In the last Virtualization Security Podcast on 12/16 we had with us James Urquhart, who manages cloud computing infrastructure strategy for the Server Provider Systems Unit of Cisco Systems and is the author of the popular C|NET Network blog, The Wisdom of Clouds. James shared with us some of his wisdom over the hour. The discussion covered what is preventing people from Entry into the Cloud and why private and hybrid clouds are going to stick around for quite a while and are not a passing fad. We answered the question of why people are reluctant to enter the cloud.
The Wisdom of the Clouds with respect to virtualization and cloud security is that this is not an easily solvable security issue, but more a legal issue. For low-risk endeavors, people, companies, and organizations use the cloud all the time. How can I say this? Look at how many people use Google Docs, Google Mail, Dropbox, and other SaaS plays. We do not see high-risk intellectual property or data enter the cloud except in very specific normalized ways: ways used to reduce the impact and remove from the data any identifying marks. Specifically, we know that the payment card industry uses SaaS within the cloud, yet the data sent is lacking personally identifiable information, so its value has been degraded and its risk has been lowered.
Entry into the cloud is basically about risk. How much value is associated with the data you plan on using within the cloud, and how does the risk of losing that data stack up against your organization's appetite for risk? This has been the deciding factor for nearly all computing designs and choices since computers were first used within businesses. The decision has not changed much with the introduction of the cloud. The decision was still there when it was a decision about whether or not to host computers at co-location facilities and managed services locations. The decision was there when companies started to outsource to other countries and locations.
However, with the cloud we add to the mix of legal issues items like jurisdiction. For example, if you have data hosted within one country, how can you be sure that the data in transit is not being routed through a country that has a law that all data, once it enters its borders, whether physical or electronic, loses all foreign copyright and patent protections? Such laws exist, specifically with respect to China. The network being what it is, there is no guarantee of where your network traffic will go once it leaves your facility. So how do you protect yourself from this possibility?
There are two ways. One is to employ encryption, but if you do this, you also need to be concerned about jurisdiction. Some countries have laws against sending anything outside their borders without the ability to decrypt the data, or without your organization being able to decrypt it. The other method is to change the routing protocols to allow selectors based on data requirements. In other words, create a jurisdictional or compliance-based routing protocol that only allows traffic to route to locations that are within compliance and the proper jurisdiction. This, however, would require a multi-level routing fabric spanning the globe.
At the very end we discussed the impact of WikiLeaks on entry into the cloud and decided that, while it brings up interesting legal issues that could prevent cloud service providers from serving your data to others, it does not add much to the already existing issues with the cloud.
Entry into the cloud is gated now by legal concerns, specifically around jurisdiction, and by an organization’s appetite for risk. However, this is no different than when organizations outsourced or used hosting providers. To limit the risk, private clouds and hybrid clouds will continue to be used. Public cloud is being used today for SaaS and for low-risk PaaS projects, but high-risk projects are not yet within the public cloud.
Do your due diligence: determine your risk (and the value of your data), determine your audit requirements, determine the cloud options available that best fit your appetite for risk and your audit requirements, and PLAN your entry into the cloud. Planning is required, but a good plan will limit your overall risk and allow you to maintain auditability even within the cloud.