Trust in cloud service providers no different than for other outsourced IT

As the private sector embraces outsourced IT services and the federal government apparently eager to follow suit, it should come as no surprise that both proponents and skeptics of IT service outsourcing (now under the new and more exciting moniker of “cloud computing” instead of the more pedestrian “software as a service” or “application service provider”) are highlighting positive and negatives examples of the potential for this business model. Security remains a top consideration, particularly when discussing public cloud computing providers, but some of the security incidents brought to light recently actually do more to emphasize the similarity between cloud computing requirements and those associated with conventional IT outsourcing. For any organization to move applications or services or infrastructure out of its own environment and direct control and give that responsibility to some other entity, the organization and the service provider have to establish a sufficient level of trust, which itself encompasses many factors falling under security and privacy. The basis of that trust will vary for different organizations seeking outsourcing services, but the key for service providers will be to ensure that once that level of trust is agreed upon, the provider can deliver on its promises.

To illustrate this simple concept, consider the case last month when T-Mobile users were notified by Microsoft that the Danger data storage service that provided data storage and backup to T-Mobile Sidekick users had failed, with all data lost without hope of recovery. Despite that dire message initially communicated by Microsoft to users, it turned out that the data was recoverable after all, but the incident itself suggests a breakdown in internal data backup procedures — just the sort of thing that would be addressed in the service level agreements negotiated between outsourcing customers and cloud computing providers. While any such SLA would likely have financial or other penalties should the provider fail to deliver the contracted level of service, without confidence that providers can actually do what they say they will, even companies whose customers who are compensated for their losses are unlikely to stick with the providers over time. There was actually some debate as to whether this specific incident was really a failure of cloud computing or not, but the semantic distinction is not important. Organizations considering outsourcing their applications and services need to assess the likelihood that the outsourced service provider can implement and execute on the processes and functions on which the applications depend, at least as reliably as the organizations themselves could if they kept operations in-house.

Even where the risks in question are more specific to the cloud model (such as the cross-over platform attacks to which logically separate or virtual applications may be vulnerable), the key issues are the same as those seen in more conventional environments. The risks of application co-location when there is insufficient exists just as surely in internally managed IT environments as it does in the cloud. A fairly well-publicized example occurred several years ago in the U.S. Senate, when Democratic party-specific documents stored on servers that were supposed to be tightly access controlled instead were available to GOP staffers, the problem was traced to poor configuration on servers used by the Senate Judiciary Committee that were shared by members of both parties. The Senate has since implemented physical separation of computing resources in addition to logical access controls based on committee membership and party affiliation.

These examples highlight the importance of maintaining focus on fundamental security considerations — like server and application configuration, access controls, and administrative services like patching and backup — whether you’re running your own applications on your own infrastructure or relying on the cloud or any other outsourcing model.