Any IT system has the potential to go in the wrong direction, but the new versatility of cloud services will introduce whole new ways to go off the rails. Here are ten for starters.
1. Assumption: the mother of all calamities
Vladimir Jirasek, non-executive director of CSA UK, says that in migrating to and between different SaaS (software as a service) clouds, an awful lot of assumptions are made that aren’t actually true.
“IT managers don’t realise that in IaaS (infrastructure as a service) the responsibility to manage operating systems and applications still rests on their shoulders,” says Jirasek.
So they continue on, oblivious to the fact that no one is taking care of the details. As they say in project management: who’s in charge of the clattering train?
In this case, the cloud provider is really a virtual hardware provider. This will cost you when you finally realise that the bulk of the in-house IT effort responsible for application integration, and possibly for infrastructure management at the operating system layer, is still needed.
The same applies to PaaS (platform as a service) though here the CIO is responsible for application integration only.
2. Shunted into an expensive siding
If you want to change Cloud offerings, that will cost you too. As will a retreat back into an internally managed service or an internal cloud.
“This is especially painful in SaaS where a bespoke application like Salesforce doesn’t give you a standard form of data that can be exported,” says Jirasek.
Migration away from a SaaS application has huge hidden dangers that will hurt many companies, should they ever dare to leave the SaaS provider. The cost, complexity and disruption of migrating from SaaS will lock the company in to one provider.
“Many contracts don’t clarify who owns the data in the cloud and how you can get it back when the contract ends,” says Mike Small, a member of the London Chapter ISACA Security Advisory Group. “This has caught out more than one large organisation.”
Cloud computing was supposed to give companies greater choice. Instead, many are imprisoned in an expensive contract. It is vital that the service contract clarifies ownership of data as well as the terms for the return of that data. It is also important, says Small, to ensure that the data is returned in a form that can be used without extensive processing.
3. When you unwittingly move into a bad cloud neighbourhood
You wouldn’t open up a shop in Hackney in the middle of the riots, because you’d be able to see the risks. The problem with the cloud is you don’t know who your neighbours are, or how they’ll affect you.
What if the police had to seize your equipment as part of a sting against suspected criminals? It happens.
When the FBI raided a data centre in Reston, Virginia, the ramifications were felt by Swiss-based DigitalOne, whose clients included New York publisher Curbed Network, service provider Instapaper and bookmarking site Pinboard.
The FBI was taking part in a co-ordinated operation with the CIA and various Western and Eastern European cybercrime bureaus. That’s a pretty comprehensive sweep and the all-encompassing seizures were bound to affect innocent users of the cloud.
DigitalOne’s chief executive, Sergej Ostroumow, was unhappy that the company’s web servers were seized and that he had to satisfy clients who were hit by up to three days of downtime.
“In the night the FBI took three enclosures with equipment plugged into them,” he told clients, “possibly including your server – we cannot check it. This problem has been caused by the FBI, not us.”
Though it was only interested in one of the company’s clients the FBI took servers used by “tens of clients,” Ostroumow said at the time.
His complaints about the FBI’s ‘unprofessional work’ fell on deaf ears. With the authorities conducting a cyberwar on the likes of Lulz and other hacking organisations, there could be a lot of victims of friendly fire in the cloud, warns Small.
While this example comes from the US, laws in most jurisdictions allow law enforcement agencies to seize equipment and data. Some countries may be an even higher risk – for example where there is a corrupt or autocratic regime that ignores international agreements.
4. When your data is destroyed accidentally by your service provider
These things happen in the cloud. Microsoft reported that its Windows Live service had been experiencing problems dating from 30 December. “We had an issue with Windows Live Hotmail that impacted 17,355 accounts,” it admitted on a Windows team blog.
Customers affected temporarily lost the contents of their mailbox through the course of mailbox load balancing between servers. “We identified the root cause and restored mail to the impacted accounts,” Microsoft reported.
It assured customers that, with the problem solved, it would investigate, as it does with all incidents like this, and take steps to prevent this from happening again.
Not good enough, according to one complainant, who testified to the impact this loss of data had on his business.
“My inbox of over 8000 emails from the start of this address over 10 years ago is still gone. My emails were completely gone from late Oct 10 and prior. I am devastated by this loss, my life, business and tax info was all in this email I accessed daily,” said the user, known only as Westcoastborn, on the WindowsLive site.
“I was given some inadequate responses and then ignored by hotmail support,” he complained. After ten years of doing business in the cloud, he’d lost everything.
5. When the FSA finds out your cloud service is not compliant with FSA regulations
Whatever the regulations your organisation is bound by, a cloud service provider will claim to understand them. For example, personal data must be processed in accordance with the EU personal data protection laws.
If your cloud service provider holds that data somewhere where it is cheaper to do so than in the EU (and how likely is that to happen?), your company won’t have the appropriate processing contracts in place. In the case of data privacy, remember that the buck stops with the data controller (ie the organisation owning the data), not the data processor (ie the cloud provider).
Data privacy is not the only compliance issue and it is vitally important that the regulatory requirements for the cloud service are made clear to the provider and that the provider is legally bound by a contract to provide a service that meets these requirements.
6. When your intellectual property is stolen by a cloud service administrator
Cloud service providers are no different from previous generations of service or product vendors. They can’t afford to re-invent the wheel for every client. Service providers only enjoy the economies of scale if they can find a model that can be mass-produced. Otherwise, their profits will be eaten away by a labour-intensive production process.
So the work you put in to create your cloud administration – effectively your intellectual property – could be used as a model for others. The service provider doesn’t want to re-invent the wheel for each client. It’s far cheaper to get you to do the work or use your installation as a learning experience.
This presents security problems that could cause your company enormous grief later. The cloud infrastructure needs to be maintained. To achieve this there are a number of very powerful admin accounts that can bypass normal security controls, warns ISACA’s Small.
7. Disaster strikes when your data is found on the hard drives sold by the cloud provider
We all know that data deleted from a hard drive is not really destroyed. It is merely rendered inaccessible and the data blocks are marked as available. Even most end users know that, until someone overwrites that data, it can still be found.
Clearly, some cloud providers didn’t know that, or didn’t care to take the steps to shred this data.
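The mechanism described above can be shown in miniature. The following toy block device is an added illustration written for this article, not the researchers’ method or any real filesystem: a delete only drops the directory entry and marks blocks free, a later file reuses only the blocks it needs, and a raw scan of the medium (the way a forensic carver works) still finds whatever was not overwritten. The filenames, the record layout and the regex for account and NHS numbers are all constructed sample values.

```python
"""Toy block device showing why 'deleted' data survives on a hard disk.

Constructed illustration, not a real filesystem: deleting a file only
drops its directory entry and marks its blocks free; the bytes stay on
the medium until something overwrites them, so a raw scan still finds them.
"""
import re

BLOCK_SIZE = 32   # bytes per block (constructed, tiny for readability)
BLOCK_COUNT = 8   # blocks on the toy disk


class ToyDisk:
    """A flat byte array (the 'platter') plus a free-block bitmap and a directory."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.free = [True] * BLOCK_COUNT   # allocation bitmap: True = available
        self.directory = {}                # filename -> list of block numbers

    def _allocate(self, count):
        blocks = [i for i, is_free in enumerate(self.free) if is_free][:count]
        if len(blocks) < count:
            raise OSError("toy disk full")
        for b in blocks:
            self.free[b] = False
        return blocks

    def write(self, name, data):
        """Store data in the lowest free blocks; only the bytes written are touched."""
        blocks = self._allocate(-(-len(data) // BLOCK_SIZE))  # ceiling division
        for k, b in enumerate(blocks):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary unlink: forget the name, mark blocks free, change no data."""
        for b in self.directory.pop(name):
            self.free[b] = True

    def shred(self, name):
        """Overwrite every block of the file before freeing it.
        Zero-fill here; real wiping tools may use random data or several passes."""
        for b in self.directory[name]:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve(disk, pattern=rb"(?:ACCT|NHS):\d+"):
    """Forensic-style scan of the raw medium that ignores the directory entirely."""
    return re.findall(pattern, bytes(disk.raw))


def demo():
    """Walk through delete, partial reuse and shred; return what a carver finds at each stage."""
    # Constructed sample record laid out so each field lands in its own block.
    record = b"ACCT:12345678".ljust(BLOCK_SIZE) + b"NHS:9876543210".ljust(BLOCK_SIZE)
    results = {}

    disk = ToyDisk()
    disk.write("customer.txt", record)
    disk.delete("customer.txt")
    results["after_delete"] = carve(disk)     # both fields still on the platter

    disk.write("notes.txt", b"todo list")     # reuses block 0, clobbers only 9 bytes
    results["after_reuse"] = carve(disk)      # the NHS number survives in block 1

    disk2 = ToyDisk()
    disk2.write("customer.txt", record)
    disk2.shred("customer.txt")
    results["after_shred"] = carve(disk2)     # nothing left to find
    return results


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage:13} -> {found}")
```

Running it prints the carver’s findings after each stage: both fields after an ordinary delete, only the NHS number once a small new file has reused the first block, and nothing after the blocks were overwritten before release. Crypto-shredding (destroying the key that encrypted the disk) achieves the same end without touching every block, which is why encrypting data at rest matters when the hardware is not yours to wipe.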
Researchers from BT and the University of Glamorgan who bought disks from a variety of global sources found all kinds of sensitive information. Bank details and NHS records were found, along with enough information to help shoot down intercontinental missiles.
Of the 300 hard disks they bought randomly, 34 percent still held personal data. The information was enough to expose individuals and firms to fraud and identity theft, says Professor Andrew Blyth, who led the research.
Along with bank account details and medical records, they found data about a proposed $50bn currency exchange through Spain.
Most organisations still have no idea about the potential volume and type of information that is stored on hard disks, says Blyth.
8. When the Cloud is breached and your valuable secrets come tumbling out
In the cloud everyone can see your silver lining. That’s not always the case, but there is evidence to show that your data is easier for criminals to get their hands on.
Hackers can burst through your shop window and loot your database, as long as they can find one of the username and password combinations that are floating about.
The European Union had to suspend registries on its spot carbon-emissions market after permits were stolen. It can’t lift restrictions until members beef up security.
On 19 January this year one Czech trader found his $9 million account had gone. As much as €29 million worth of permits are missing, according to the EC’s accounts. Given that no EC accounts are ever signed off, who knows how big the real fraud could be. Holcim, the Swiss cement maker, lost 1.6 million permits to CO2 thieves.
The EU market was supposed to be the model for a future global carbon programme. It went from being an 80 billion euro market, in 2010, to no market. That’s an 80 billion euro cloudburst, and all because nobody secured the permits. In one of the classic cases of assumption, the EU left this job to the national registries, who in turn assumed it was somebody else’s job.
It could take “a long time, possibly years,” to finally resolve who the rightful owners of any stolen EU allowances are, says Owen Lomas, a London-based consultant at Allen & Overy LLP’s climate change practice.
9. When your cloud service provider’s provider goes bust and lawyers circle the building
The cloud service you buy might be reliant on a cloud service that it buys from some other cloud outfit. Who knows where they get their service from?
When one of them goes bust, your chances of retrieving the situation are slim to none. If more than one goes under – and it’s likely that they’ll tumble like a house of cards – that last slim chance will disappear too.
“It is really important to understand who is involved in providing the service to you and where these organisations are located,” says Mike Small, a member of the London Chapter ISACA Security Advisory Group. This is not just a question of whether the supplier will go bust; it also concerns the compliance issues regarding where data is located as well as the reliability of the service provided to you.
Beware the legal costs involved in trying to unpick the cloud service agreement that one of your subsidiaries signed, says Small.
Most large cloud service providers offer a take it or leave it contract. This usually involves the whole organisation in the deal even though it may have only been signed by one employee.
10. When the cloud service becomes obsolete
Logica’s UK cloud lead, Stephen Simpson, says clients can end up buying a vendor’s re-branded proprietary solution and associated services that the vendor does not evolve in step with the market.
“Cloud solutions and services are immature, and we know that there will be significant advances and changes in how they are engineered and delivered over the next few years,” says Simpson.
“We want our clients to be in a position to take full advantage of what is happening,” he says. “But this means getting the right balance between the risks of lock-in, short term delivery pressures and the longer term uncertainty over which technologies and vendors will win through.”
A balance that many companies won’t get right. So are the risks worth taking? Hang on, is it a risk? Surely the cloud is about avoiding risk, isn’t it?
Mike Small believes that the risks of not adopting the cloud often outweigh those of adoption. This is because cloud providers are big enough to afford the skills and equipment needed to provide a secure and resilient IT service. They can also invest in improving their services.
Cloud computing is a tactical investment and it can help you avoid the risks inherent in big IT projects. But, as we shall see, it brings a new generation of uncertainty. Having said that, it’s true to say that while client server computing didn’t kill off the mainframe, it was massively successful in its own right.
Cloud computing does eliminate many of the risks of owning your own infrastructure. Just make sure you are fully aware of the new ones.