Cloud Computing – Security versus Industrialization

Some of you asked me to write more about Cloud Computing and issues related to this topic from the security and forensics space.

I would like to share some experiences that I made during the last year mainly from (Public) cloud projects where my team and I discussed security issues with business owners but also with security experts. Sometimes I am really worried about what I see and hear.

The Mystery of Cloud Computing Hardware

I can’t resist to write this paragraph because it was so surprising to me. In one of the project kick offs an experienced penetration tester of major German security firm said:

“Hm – the stuff I saw in the presentation was ordinary IT – I am missing the cloud technology!”

I found this comment a little bit bizarre because it shows that there is not yet a common understanding of what Cloud Computing is.

According to the NIST definition it is not a hardware or software model. It is a service delivery approach for IT services. The conclusion must be: Never expect to see a hardware register or a software register that tells you “This is a Cloud”.

Key criteria to name a service a cloud service are:

  • On demand self service
  • Broad network access
  • Ressource pooling
  • Rapid elasticity
  • Metered service

Taylormade Public Clouds for each Client – lessons learnt about cloud strategy

Just in case a security advisor tells you:

Let me take a look at the cloud offering of provider XYZ and I’ll tell you what you need to change to be secure.

What is wrong about this statement? From my perspective this approach helps you to leave your path of industrialization and helps you to move back to IT manufacturing. I know that this is sarcastic thinking but the reason why I believe that you are a on a path of industrialization is that you are thinking about a highly automated delivery approach for IT when thinking about Cloud Computing. In case that you will tell your provider

  • “Implement this control”
  • “Create that report”
  • “Change authorizations in this way”
  • “Move my data to a single datastore”
  • “Do not host any other clients in the same environment you are using for me”

you are loosing the efficiency of a cloud service that is usually designed to run without paying attention to individual needs.

If you want to have your own resources you are stepping back to traditional service delivery concepts which are called “IT Outsourcing”.

Let me clarify my thoughts: It is the right idea to test your suppliers and find out whether they are able to deliver the level of security you need. But it is the wrong idea to start negotiating what they need to change to meet your expectation. The only moment when I feel that this is acceptable is the moment when your requirements would be accepted as general requirements to be implemented for each cloud user.

The consequence of negotiating hardware and software architecture as well as the delivery model and individualizations of a service model would be one of the following or even both in combination:

  1. Service Quality would remain the same like the contracted while other clients will benefit from continuous improvement processes.
  2. Cost model for the service will be higher than for the “standard service” due to individualizations.

I think you would not want to experience this.

Just in case that you experience breach of regulations you might want to discuss this with a cloud provider because complying with regulations is mandatory and not optional and is in the interest of the provider.


I want to summarize some basic Do’s and Dont’s when negotiating cloud service contracts:

  • Never change the delivery model – Do not try to change the IT architecture
  • Always test the service if it meets your requirements
  • Check for compliance
  • Never change the reporting format

I know that it attracts a huge number of consulting firms that tell you to negotiate changes with cloud providers to meet your expectations. Resist!

If you are talking about your own custom made cloud you can do whatever you want – but not with a public cloud service!

Next Generation Security – See how Facebook, Cloud Computing and Tablets change our lives!

The use of IT has gone through radical change in recent years and will see increasingly radical change in the future. More and more enterprises are getting involved in the opportunities and risks of cloud computing in all its different forms. This would therefore be a good place to clarify what other hot topics would be wise to consider in the context of cloud computing and what this will all mean for information security in particular.

For instance, seeing cloud computing in connection with Bring Your Own Device (BYOD) and social networks – two of the latest IT hypes –can be particularly exciting as this raises new information security issues.

The first question is why there has been so much hype around BYOD and how it relates to cloud computing.

Given the demographic shift, the related lack of qualified experts and the resultant general employee situation among today’s enterprises – a veritable job-seeker’s market – it is now more important than ever before for enterprises to take the needs of their employees to heart so as not to lose sight of the target markets. New employees are attracted to enterprises that have their individual, personal needs in mind, while long-time employees expect their employers to offer an evolving personal working environment that keeps pace with the times.

By now, the use of consumer devices has grown to become part and parcel of an attractive working environment. An IDC study from 2010 shows that about 95% of all employees also use consumer devices. So it is only logical for them to want those devices to be more integrated into the business structure. That integration is increasingly made possible by web based services, which are provided as cloud services.

One good example is the provision of storage capacity, which can be accessed through enterprise devices, consumer devices or a range of general device types. Cloud services make it possible to use to these consumer devices all at one and the same work location. This is also evident from the number of cloud users: since the launch of Android-based consumer devices in 2008, public cloud computing services have grown. While this trend might not be directly attributable to the new generation of devices, the statistics show a define connection.

By analysing different studies on cloud computing (e.g. Cloud Monitor 2012 – one can conclude that public and private cloud services, in spite of the difference in popularity between the two cloud types at present, will converge in the future. The hybrid cloud will therefore be the de-facto cloud model of the future.

The proliferation of social networks can be seen as another phenomenon. While we see different social networks, whose business model is based on actual ‘networking’, the ‘main players’ in this industry see the network as a means to an end to generate large numbers of users. These are then marketed (e.g. advertising) as the actual value added. In particular, some networks have specialised in reusing the identities in their database for authentication services. Facebook, Twitter, Google Yahoo and LinkedIn can be cited as the main examples. Who the market leader is depends on the field of use ( Facebook and Twitter almost always range among the top three.

Banks, mobile telephone providers or government agencies would be more likely candidates for B2B authentication systems given the confidentiality issues. And yet, Facebook has grown to become the leading provider of authentication systems (Facebook: 39% market share followed by Google with 19%, source: Gigya, 14 July 2012). In the first year of Facebook Connect alone, Facebook had signed up 80,000 websites and continues to sign up about 100,000 website a year. That social networks have become the dominant public authentication providers is something we simply cannot ignore.

So what do BYOD and social networks mean for cloud computing? Assuming that the proliferation of mobile consumer devices will promote the growth of hybrid clouds, it will likewise be necessary to use authentication providers that support authentication across the widest range of different platforms, both public and private. That is exactly what the social networks are pushing for here.

If we follow this logic, we also see a change in the need for information security.

Neither social networks nor public clouds can be swayed by enterprise security measures. Security in the sense of conventional border defences is only effective to a limited extent. That makes it increasing important to protect enterprise value while being able to react effectively to security incidents in cloud environments once they are detected. In the end, the data – whether stored on mobile consumer devices, social networks or in a cloud – are owned by company management. They remain responsible!

This results in three main aspects, which are dealt with below:

  1. Prevention of security incidents through risk-oriented measures
  2. Detection of security incidents
  3. Effective incident reaction