In addition, since cloud delivery models introduce more complex supply chains with vendors stationed across the globe, the legal complexity is considerably greater. This is often the case outside of the European Economic Area (EEA) where there has been minimal attempt to harmonise EU laws with non member states. The legal and regulatory constraints over the right to data, however, may be irrelevant if data is being stored in, or transmitted across, a fragile state which cannot uphold or enforce the law. The encryption of data in transit is recommended practice to protect secrecy and confidentiality of data in a hostile environment Discontinuity of service The centralised management and control of some cloud implementations may introduce single points of failure, threatening the availability of data and computing services. A small incident in the cloud provider s infrastructure may have a disproportionately large impact upon its customers. Furthermore, the cloud services market is still maturing and the present circumstances of the global economy may impact cloud providers and vendors, and affect their customers. Adopting customer organisations must be confident that the services outsourced to the cloud provider, including any important assets (personal data, confidential information) will not be disrupted Vendor lock-in Customers outsourcing their IT services to the cloud, or outsourcing their IT services in general, should be concerned about vendor lock-in. This situation is characterised as a dependency on the cloud provider to maintain customers business operations. This is exacerbated by the fact that many cloud providers and vendors have implemented proprietary 5

6 standards which their customers have become reliant upon, and embedded within their own organisations. Customer organisations need a clear exit strategy and should try to avoid proprietary technologies and standards where possible. As cloud computing technologies mature, and cloud standards become more widely recognised, organisations may find this easier to achieve Lack of third party assurance Third party assurance has a critical role to play in the customers risk management approach. By virtue of the cloud s geographic dispersion, third party risk assessments on cloud providers are likely to be more complex, time consuming and costly. Third party risk is a key risk of cloud computing. Customer organisations will require more rigorous third party assurance over the security of their data in the cloud. Where security standards have been defined and mandated by a legal or regulatory authority, such as they are for the processing of personal data, external pressure on customers to perform third party assurance work is also likely to be supported by financial penalties for failure to protect data. 2.5 Risk mitigation Cloud customer organisations should consider a more rigorous approach to third party risk. Risk will become an even more important part of doing business when adopting cloud concepts, as it is harder to measure Contractual agreements Customers should define contractual agreements between different parties involved in the cloud, including (but not limited to): Data location and cross-border data transfers; Quality assurance principles; Continuity assurance and recovery guarantees; and Compensation and service termination clauses Clarification on the security model Customer organisations should agree clear terms and conditions governing the supply of cloud services that set out the obligations, roles and responsibilities of all suppliers involved in the provision of the service (if this is the case), including restrictions to access the data hosted on common platforms Data encryption Data encryption should be considered and used by customers where feasible to ensure that data stored or processed in the cloud is secure, mitigating the risks of data leakage, disclosure or interception. 6

7 2.5.4 Segregation of data Customers should specify demonstrable segregation of their data from other customer s data stored in, or transmitted across, the cloud from their cloud provider Assurance Customers should seek assurances over the quality of service levels, as well as privacy and security requirements. This can be provided in a number of ways: Adherence to generally-accepted standards, with consideration of their scope (e.g. PCI DSS, ISO27001); Conduct of audits, insertion of meaningful clauses on remediation and enforcement in the contract or Terms and Conditions; Set-up of certification and, if necessary, accreditation schemes for cloud computing providers involved in the processing of special data types (sensitive, highly confidential, etc.); Involvement of Trusted Third Parties (TTP) for specific services types of specific data types; and Establishment of co-operative platforms between user communities, regulators and cloud providers to discuss the views and take action on all above points. 7