Some of you asked me to write more about Cloud Computing and issues related to this topic from the security and forensics space.
I would like to share some experiences that I made during the last year mainly from (Public) cloud projects where my team and I discussed security issues with business owners but also with security experts. Sometimes I am really worried about what I see and hear.
The Mystery of Cloud Computing Hardware
I can’t resist to write this paragraph because it was so surprising to me. In one of the project kick offs an experienced penetration tester of major German security firm said:
“Hm – the stuff I saw in the presentation was ordinary IT – I am missing the cloud technology!”
I found this comment a little bit bizarre because it shows that there is not yet a common understanding of what Cloud Computing is.
According to the NIST definition it is not a hardware or software model. It is a service delivery approach for IT services. The conclusion must be: Never expect to see a hardware register or a software register that tells you “This is a Cloud”.
Key criteria to name a service a cloud service are:
- On demand self service
- Broad network access
- Ressource pooling
- Rapid elasticity
- Metered service
Taylormade Public Clouds for each Client – lessons learnt about cloud strategy
Just in case a security advisor tells you:
Let me take a look at the cloud offering of provider XYZ and I’ll tell you what you need to change to be secure.
What is wrong about this statement? From my perspective this approach helps you to leave your path of industrialization and helps you to move back to IT manufacturing. I know that this is sarcastic thinking but the reason why I believe that you are a on a path of industrialization is that you are thinking about a highly automated delivery approach for IT when thinking about Cloud Computing. In case that you will tell your provider
- “Implement this control”
- “Create that report”
- “Change authorizations in this way”
- “Move my data to a single datastore”
- “Do not host any other clients in the same environment you are using for me”
you are loosing the efficiency of a cloud service that is usually designed to run without paying attention to individual needs.
If you want to have your own resources you are stepping back to traditional service delivery concepts which are called “IT Outsourcing”.
Let me clarify my thoughts: It is the right idea to test your suppliers and find out whether they are able to deliver the level of security you need. But it is the wrong idea to start negotiating what they need to change to meet your expectation. The only moment when I feel that this is acceptable is the moment when your requirements would be accepted as general requirements to be implemented for each cloud user.
The consequence of negotiating hardware and software architecture as well as the delivery model and individualizations of a service model would be one of the following or even both in combination:
- Service Quality would remain the same like the contracted while other clients will benefit from continuous improvement processes.
- Cost model for the service will be higher than for the “standard service” due to individualizations.
I think you would not want to experience this.
Just in case that you experience breach of regulations you might want to discuss this with a cloud provider because complying with regulations is mandatory and not optional and is in the interest of the provider.
I want to summarize some basic Do’s and Dont’s when negotiating cloud service contracts:
- Never change the delivery model – Do not try to change the IT architecture
- Always test the service if it meets your requirements
- Check for compliance
- Never change the reporting format
I know that it attracts a huge number of consulting firms that tell you to negotiate changes with cloud providers to meet your expectations. Resist!
If you are talking about your own custom made cloud you can do whatever you want – but not with a public cloud service!