Our most recent post looked at the benefits of cloud computing and some of the factors involved with the decision making process leading up to adoption. For the most part, it looks like it should always be a slam dunk call to go for the cloud, but are there downsides? I’d love to say they do not exist, but they do. But where are the possible “landmines” in adopting a cloud computing model for your enterprise?

The bottom line up front: my research has shown that important and sensitive data should not be stored or processed in a provider’s cloud unless the customer has visibility into the technology and processes used by that provider. The customer must know, with a high degree of certainty, that the provider can assure an appropriate level of data and infrastructure protection. Most organizations do not know what level of security and protection they are getting from their own legacy systems, which makes it nearly impossible to determine if a cloud model will improve or degrade their current security.

Regardless, customers must pressure cloud providers to continually improve security. This can be done as early adopters refine the balance between security and flexibility, between control and transparency. No one should consider using a cloud unless the vendor provides sufficient transparency to make it clear that it can meet the customer’s requirements for privacy, confidentiality, integrity, accountability and availability.

Externally provided services raise security issues. These include privileged user access, segregation between clients, physical security and application vulnerabilities. The many benefits discussed in the earlier posts also open up a host of challenging security issues. Cloud systems provide great economies of scale, and continuity, but they also run the risk of blending data, allowing inadvertent access to other customers’ proprietary information, and the concentration of multiple clients’ “crown jewels” all in one place. This makes for a very lucrative target for cyber criminals and spies. A lack of real transparency about processes, technology and organization, either because the provider does not want to give it or because the customer does not bother to seek it, makes difficult good decisions on how secure a particular cloud may be.

Clearly, you should never use an external service until you have an assurance that the system can properly handle and protect the data you ask them to control. You may be outsourcing the actual security requirements and methods, but you cannot outsource your responsibility and accountability. Ultimately, you are the one responsible to customers, employees, partners and regulators for that information. The recent loss of T-Mobile Sidekick client data is a grave embarrassment for the Microsoft subsidiary that “forgot” to back up their servers, but the customers are looking to T-Mobile for answers. The enterprise that chooses to ride into the cloud must be ready to accept responsibility for problems. Therefore, there are numerous potential issues that must be addressed, and good answers received, before you choose a cloud solution.

Privacy is one of the largest issues. There is a lack of clarity and agreement on how to protect privacy in the cyber realm writ large, and in the cloud, it gets worse. When individual customers and employees’ personal data moves outside your direct control, you as the adopter must ensure that it is properly protected. Laws and regulations vary greatly throughout the world on how private information must be protected. Some countries do not allow personal data to be stored outside their territory. It is nearly impossible for a provider to develop systems that will meet all these jurisdictional requirements. Many providers, however, are now willing to make strong contractual commitments to store data within certain countries. All this must be sorted out before you sign on with a cloud provider.

There are also broader jurisdictional issues, since national and state regulatory implications go well beyond privacy. These include, but are not limited to, defining appropriate practices, breach disclosure, and mandatory support of law enforcement or regulator investigations. Investigations of illegal or inappropriate behavior and electronic discovery are always hard and potentially expensive, regardless of whose infrastructure is used. If you are going to ask a cloud provider to keep business records or any data subject to future investigation (and truly, is there any today that is not?), you cannot assume that every cloud provider is willing or capable of supporting this. This becomes even more complicated when the provider houses data for many customers in one location or spreads your data over many locations. Unless you have proof of an ability to support electronic discovery, you should not assume it.

Government investigations are even more problematic. In the post-9/11 era, various governments’ different authorities and requirements can be quite intrusive. If a government investigation leads them to a cloud provider, and the provider’s hardware is seized pursuant of information included in another customer’s data, will it adversely affect your business? Many businesses have requirements to keep information for specified lengths of time. But does the cloud provider have the robust data retention processes and means to meet these requirements?

It is clear that many questions must be answered before an enterprise adopts a cloud model. It is highly recommended that you never “take their word for it.” This is too important an issue to go that way. If you have top notch folks, you can do your own assessment of the provider’s ability to deal with the above-mentioned issues. The other method is a third party assessment. This will cost more, but it gives you the most protection. Remember, for an assessment to work, regardless of who does it, one must first know how much security, data retention, search capability, etc. you really need. Then they can give you a fair call as to the provider’s ability to meet that need.

So, develop the questions, do you homework, work with well-known and reputable providers, and verify all claims. This is no time to scrimp on your investment. There are numerous challenges that must be understood and the risk associated with each must be assessed. We cannot cover all the potential issues here, but below is a list of questions you should pose to any potential cloud provider:

– What security measures do you provide?
– What kind of downtime can I expect?
– How would you recover from a disaster (man-made or natural)?
– Will I have access to logging and auditing data to evaluate what happened to my data during any downtime?
– Can I choose where my data is stored?
– Can I choose the key for encrypting my data?
– Can I choose the key for protocols handling my data transfers?
– What monitoring tools do you use to manage your data centers?
– What are your processes for hiring privileged administrators, and how do you control their access?

What can we conclude from all this? Is cloud adoption a good idea? Should enterprises go forward or wait? As stated in Part I, the Cloud is here, and it is the wave of the future. Eventually, most enterprises will migrate to some kind of cloud configuration. It is just too efficient and cost effective to avoid. But it must be done responsibly and wisely.

The customers must first evaluate their needs. Then, they must proceed with caution and some degree of skepticism. Use only proven, reputable providers who can answer your hard questions with proof, not only smiles and confident assurances. As the customer, you must remain in control, provide input, force the provider to meet your needs and only accept risk you think is prudent.

This is the way of the future. It is OK to get onboard the cloud train, but make sure you know the engineer, pick your car and control the destination. Using a cloud model does not mean you should lose control. Make the provider work for you, and your gains will far outweigh your risks.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector. Read More