James Blake

The work by the Cloud Security Alliance and Cloud Audit is making good progress in delivering a set of recommended controls specific to the cloud, along with a mechanism for third-party evaluation of conformance, but in the meantime customers just have to exercise caveat emptor on a case-by-case basis.

Jay Heiser of Gartner makes some interesting points in his recent blog post, especially regarding the suitability of existing security standards and certifications to evaluate vendors utilising what is a fairly new and evolving delivery model.

Customer due diligence is the key in choosing a Cloud provider, but this due diligence has to take into account what you actually do on-premise as a baseline and not have some utopian expectation.

As Mimecast’s CSO I can't tell you the number of 300-400 question RFPs we receive from customers who've searched for them on the Internet.  On closer inspection of the customer's current solution you find PST files scattered across their network, unencrypted archive databases, countless email and archive administrators, single points of failure and fragmented, inconsistent administration across the multiple platforms that form their email infrastructure.

In these instances moving to the cloud is going to instantly deliver improvements over their existing security, but still these customers hold irrational fears because they are nervous about moving their data from a data centre where they can touch and feel the hardware to a service that abstracts it all away.  They deliberately build a level of expectation that far exceeds their current level of security as a mechanism to justify not moving to the cloud.

Security breaches are bad for cloud service providers: they elongate the sales cycle, increasing the cost-to-sell; they impact renewal revenue, which is the means of survival for most cloud vendors; and breaches play into the hands of on-premise vendors using FUD to put customers off considering the cloud. Cloud vendors cannot get away with throwing a bunch of hardware and software into a customer data centre and disappearing for three years until the next upgrade is due.

Cloud vendors are judged day-in day-out by the performance and the security of their services.  Due to this, most cloud providers take considerable effort to ensure their environments, platforms and services are secure.

Not all cloud vendors are created equal, and in fact many aren't true cloud services.  They are the latest incarnation of what were application service provider or management service provider platforms, re-purposing on-premise appliances or software by just creating a web front-end to these products which are often ill-suited to run in multi-tenant environments.  Customer due diligence must identify these kinds of 'cloud' offerings and the risks that are inherent to these environments (for instance client separation; end-to-end encryption; chains-of-custody of data that may need to be used as evidence at a later date).

Email is a critical business tool, but also a commodity, which makes it a prime candidate for outsourcing to a cloud provider.  Cloud providers will often deliver immediate benefits in security, but potential customers must exercise the appropriate due diligence and weigh the results against their current environments as a baseline.  Many customers will find themselves pleasantly surprised by decreased cost, increased functionality and increased security.


The Telecommunications Regulatory Authority (TRA), the body responsible for the management of telecommunications and information technology industries within the United Arab Emirates, is threatening to block critical functionality of Research In Motion's popular BlackBerry messaging devices.

BlackBerries encrypt data between the handset and servers in the infrastructure, making it impossible for eavesdropping government agencies to easily intercept any emails, Instant Messages or other Internet traffic.

The TRA is asking RIM to provide access by October 11 2010, on request, to information on specific users' activity, and if RIM refuses to comply, the TRA will limit the functionality of the BlackBerry devices to voice and SMS messaging (which they can intercept through the carrier networks).  This action would risk nearly a million BlackBerry subscribers in the UAE territory - not to mention visitors from overseas.

Some of the Emirates have already taken unilateral action.  Etisalat, an Abu Dhabi-based mobile carrier part owned by Dubai government, shipped a 'service enhancement' patch to 145,000 BlackBerry subscribers in Dubai around this time last year that turned out to contain spyware.

Update: Saudi Arabia is also banning BlackBerries on the grounds of national security, according to the WSJ.


Mimecast is preparing to go through our ISO 27001 certification at the moment and it struck me quite how different it is to certify as a cloud service vendor rather than as a traditional company.

Excuse my oversimplification of the ISO 27001 process for those not involved in it, but effectively there are four stages:

1.      Define the organization’s acceptable risk

2.      Work out what risk the organization is exposed to

3.      Apply controls to reduce the residual risk to a level at or below the acceptable risk

4.      Rinse, repeat

A common method is to conduct a risk assessment, perhaps using the methodology covered in ISO 27001’s sister publication ISO 27005, and then apply controls to manage the identified risks from another sister publication, ISO 27002.

Now an organization is normally free to choose whatever acceptable level of risk they feel the organization is able to bear.  Often a higher level of acceptable risk is what gives an organization a competitive advantage, allowing them to be nimble enough to take advantages that other, more risk-averse, organizations cannot.

In a traditional vendor this level of higher risk acceptance won’t normally impact on the customer – short of a leak of customer information, a continuity incident affecting the ability to support customers or too many incidents driving the company out of business.

In a cloud vendor this is very different – the vendor’s security is your security.  Rather than using the vendor’s equipment within your own environment, your data is used within the vendor’s environment and vendor’s equipment.  The vendor’s approach to security needs to reflect the sensitivity of the data the cloud vendor is processing or storing on your behalf.

The good news is that we are seeing a definite acknowledgement of this in the market.  When we receive RFI/RFPs from prospective customers they’ve often had the foresight to ask questions about which specific controls have been implemented rather than just asking a boilerplate question around whether we possess ISO 27001 certification.

Organizations such as the Cloud Security Alliance are promoting best practice within the industry, but one of the tenets I repeat again-and-again for those moving to the cloud is caveat emptor (“buyer beware”).  Make sure that your due diligence includes questions about the areas of risk you’ve identified within your own business – look for alignment of controls whether you're processing and storing on-premise, or outsourcing to a cloud services company.