Catching The Cloud: Managing Risk When Utilizing Cloud Computing
ERICH BUBLITZ
A recent survey by London-based independent research firm Loudhouse found that approximately 51 percent of organizations are now utilizing cloud services as part of their IT infrastructure. There is growing concern, however, that cloud computing poses a security risk, and that risk is being debated throughout the technology community. (Results of the June 2010 Loudhouse survey are available at http://www.mimecast.com/barometerresearch2010.)
WHAT IS IT?
The term “cloud computing” refers to the practice of “outsourcing” a portion of a company’s technology environment to a shared third-party environment. Although the terminology is relatively new, cloud computing is not an entirely new concept. In the past, similar offerings were known as “application service providers.”
Some common examples of cloud computing include Salesforce.com, a company that can fully host its clients’ customer relationship management (CRM) needs, or Google’s Gmail platform for businesses, in which the client’s e-mail environment exists almost entirely within Google’s systems rather than onsite at the business.
UNDERSTANDING THE RISKS
One of the most common questions related to cloud computing is: In what ways does reliance on cloud computing expose a company to additional risk?
The simple answer is that there is no simple answer.
While there are valid concerns, this may not be the appropriate question for many organizations. The issue is a moot point for many companies as the services they can obtain through a cloud environment simply are not obtainable otherwise, as a result of the cost and complexity of replicating those services internally. Indeed, the use of cloud computing has become so pervasive that the Obama administration has launched a Federal Cloud Computing Initiative to identify possible cloud computing applications across the federal government.
That means that most companies need to focus their energy not on debating whether to embrace the cloud model but rather on managing cloud computing appropriately so that the risks are mitigated.
In order to appropriately manage the security risks of cloud computing, an organization must come to the realization that outsourcing functions to a third party is not the same as outsourcing the risk.
Cloud-based services too often are perceived as an opportunity to buy service that doesn’t have to be managed. But this fallacy is the greatest risk to any company that is utilizing services within the cloud. While the data may be residing on another company’s systems, the responsibility for that data has not fully transferred to the cloud service.
If a company that sells widgets online is using a hosting company like Rackspace Hosting to host in the cloud, that fact is likely to be invisible to the customers. They are entrusting, and holding accountable, the widget retailer, not Rackspace.
In March 2009, Google experienced a security flaw with their Google Docs service, an online service that allows creating and saving documents over the web. Documents that were set not to be shared were being shared due to a coding error by Google.
While Google estimates that only .05 percent of documents were affected, the number of documents stored on Google’s service is massive. Though no one is sure of the impact, even one document leaking from this error containing a customer list, Social Security numbers, or other sensitive information could cause the user thousands if not millions of dollars in first- and third-party expenses.Any company that chooses to use cloud computing should treat the cloud provider just as they would any other independent contractor or vendor it hires. This means:
-
Actively managing the provider
-
Reviewing contracts
-
Securing indemnity
-
Understanding the vendor’s security practices
-
Thinking through the insurance implications
SECURITY PRINCIPLES
The first principle to effective cloud security is to remember who has responsibility to the customer. Companies are responsible to their users regardless of whether or not they are utilizing a cloud provider or any other independent contractor. It is their names that will be published, their offices that receive calls from unhappy customers, and their cost (at least initially) to remediate the issue.
All decisions should be made with the thought that they are still responsible even when the data lives in the cloud. It is important to realize that things can go wrong—and in a cloud computing model, when things go wrong they may be outside the user’s immediate control.
The second principle of effective cloud security is to ensure that the legal relationship between company and its cloud provider covers the company for the cloud service’s failure. Companies should ensure that the contract allows them to hold the cloud provider accountable for security failures caused by their errors.
Many contracts with cloud operators have a hold-harmless clause within the contract that favors the cloud operator. This runs counter to what companies should expect, since it places all of the costs on the company, without providing the company the ability to control the circumstances.
If a cloud computing provider insists on such a provision, companies should seriously consider other options.
On the other hand, from the cloud providers’ perspective (and their professional liability underwriters!), they need to obtain as much indemnity as they can, as a single error or omission might affect a large number of customers.
A balancing act must be performed to make sure neither side is taking excessive risk. The fairest result is probably a “cross-indemnification” provision under which each side takes responsibility for losses resulting from its own errors or omissions.
Another key part of the contractual analysis is ensuring that the cloud provider has appropriate errors & omission insurance that will cover the company’s costs if a breach occurs. The coverage amount should be appropriate to not only cover the company’s loss but the cloud provider’s other customers’ losses as well.
As noted above, part of the issue with cloud computing is that a failure of security will likely affect numerous customers simultaneously. Making sure that a provider is responsible for its actions is part of a larger principle of cloud security, namely vendor selection and management.
Organizations must remember that these providers and their employees will have access to data and be responsible for making the data available and secure. It is critical that companies develop an understanding of the cloud providers before they hand this data over to them.
Companies need to know about the cloud provider they are selecting. How long has it been providing cloud-based services?
A company doesn’t want the cloud provider to be learning with its account and its data.
What is its financial situation? A cloud provider that is struggling financially will more likely take shortcuts that put a company’s data at risk than one which has adequate resources.
What vendors does the cloud provider use and how do those vendors affect the company using cloud services? If a cloud provider is relying on a managed security firm, a company should know that and do due diligence on the managed security firm.
Many cloud providers rent space in larger data centers, which is something that can affect the cloud company’s client’s security.
What kinds of audits or assessments has the cloud provider undergone? Companies want to know they not only enact security properly but that they are having that verified with outside parties.
One of the keys to the vendor management principle is continuous monitoring. While it is important to undergo good vendor selection, companies should not forget to reevaluate these concerns on a regular basis. If a cloud vendor’s financial condition deteriorates, a company wants to know. If they fail an audit, that should be known as soon as possible.
Companies should make vendor management of their cloud providers a continuous process with reviews at least annually, but more often if possible.
E&O INSURANCE BASICS
The final principle of good cloud security is to transfer some of the risk a company takes to a third party. Even though companies should be holding cloud computing providers liable for their actions, frequently the liability coverage they provide is not enough to cover all costs associated with the breach.
Moreover, not all security breaches in the cloud are the fault of the cloud provider. Just because data is breached in the cloud does not mean the cloud provider was at fault, or that its insurance will respond.
For example, the use of poor passwords to protect a company’s data is not the fault of the provider nor are actions taken by a company’s rogue employee. In these cases, companies need coverage of their own.
Businesses using cloud models—and their agents—should make sure that their insurance coverage will respond regardless of whether the security breach occurs on their own systems, or “in the cloud.” For example, when evaluating network security and privacy insurance, companies need to secure coverage broad enough to apply to personal data maintained by others on the insured’s behalf.
Appropriate coverage should include notification costs to inform customers of a breach, reputation repair coverage that will provide resources to help with the public relations, credit monitoring costs that will provide end customers with credit monitoring services, and cyber extortion coverage that will pay ransoms if a system is taken over by an extortionist.
If a company applies these principles of good cloud computing security, it will be in a much better position to utilize cloud computing as part of its overall IT infrastructure.
It is very difficult, especially for small and medium-sized business, to operate without cloud services, and so the key is appropriate risk management of those services, not necessarily avoidance. Failure to manage it appropriately will either put a company at more risk than they want or close the door to services that would otherwise improve their technology environment.
Erich Bublitz is the Technology Practice Leader at ThinkRisk Underwriting Agency, a managing general underwriter in Kansas City, MO, specializing in media, technology and network security risks. He may be reached at ebublitz@thinkriskins.com.
Security Principles
Companies that use cloud service providers should:
-
Remember that they are responsible to their customers, not their cloud providers.
-
Ensure that the contract allows them to hold the provider accountable for security failures caused by their errors.
-
Ensure the cloud provider has enough errors & omission insurance to cover company’s costs if a breach occurs, as well as losses of other customers.
-
Know their selected cloud provider, asking questions about how long they’ve offered services, what their financial situation is and what vendors they use.
-
Make vendor management of cloud providers a continuous process.
-
Transfer some risk to a third-party insurer, since the cloud providers liability coverage may be insufficient to cover all costs associated with a breach.
Sept. 1, 2010