Cloud computing - computation, software, data access and storage services that don't require end-user knowledge of the physical location and configuration of the system that delivers the services - is appealing to organisations and consumers alike as it offers many benefits over traditional, server or desktop-based computing.
However, with these benefits come corresponding risks which should not be overlooked, particularly around security and privacy. We know that technology is dynamic and complicated, and is an ongoing headache for lawmakers who strive to provide levels of certainty for the majority of us using it. Make no mistake that laws and regulations NEVER catch up with technology, but simply evolve to meet new circumstances. Cloud computing is no different, with lawmakers setting down markers in order to shape the future of this exciting and cutting-edge technology.
This article therefore provides a SWOT (strengths, weaknesses, opportunities and threats) analysis of the technology for organisations looking into cloud investment. It complements my earlier article entitled The Law and Cloud Computing.
The key strengths of cloud computing lie in business continuity, flexibility and agility, and mobility.
- Shared computer resources
Instead of wasting precious and costly computing power, an inherent drawback of the current client server model, cloud computing allows for a more efficient and affordable use of computing resources.
The end user is no longer burdened with the expense of maintaining and updating servers, data centres and software. Instead, the cloud computing provider carries these IT costs, while organisations simply pay a low monthly subscription fee.
The all-in-one package based upon a subscription fee does away with complicated and expensive software licences that need managing and updating regularly.
- Reduced reliance on external consultants
The provider now handles the updates and installation of software patches for dangerous security loopholes. Software incompatibility conflicts are no longer your problem, so there's no need for external IT consultants to troubleshoot your business systems.
Data stored in the cloud can be accessed from virtually anywhere with an internet connection.
Small and medium-sized organisations are more likely to embrace the benefits of the cloud than larger companies which may have complicated legacy systems.
- User attitude and control
Organisations will still need to have "control" over data and information to meet business, legal and regulatory requirements. For many, the idea of giving up control of the hardware that carries business critical data and outsourcing confidential customer data to a third party is an unsettling concept.
All segments of the cloud computing market - Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) - will be influenced by the overall state of the economy and global demand for IT services.
Smaller firms are nimble and thus more easily able to move to the cloud and take advantage of cloud computing's many cost-saving benefits. Cloud services will continue to grow with increasing competition from both established players and new entrants. Some observers estimate that the cloud market will top $270 billion in 2020, with SaaS offering more growth opportunities than any other segment.
- Consolidation in legal and regulatory environment
Many IT professionals will need to re-invent themselves as organisations do away with expensive IT Departments.
European Union (EU) law states that organisations can only transfer data outside the EU if that country's data protection laws are adequate (to European standards). With cloud computing, you don't know where in the world your data is held even though you are still liable for it.
Should a court or tribunal require your organisation to produce data or information (e.g. to defend allegations of breach of contract or for an employment disciplinary), can it retrieve them easily and guarantee that they meet evidential standards?
How secure is your data? What track record does your cloud supplier have in the technology markets? No type of data storage system is risk free and for that reason, absolute security is impossible. Consider the following traditional security risks in the context of cloud computing:
- Physical equipment
- Physical environment
- Physical by-products
- Identity authentication
- Application privileges
- Input validation
- Appropriate behaviour patterns
- Reporting logs
- Permanent network connections
- Intermittent network connections
- Network maintenance
- Remote sensors and control systems
- Back-up procedures
- Human maintenance of security procedures
- Intentional actions threatening security
- Internal policies for software development
- Policies for dealing with external vendors
Questions to ask your cloud services provider
Organisations should consider online security when purchasing software products from vendors. We've suggested some basic questions to ask below, although this is not an exhaustive list. Additional protections can then be built into the supplier contract.
- Which SDL (Secure Development Life-cycle) programme does your development team adhere to?
- What methodologies do you use for security testing your products? (Automated testing, code-review, fuzzing, manual tests etc.)
- How frequently and using which methodology do third parties conduct security assessments on your products?
- What training do your development and testing teams receive specific to application security?
- Do you have a dedicated team to assess and respond to security vulnerabilities reported in your products?
- What is your patch release strategy and what tools do you offer for patch deployment?
- Do you disclose all vulnerabilities that affect your software, and how/when are customers notified?
- How did you Threat-Model the application?
- Do you conduct security testing separately from functional testing?
- What technical guidance do you provide about vulnerabilities, including how they could be exploited, how they are currently being exploited, and how to mitigate vulnerability?
- For applications developed on Microsoft platforms: do you utilise Microsoft's D.R.E.A.D model to assess the security of your software?
- What is a typical vulnerability to patch delivery time frame?
- Would you support a future product Health Check?
- Are there any outsourced / subcontracted components related to your product? And how do you assess the security impact of such components?
- Who do I talk to if there is a (security) problem with your product?
- If the operating system is patched or upgraded, will the application continue to work and how will security be affected?
- Is your organisation ISO 27000 compliant?