By Louise Chalupiak
If we boil it down, the cloud is really just someone else’s server. But the compelling characteristic is that it is a server or servers we can access via the Internet and which also supplies subscribers with the required computing resources. The cloud is a 21st-century solution to a problem left over from the 20th century when IT resources were scarce and expensive.
As a result, organizations were always at risk of being unable to maintain their on-premises systems. Profit maximizing organizations were quick to respond with several variants offered as a service. The only option is no longer to implement and maintain our own hardware and software solutions. We now have the option of migrating our infrastructure to a cloud platform, as well as working with application-specific service providers for enterprise-wide services such as time-keeping, enterprise resource planning, sales pipeline tracking, financial systems, and human capital requirements.
Ultimately, the goal is to free ourselves from the stress and the risk of maintaining and upgrading our own systems. While this strategy may alleviate some of our concerns, in the world of technology, nothing is risk-free and immune from security problems, and cloud strategies are no exception.
We have neighbors in the cloud
While there are options to subscribe to a private cloud service, most find the cost to be substantially less palatable than the public cloud. And so, we knowingly subscribe to services with whom we share servers with multiple other subscribers. Along with a lower cost, we also enjoy the advantage of knowing that if there is an issue that is impacting our organization, it will also be impacting all of our neighbors with whom we share cloud space. This means added pressure to the service provider to ensure issues are identified and dealt with quickly.
Cloud security: Sometimes things go wrong
While in theory, cloud solutions can help to alleviate our corporate strategic risk, there are still important considerations when you start to go down this path.
When you have neighbors in the cloud, there is always the risk that other subscribers, either accidentally or maliciously, will gain access to your data. As in any system, cloud security is only as good as the architecture dictates. As a subscriber, however, we are not in a position to see the details of the architecture developed by the service provider. By the sheer nature of the description, sitting on a shared server and sharing resources is not as secure as having a physical server on-prem that hosts your corporate applications and data storage. It is also worth noting that the world of cloud computing is rather young, and most software-as-a-service (SaaS) vendors are less mature than they would lead us to believe.
While the original development of the architectural blueprint may have been thorough and secure with massive QA testing, in reality, it is the immaturity of the vendor business and change processes that introduce risk into the equation. The key takeaway to this being that when it comes to cloud service providers, one may want to analyze their level of business maturity. Partnering with a young, entrepreneurial cloud service provider may not be in our best interest. Where shortcuts are taken, security gaps live.
Lack of standards
Closely related to the points above, I would like to introduce standards. Standards are the younger sibling of business maturity. There is a basic rule that we learn early in the world of business process optimization. There needs to be evidence of documentation, evidence of implementation, and evidence that the process is repeatable. If we all write down and follow a different process to complete a business objective, it does not constitute a standard, and it would not pass the business process optimization smell test. Standards, or more likely the lack of them, will become evident early when working with a cloud service provider that has not yet achieved a level of business maturity.
An API, or application programming interface, is a gateway that enables different applications to communicate and access data. They are commonly used to move data from back and forth between a cloud environment and another application. When we move applications to the cloud, there is a high likelihood that we will continue to move data between other, already existing applications that our organization needs to do business with.
The challenge lies in that we are often limited to using APIs developed by the vendor, which also means that we must trust that the proper security is in place. API gateways are a target of hackers as they present a point-of-entry. If the plan is to continue to move data between the cloud service and internal applications, it is worth considering the deployment of API security that is implemented and controlled by your enterprise.
Inability to extract your data
When you subscribe to a cloud service, never lose sight of the fact that the data belongs to your organization. Part of any migration strategy should be how to extract your corporate data if your strategy changes. Ideally, you want to be the one with the control. Whether there are reporting capabilities that allow you to run this information on-demand or if there is a more technical strategy via the use of APIs. Prior to archiving historical applications, ensure that you know how to extract your data and where it will land once extracted. This can become part of the biannual backup and restore testing. We all do that twice a year, right?
Lack of control over who can access your data
This is a tough one. During the configuration and implementation of any cloud migration project, we need to work closely and collaboratively with our cloud service provider. In many cases, this will include the engagement of an implementation partner for more complex implementations. This means knowing that subject matter experts from one or more external organizations may have full access to our data. While strategies can be employed to utilize cleansed or scrambled data, in many cases, such as financial or payroll systems, we ultimately need to use real data for parallel and user acceptance testing.
This is when it becomes of great importance to collaborate with named resources and understand the service provider’s policies around secure landing spots for file transfers. In light of the recent work from home strategies that most of us currently employ, we need assurance that our data is not sitting on the hard drive of someone’s home PC. Understand the standards employed by any cloud service providers you are in negotiation with, and of course, nondisclosure agreements are a necessary administrative tool.
With great power, comes great responsibility
As we gain acceptance and harness the power of the cloud, we need to ensure that we continue to take ownership of the security of our technology. While we can assume certain security expectations from a cloud service provider, the reality is that we will be moving in beside neighbors whom we know nothing about. At best, let’s hope that they will keep a tidy yard. But remember that every city hosts at least a few crack houses.
Louise Chalupiak is a cynical and often irritating project manager currently residing in Calgary, Alberta, Canada who is not personally responsible for anything oil sands-related. She often eats popcorn for dinner and fears that her dog judges her. Special skills include milking a cow as well as the ability to uncork a wine bottle without the use of a corkscrew.