The enemy within
- The Times, October 2010
With its emphasis on information-sharing, cloud computing demands that businesses take a fresh look at the risks to data security posed by trusted insiders, as Rob Buckley explains
A survey by IDC last year showed that over the previous 12 months, organisations experienced an average of 14.4 incidents of unintentional data loss through employee negligence. While about half of the organisations surveyed thought the losses were accidental, 20% thought they were deliberate. Cloud computing has the potential to increase these risks since organisations are no longer fully in control of their own security, with even Google having to fire site reliability engineer David Barksdale this year for allegedly accessing the personal data of its cloud computing customers. So what can be done to reduce the risks posed by cloud computing insiders?
Richard Messik, author of “Cloud Computing – Buzz Word or Byword?”, argues that in most cases, “cloud computing security is going to be as good as if not better than internal security”. Security standards, such as ISO27002 and SAS70 Type 2, that all potential cloud computing customers should look for in their providers demonstrate better security than many organisations could ever afford themselves. For example, Patrick Nash, chief executive of Connect Assist, says that before his organisation adopted cloud computing five years ago, its internally managed security suffered a number of breaches. But since moving to the RightNow CX platform, there have been no breaches.
However, some cloud providers have relatively immature security models that make security more about trust than proper process. Kenny Holden, head of IT of Applied Language Solutions, says that he trusts Google to have good security because of its size, media profile and security white papers. But he says that while he “would like to be able to drill into logs for more information about where someone’s logged in from, what time they logged in from, whether they were accessing from Eastern Europe with a US account and so on”, he can only download some of the logs – and hopes that if he emailed technical support, Google would give him the information he needs.
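The kind of review Holden describes, run over an exported login log, as an added example that is not part of the article or of any provider's tooling. The log format, the accounts and the home-country map are constructed for the example; a real provider's export would need its own parser.

```python
from datetime import datetime, timedelta

# Constructed sample export of cloud login events (not a real provider format).
# Fields: ISO timestamp, account, source country, result.
SAMPLE_LOG = """\
2010-10-04T08:02:11Z alice@example.com US success
2010-10-04T08:40:55Z alice@example.com US success
2010-10-04T09:15:03Z bob@example.com GB success
2010-10-04T09:16:40Z alice@example.com RO success
2010-10-04T11:02:09Z carol@example.com US failure
2010-10-04T11:02:30Z carol@example.com US failure
2010-10-04T11:03:01Z carol@example.com RO success
"""

# Hypothetical home country per account, as an internal directory would hold it.
HOME_COUNTRY = {"alice@example.com": "US", "bob@example.com": "GB",
                "carol@example.com": "US"}


def parse_log(text):
    """Turn the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "country": country, "result": result})
    return events


def find_anomalies(events, home, travel_window=timedelta(hours=2)):
    """Return (account, timestamp, reason) for successful logins that are either
    from a country other than the account's home, or from a different country
    than the account's previous success within travel_window."""
    findings = []
    last_success = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "success":
            continue
        acct = e["account"]
        if e["country"] != home.get(acct):
            findings.append((acct, e["ts"],
                             f"login from {e['country']}, home is {home.get(acct)}"))
        prev = last_success.get(acct)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
            findings.append((acct, e["ts"],
                             f"country changed {prev['country']}->{e['country']} "
                             f"within {e['ts'] - prev['ts']}"))
        last_success[acct] = e
    return findings
```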
Nevertheless, perfect security is impossible and what’s written in a standards audit isn’t necessarily going to be true a few months later. Deloitte’s internal head of security, Avtar Sehmbi, has investigated various cloud providers for use by the company. He says that a site visit can often give you a much better idea of what a cloud provider is like – and whether its employees present a risk. One provider seemed secure on paper, he says, and the servers were in a secure bunker with three metres of steel around it. But when he visited the site, there were “10 people looking at 20 screens and they were very unhappy.” He discovered there was a high staff attrition rate and low morale. “Disgruntled employees are a big risk.”
Processes should therefore be in place at the provider to prevent anyone but a select few from accessing the organisation’s data. Peter Linas, MD of cloud provider Bullhorn, says, “We have our own internal procedures and policies to ring fence data. I can’t get into client data. Only those with key training – real trusted souls with appropriate levels of vetting – are allowed.”
But in the event there is a breach, ensuring data is encrypted, not just in the cloud but in transit, should make the data unreadable and so unusable. If possible, the encryption keys – or access to those keys – should only be held by a trusted employee in your own organisation, although if the cloud provider needs to process the data as well, this might prove impossible.
There should also be auditing and logging tools to demonstrate the cause of the breach. There are products available for cloud providers to monitor their staff and the security of the data and physical access to servers. Overtis offers VigilancePro, which enables providers to monitor user access and activity on their servers and workstations. Included in its functions is the ability to link with biometrics, RFID and other physical security measures to provide an audit trail. “You can link the physical access with a swipe card at the door to a particular admin, include the CCTV image of him in front of rack and you’ll have an irrefutable evidence trail if anything happens,” says CTO Richard Walters.
By contrast, the techniques for reducing the risks presented by your own employees on your own systems are relatively well known, and include encryption, auditing, access control, identity management, account management and layered security that grows stronger the further outside the firewall the user is. However, once systems are in the cloud, reducing this risk becomes far harder, particularly with regard to access control, says Forrester Research analyst Chenxi Wang. “It’s a difficult thing to achieve the same kind of granularity in the cloud as in an organisation. Most times, there’s only authentication, with only primitive access control through business groups.” Ensuring that the cloud provider has sufficiently granular access capabilities will ensure that no one has greater rights than they should have – and therefore access to data they shouldn’t have.
If possible, you should try to ensure that as many of your own security best practices are exported to the cloud provider as possible, potentially by integrating systems. “An organisation may have spent years developing processes. With the cloud, there is expectation you should have the same architecture, integrated into the existing architecture,” says EMC/RSA’s senior product director for security Eric Baize.
Getting a provider to integrate their access directories with your own will not only reduce the workload of administrators and reduce the chances of making mistakes – such as deleting the internal account of a recently fired employee but forgetting to delete their cloud account – but also ensure the same levels of security are maintained inside and outside the organisation. Only certain cloud providers currently allow that degree of integration, but the technology is becoming more common. This month, Novell is releasing Novell Identity Manager 4.0, which enables internal security properties to be propagated into the cloud. “As soon as you expose data to the cloud, the problem you have is applying policy to that infrastructure. ID Manager 4 allows you to push security information out to the cloud using STML,” says Mark Oldroyd, senior technology specialist in identity and security at Novell.
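Where directory integration is not available, the mistake the paragraph describes can still be caught by reconciling the two account lists. This is an added example, not code from the article or from any vendor named in it; the directory contents and the group-to-role policy are constructed for the example and would come from your own directory export and cloud account list in practice.

```python
# Constructed sample data (not any real directory or provider export).
INTERNAL_DIRECTORY = {
    "alice": {"status": "active", "groups": {"sales"}},
    "bob": {"status": "disabled", "groups": {"finance"}},  # left; internal account disabled
    "carol": {"status": "active", "groups": {"it"}},
    "erin": {"status": "active", "groups": {"sales"}},
}
CLOUD_ACCOUNTS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},    # never deprovisioned in the cloud
    "dave": {"role": "admin"},  # no internal counterpart at all
    "carol": {"role": "admin"},
    "erin": {"role": "admin"},  # cloud role exceeds what the internal group entitles
}
# Hypothetical policy: the highest cloud role each internal group entitles.
ROLE_FOR_GROUP = {"it": "admin", "sales": "user", "finance": "user"}


def reconcile(internal, cloud, policy):
    """Compare cloud accounts against the internal directory and report
    accounts that should not exist, should be disabled, or hold too much."""
    findings = {"orphaned": [], "disabled_but_present": [], "over_privileged": []}
    for name, acct in cloud.items():
        entry = internal.get(name)
        if entry is None:
            findings["orphaned"].append(name)
            continue
        if entry["status"] != "active":
            findings["disabled_but_present"].append(name)
            continue
        allowed = {policy.get(group, "user") for group in entry["groups"]}
        if acct["role"] == "admin" and "admin" not in allowed:
            findings["over_privileged"].append(name)
    return findings


def accounts_to_action(findings):
    """Flat list of cloud accounts an administrator should review, sorted."""
    return sorted(set(sum(findings.values(), [])))
```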