The origins of cloud computing go back more than 20 years, with the first reference appearing in a 1996 internal Compaq document (Antonio Regalado, “Who Coined ‘Cloud Computing?’,” MIT Technology Review, Oct. 31, 2011). As the cloud has begun to mature, a plethora of service models has emerged, including Infrastructure as a Service (IaaS) and Software as a Service (SaaS). Each shares common features:
- Rapid real-time provisioning of virtual machines to respond to demand
- Lower cost entry points for storage and processing power than the traditional model
- The ability to grow or shrink one’s cloud footprint without the cost of decommissioning hardware and software
- Embedded redundancy, such as backup, disaster recovery (DR), and business continuity planning (BCP).
Cloud offerings come in several “flavors”:
- Public Cloud—the computing service resides on an open network available to anyone. This includes Amazon Web Services (AWS), Oracle, Microsoft, Google, Apple, IBM.
- Hybrid Cloud—a mix of two or more cloud services. This can include public, community, and private cloud services from multiple service providers. Parts of a hybrid cloud solution may be restricted, while other parts may be generally accessible.
- Private Cloud—a computing environment operated only for one organization, hosted either on the organization’s premises or off-premises and operated by the organization and a third party. Private cloud is often viewed as an adjunct to an organization’s existing data center environment.
A Growing Trend
Why is the cloud so popular? The simple answer is money. Data centers are capitally intensive environments. Aside from the realestate concerns, there is the ongoing cost of maintenance for the hardware and the software, the HVAC plant, and the networking infrastructure. If assets are underused, then the unit cost of processing resources goes up dramatically. If the data center runs out of room, electricity, or cooling, then the remediation costs become significant. And as the hardware and software age, refreshing the infrastructure results in significant capital outlays.
Doing all of the above in a cloud environment becomes a much easier, less expensive, and less time-consuming activity. But there is a downside. In using a cloud service, one gives up a critical feature: control. There is an adage in the computing industry: “The most privileged user is the user with access to the front panel of the computer.” While computers no longer have front panels, the fact remains that anyone with physical access to a computer is, by definition, the most privileged user.
In using a cloud service, the organization that buys the cloud offering surrenders physical control of the computing resource to someone who does not work for the organization. The following are some of the risks:
- Someone not vetted by the organization gets full and complete access to all of the data, usernames, and passwords.
- Data such as PII (Personally Identifiable Information), PHI (Protected Health Information) and PCI (Payment Card Industry) are all available to the third-party cloud provider.
- Critical data can be breached without the company being engaged.
- Critical data can be destroyed without the company choosing to do so.
- Regulatory issues exist without the company doing anything to create risk. These include CCPA, GDPR, HIPAA, PCI, 23 NYCRR 500 violations, as well as GLBA and Dodd-Frank risks.
Managing the Risks
Consider the real-world example of VFEMail. VFEMail was started in 2001 and is 100% cloud based. On February 11, 2019, VFEMail experienced a catastrophic cyberattack and all (100%) of its U.S.-based data was lost. Every storage device on every server was wiped clean. Every client lost every email and all the data associated with it; even the backups were totally lost. The only reason this attack succeeded was that the attackers gained access to the physical infrastructure. VFEMail staff could not stop the attack, as they lacked physical access.
As this article goes to press, Capital One announced a massive data breach (https://on.wsj.com/2M0y939). Reporting indicates that the perpetrator of the breach was an ex-employee of AWS (Amazon Web Services) who leveraged her access to Capital One’s systems run by AWS to steal approximately 106 million credit card customers’ and applicants’ information. Estimates indicate this will cost Capital One $100 to $150 million.
How should an organization manage risk effectively in a cloud environment? The following are some basic best practices:
- Only put noncritical data onto the cloud.
- If one opts to put PCI, PII, or PHI data onto the cloud, ensure that the cloud provider is fully indemnifying the company for all costs, including regulatory fines in the event of a data breach due to nonfeasance or malfeasance by the cloud provider. (GDPR fines can go up to 4% of worldwide revenue or €20 million.)
- Create an offline backup of all cloud-based data, refresh it multiple times per year, and keep that backup on the company’s premises.
- Never put critical IP or a strategic plan onto the cloud.
- Restrict password, PIN, and security access information to only mandatory elements.
The cloud is a wonderful utility that makes everyone’s job easier. It is an inexpensive alternative to the traditional data center model. But it is also a doorway into a great deal of cost and pain, as the cloud takes away a company’s ability to control access to its most important asset—its data.