Cloud Computing, AKA SaaS

Synopsis:

The effective weak link of cloud computing: An oversight by a single vendor creates a single point of failure that can have devastating effects on an untold number of its customers.

Commentary:

Cloud computing is the Internet-based development and use of computer technology. It is a style of computing in which dynamically scalable and frequently virtualized computing resources are provided as a service over the Internet. End users need not have knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them. The concept incorporates Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), along with several other technology trends such as Web 2.0, all of which share the common theme of reliance on the Internet to satisfy the computing needs of users. The vendor provides common business applications or company-specific applications online, accessed from a web browser, while the software and application data are stored on the vendor’s servers.

There are strong inherent risks when you rely on a single provider. It’s not that cloud computing is automatically a bad idea, since outages and security flaws happen in-house or with ASP relationships too. Should the vendor have just a single vulnerability in any Internet-facing application it hosts, perhaps a web application flaw such as a simple and very common cross-site scripting error, a lapse in network security, or a physical security indiscretion, its clients and their customers all share the same risk. The enterprise is only as strong as its weakest link, and if someone else is managing that link for you, you have some questions to ask before conjoining your business to theirs.

Application vulnerabilities are the single most prevalent threat to information assets today. Attackers who are motivated by financial gain are finding ways to exploit vulnerabilities in legitimate Internet business applications, as well as consumer applications. Cloud computing cannot be viewed as a panacea, and due care must be taken to assess a provider’s safety and security. Vendors should be held to higher standards than traditional product providers.

Physical separation is vital to protecting information assets. By eliminating fundamental threats introduced by virtualized infrastructure, shared environments, or other virtualized environments such as cloud computing, you exponentially decrease risk. The simple approach to infrastructure reduces complex points of failure.

Conclusion:

The following practices will go a long way toward eliminating many threats introduced by emerging virtualized or shared technologies.

A stronger demand for regular local environmental assessments of service providers to assure that security and safety measures meet or exceed our expectations. I would strongly recommend we do not rely heavily on third-party assessments such as SAS70 given the level of security expertise the common auditor possesses.

Physical separation is vital to protecting information assets. Eliminating the fundamental threats introduced by shared environments and virtualized infrastructure restores the protection that simple segregation has always provided.

A more vigilant vulnerability and penetration assessment schedule, performed on a near-perpetual basis, to assure that our applications are secure. It will most certainly be impossible to perform these tests on the other companies being hosted by the SaaS vendor. This poses the biggest threat to our environment, hands down.

Data encryption must be mandatory to help protect our company information assets and sensitive customer data in the event that a breach occurs. That breach may come through another customer’s web application, but we might become the collateral damage.

An increased need for disaster recovery, should the SaaS vendor experience a compromise of our services or those of any other customer.