Proactive IT Security
 

Pros and cons of using "the cloud" as a partner

2009-02-20 [Privacy issues, Trends & predictions]

Introduction

"The cloud" is one of the new magic words used to describe new and fancy technology. Briefly the idea is that resources outside the organization's (or person's) own premises are used for computing. The Internet is usually where these resources are accessed and resides.

The use of resources outside the organization itself has some obvious advantages. However, it also has disadvantages - some of which are less obvious. Both will be discussed in this week's security information article.

A definition and some examples

Once again we choose Wikipedia as the resource for finding a definition of "the cloud" and "cloud computing", and will use this:

Cloud computing is Internet (cloud) based development and use of computer technology (computing), whereby dynamically scalable and often virtualised resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.

One may view remote storage over the Internet as a special case of computing in the cloud, as it uses remote resources, and the end user often does not know were these reside. Remote storage of e.g. pictures is probably one of the oldest ways to "interact with the cloud" in the context discussed here.

Another example of cloud computing that has been available for some time, is web-based email systems. Among the more popular ones are Gmail from Google and Hotmail from Microsoft.

Lately more and more office applications have also been available as "in the cloud" systems. From a browser one can use word processing and database systems that are located somewhere on the Internet to perform daily tasks from anywhere. For years it has been possible to store e.g. personal photos on systems set up particularly for this purpose. General back-up and synchronizing systems are also available as popular alternatives using "in the cloud" principles.

Security software is also entering into this field. See e.g. the CloudAv project, which incorporates several third-party antivirus engines in its solution. McAfee's Artemis technology, and our own Norman Online Protection antivirus system for emails, may also be viewed in this context.

Advantages

There are several advantages with the cloud computing concept - both for the end users and, not least, for the application developers. To mention some:

  • The software vendors reduce enormously the increasingly cumbersome (and expensive) task of updating the software on the end-users' computers. Software updates can be done on "the cloud systems" only.

    This is a major advantage as the software vendors only have to update the applications on systems where they have full control and knowledge.

    The cost of distributing software updates to millions of end users' computers is significant for application vendors. Imagine e.g. the antivirus industry that updates its malware signature files increasingly frequent - several times each day is not unusual.
     
  • End users do not have to worry about installation and updating the application that resides in the cloud. They can rely on the application vendor to keep the system up-to-date (and secure).
     
  • End users can usually reduce the cost of purchasing end user software. The cloud alternatives are often more inexpensive, at seen in the short view.
     
  • End users can rely on the application vendor (or system supplier) to keep the systems secure. It seems fair to assume that in average the developers (or suppliers) are more competent to secure the application than the average end user.

    "Systems" in this context may refer to applications as well as data storage.

Disadvantages

Of course cloud computing is not only hunky-dory. The major general disadvantage is that one transfers control of the application and data/information to a third party. This has several potential implications, some of which are not even possible to really know in full when one decides to use a system that resides  in the cloud.

Consider e.g. the following:

  • If you decide to use a cloud-based  word processing or other office system - can you be absolutely certain that
    • the text that is written is seen by the writer only; technically it is not a problem to store each and every key stroke and mouse movement in an additional "secret place",
    • the system you use cannot access other data on your internal system - information that you had no intention whatsoever of putting into the cloud.
       
  • If you decide to use a cloud-based storage system for your data - can you be absolutely certain that
    • your data is secure and not seen by a third-party or someone employed in "the cloud's organization" that is not supposed to see your confidential data,
    • your data is not changed by someone, with potential disastrous effect as you no longer can trust your own information,
    • your data is not sold to someone (a competitor?) who gave an offer which an employee in the organization could not refuse.
       
  • If you decide to use a cloud-based system, do you know with absolute certainty what will happen if
    • your supplier goes bankrupt,
    • your supplier is bought by another entity (which may even be one of your competitors),
    • your supplier is investigated by a governmental agency, which accesses the supplier's data systems.
       
  • If you decide to use a cloud-based system, do you know what security mechanisms the supplier have in place to mitigate the risks from the abovementioned - or do you trust the supplier fully to take care of your interests?
    Remember that your interests may not fully comply with the supplier's, as your security needs may require expensive systems to be set up on the supplier's side.

Evaluate the pros and cons and make a decision

As we have seen above there are substantial advantages involved in using the cloud computing technologies. Presumably personal users and small businesses and other smaller organizations have a greater advantage in using this technology, than larger organizations.

On the other hand, there are some risks involved. Some of these may be reduced on your side by setting up appropriate systems (e.g. encrypting your data before allowing it to enter the cloud) and secure agreements between you and the supplier.

The conclusion is that if/when you are in the process of evaluating using in the cloud technologies for your need, you should as always:

  • evaluate the gain (economical and other)
  • evaluate the risks involved (economical and other).

Make the optimal choice for your needs based on acceptable risk versus advantages.