By Monica Crocker CRM, PMP, CIP, and Robert Smallwood
Cloud computing represents one of the most significant paradigm shifts in information technology (IT) history. It may have evolved as an extension of sharing an application-hosting provider, which has been around for a half century and was common in highly regulated vertical industries, such as banks and health care institutions. But cloud computing is a very different computing resource, utilizing advances in IT architecture, system software, improved hardware speeds, and lower storage costs.
The impetus behind cloud computing is that it provides economies of scale by spreading costs across many client organizations and pooling computing resources while matching client computing needs to consumption in a flexible, (nearly) real-time way. Cloud computing can be treated as a utility that is vastly scalable and can be readily modulated, just as the temperature control on your furnace regulates your energy consumption. This approach has great potential, promising on-demand computing power, off-site backups, strong security, and “innovations we cannot yet imagine.”1
When executives hear of the potential cost savings and elimination of capital outlays associated with cloud computing, their ears perk up. Cloud deployments can give users some autonomy and independence from their IT department, and IT departments are enthused to have instant resources at their disposal and to shed some of the responsibilities for infrastructure so they can focus on business applications. Most of all, they are excited by the agility offered by the on-demand provisioning of computing and the ability to align IT with business strategies more nimbly and readily.
But for all the hoopla and excitement, there are also grave concerns about security risks and loss of direct IT control, which call for strict information governance (IG) policies and processes. Managers and IT leaders who are customers of cloud computing services are ultimately responsible for IT performance. A number of critical IG challenges associated with cloud computing must be addressed. These include privacy and security issues, records management (RM) issues, and compliance issues, such as the ability to respond to legal discovery orders. In addition, there are metadata management and custody challenges to consider. An investigation and analysis of how the cloud services provider(s) will deliver RM capability is crucial to supporting IG functions, such as archiving and e-discovery, and meeting IG policy requirements.
Organizations need to understand the security risks of cloud computing, and they must have IG policies and controls in place for leveraging cloud technology to manage electronic information before moving forward with a cloud computing strategy.
The definition of cloud computing is, rather, well, cloudy, if you will. The flurry of developments in cloud computing makes it difficult for managers and policy makers to define it clearly and succinctly, and to evaluate available options. Many misconceptions and vagaries surround cloud computing. Some misconceptions and questions include:
Cloud computing is a shared resource that provides dynamic access to computing services that may range from raw computing power, to basic infrastructure, to fully operational and supported applications.
It is a set of newer information technologies that provides for on-demand, modulated, shared use of computing services remotely. This is accomplished by telecommunications via the Internet or a virtual private network (which may provide more security). It eliminates the need to purchase server hardware and deploy IT infrastructure to support computing resources and gives users access to applications, data, and storage within their own business unit environments or networks.3 Perhaps the best feature of all is that services can be turned on or off, increased or decreased, depending on user needs.
There are a range of interpretations and definitions of cloud computing, some of which are not completely accurate. Some merely define it as renting storage space or applications on a host organization's servers; others center definitions around Web-based applications like social media and hosted application services.
Someone has to be the official referee, especially in the public sector. The National Institute of Standards and Technology (NIST) is the official federal arbiter of definitions, standards, and guidelines for cloud computing. NIST defines cloud computing as:
a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.4
NIST has offered its official definition, but “the problem is that (as with Web 2.0) everyone seems to have a different definition.”5 The phrase “the cloud” has entered the mainstream—it is promoted on prime-time TV—but its meaning and description are in flux: that is, if you ask 10 different people to define it, you will likely get 10 different answers. According to Eric Knorr and Galen Gruman in InfoWorld, it's really just “a metaphor for the Internet,” but when you throw in “computing” alongside it, “the meaning gets bigger and fuzzier.” Cloud computing provides “a way to increase capacity [e.g., computing power, network connections, storage] or add capabilities dynamically on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-per-use service that, in (near) real time over the Internet, extends IT's existing capabilities.”6
Given the changing nature of IT, especially for newer developments, NIST has stated that the definition of cloud computing “is evolving.” People looking for the latest official definition should consult the most current definition available from NIST's Web site at www.nist.gov (and other resources).
NIST also identifies five essential characteristics of cloud computing:
Cloud computing enables convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned.
Cloud computing growth is expected to continue to climb dramatically. A recent Gartner study shows that the United States is the leader in adopting cloud computing, and the market is expanding rapidly.8 The cloud computing market is expected to grow 21 percent annually from 2012 to 2016, exceeding $16 billion in 2014 and growing to over $22 billion in 2016.9
The use of service-oriented architecture—which separates infrastructure, applications, and data into layers—permeates enterprise applications, and the idea of loosely coupled services running on an agile, scalable infrastructure may eventually “make every enterprise a node in the cloud.” That is the direction the trend is headed.
A common misconception is that an organization “moves to the cloud.” In reality, the organization may decide to transition some specific business applications to the cloud. Those specific business applications are selected because a cloud architecture may offer crucial functions that the internally hosted solution does not or because the internal solution is burdensome to maintain. Some examples of business applications that frequently are moved to the cloud include advertising, collaboration, e-mail, office productivity applications, sales support solutions, customer response systems, file storage, and system backups.
Another common misconception is that if your organization does not decide to migrate to a cloud solution, you are protected from all the dangers of cloud computing. The hard facts are that, for the vast majority of organizations, users are already putting information in the cloud. They are simply using cloud solutions to compensate for limitations of the current environment. They may be using Box.com to get at information when working remotely or Dropbox.com to share information with an outside business partner. Or they are using SkyDrive to get to documents from their iPad. They may not even realize they have posted company information to a cloud environment, so they do not realize they violated any policy against doing that. To complicate matters, they probably also left a copy of the information within your organization's firewall. Internal users might not realize they are not using the current version, and your records manager does not know another copy is floating around out there. This is completely ungoverned information in the cloud. The best defense against it is to deliver solutions for those business needs so that users do not have to find their own.
Among metatrends, “Cloud computing is the hardest one to argue with in the long term.”
The idea of loosely coupled services running on an agile, scalable infrastructure should eventually “make every enterprise a node in the cloud.”
Depending on user needs and other considerations, cloud computing services typically are deployed using one of four models, as defined by NIST:
There are four basic cloud computing models: private, public, community, and hybrid (which is a combined approach).
Cloud computing comes with serious security risks—some of which have not yet been uncovered. In planning your cloud deployment, these risks must be borne in mind and dealt with through controls and countermeasures. Controls must be tested and audited, and the actual enforcement must be carried out by management. Key cloud computing security threats are discussed next, along with specific examples and remedial measures that can be taken (fixes). The majority of this information and quotations are from the Cloud Security Alliance.12
When information is deleted or altered without a backup, it may be lost forever. Information also can be lost by unlinking it from its indices, deleting its identifying metadata, or losing its encoding key, which may render it unrecoverable. Another way data/document loss can occur is by storing it on unreliable media. And as with any architecture—not just cloud computing—unauthorized parties must be prevented from hacking into the system and gaining access to sensitive data. In general, providers of cloud services have more resources at their disposal than their individual clients typically have.
Examples
The Fixes
Cloud computing carries serious security risks—some of which have not yet been uncovered.
Many times damage to information is malicious, while other times damage is unintentional. Lack of training and awareness, for example, can cause an information user to accidentally compromise sensitive data. Organizations must have proactive IG policies that combat either type of breach. The loss of data, documents, and records is always a threat and can occur whether cloud computing is utilized or not.
But the threat of data compromise inherently increases when using cloud computing, due to “the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.”
Examples
The Fixes
Since the advent of the National Security Agency controversy and the slew of examples in the corporate world, the threat of the malicious insider is well known. “This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure” (emphasis added). It is important to understand your cloud provider's security procedures for its employees: How are they screened? Are background checks performed? How is physical access to the building and data center granted and monitored? What are its remedial procedures for noncompliance?
It is prudent to investigate the security and personnel screening processes of a potential cloud provider.
When these security, privacy, and support issues are not fully investigated, it creates an opportunity for identity thieves, industrial spies, and even “nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.”
Examples
The Fixes
Although cloud computing providers, as a rule, invest heavily in security, they also can be the target of attacks, and those attacks can affect many client enterprises. Providers of cloud infrastructure service (e.g., network management, computing power, databases, storage) offer their customers the illusion of unlimited infrastructure expansion in the form of computing, network resources, and storage capacity. Often this is coupled with a very easy sign-up process, free trials (even for anonymous users), and simple activation with a credit card. This is a boon to hackers who can assume multiple identities. Using these anonymous accounts to their advantage, hackers and spammers can engage in criminal operations while remaining elusive.
Easy sign-up procedures for cloud services mean that hackers can easily assume multiple identities and carry out malicious attacks.
Examples
The Fixes
By their very nature, cloud computing solutions involve the movement of information. Information moves from a workstation in your network to the cloud, from the cloud to a mobile device user, from an external partner to the cloud and then to one of your workstations, and so on. Further, information may be moved automatically from an application in the cloud to an application you host internally and vice versa. The movement of information complicates the process of securing it, as it now must be protected at the point of origin, the point of receipt, on the device that transmits it, on the device that receives it and at all times when it is in transit.
An application programming interface (API) is a way of standardizing the connection between two software applications. APIs are essentially standard hooks that an application uses to connect to another software application—in this case, a system in the cloud. System actions like provisioning, management, orchestration, and monitoring can be performed using these API interfaces.
APIs must be thoroughly tested to ensure they are secure and abide by policy.
It comes down to this: A chain is only as strong as its weakest link, so APIs must be thoroughly tested to ensure that all connections abide by established policy. Doing this will thwart hackers seeking work-arounds for ill intent as well as valid users who have made a mistake. It is possible for third parties to piggyback value-added services on APIs, resulting in a layered interface that is more vulnerable to security breaches.
Examples
The Fixes
Basic cloud infrastructure is designed to leverage scale through the sharing of components. Despite this, many component manufacturers have not designed their products to function in a multitenant system. Newer architectures will evolve to address this issue.
In the meantime, virtual computing is often used, allowing for multiple instances of an operating system (OS) (and applications) to be walled off from others that are running on the same computer. Essentially, each instance of the OS runs independently, as if it were the only one on the computer. A “virtualization hypervisor mediates access between guest operating systems and the physical compute resources” (like central processing unit processing power). Yet flaws have been found in these hypervisors “that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform”—and therefore indirectly impact the other guest OSs running on the machine. To combat this, “security enforcement and monitoring” of all shared computing resources must be employed. Solid partitions between the guest OSs—known as compartmentalization—should be employed to ensure that one client's activities do not interfere with others running on the same cloud provider. Customers should never have access to any other tenant's “actual or residual data, network traffic” or other proprietary data.
Cloud providers use virtualization heavily and hypervisors may allow intrusions.
Examples
The Fixes
Hacking into accounts to assume the identity of an authorized user has been happening almost since personal e-mail existed. It can be as simple as stealing passwords with a keystroke logger. Attack methods such as social engineering (e.g., phishing), fraud by identity theft, and exploitation of software vulnerabilities are still effective at compromising systems. Most people recycle a few passwords and reuse them for multiple accounts, so once one is breached, criminals can gain access to additional accounts. If login credentials are compromised, a hacker can monitor nearly everything your organization is doing: A less passive hacker might alter or destroy sensitive documents, create false information, or replace your links with fraudulent ones that direct users to sites harboring malware or phishing scams. Once they have control, it can look like your organization is the origin of the malicious downloads or information capture. From here, the attackers can assume the good name and reputation of an organization to further their attacks.
The Fixes
Knowing your neighbors—those who are sharing the same infrastructure with you—is also important, and, as we all know, good fences make good neighbors. If the cloud services provider will not or cannot be forthcoming about who else is sharing its infrastructure services with your organization and this becomes a significant issue, you may want to insert contract language that forbids any direct competitor from sharing your servers. These types of terms are always difficult to verify and enforce, so moving to a private cloud architecture may be the best option.
Examples
It is important to know what other clients are being hosted with your cloud services provider, as they may represent a threat. Moving to a private cloud architecture is a solution.
A primary selling point of cloud computing is that enterprises are freed up to focus on their core business rather than being focused on providing IT services. Modulating computer hardware and software resources without making capital expenditures is another key advantage. Both of these business benefits allow companies to invest more heavily in line-of-business activities and focus on their core products, services, and operations. However, the security risks must be weighed against the financial and operational advantages. Further complicating things is the fact that cloud deployments often are enthusiastically driven by advocates who focus inordinately on potential benefits and do not factor in risk and security issues. Additional examples of IG concerns are listed next.
An analysis of an organization's exposure to risk must include checking on software versions and revision levels, overall security design, and general IG practices. This includes updating software, tools, and policy, as needed.
Finally, for each of these challenges, “IG policies and controls to secure information assets” and “IG policies and controls to protect the most sensitive documents and data” are a key part of the solution.
The risks and security vulnerabilities of cloud computing have been reviewed in this chapter—so much so that perhaps some readers are wondering whether cloud computing really is worth it. The answer is a qualified yes—it can be, based on your organization's business needs and computing resource capabilities. Besides the obvious benefit of getting your company out of the IT infrastructure business and back to focusing on its real business goals, there are many benefits to be gained from cloud computing solutions.
Some of the specific benefits offered by cloud computing solutions are listed next.
The business benefits of cloud computing may largely outweigh the security threats for the vast majority of enterprises, so long as they are anticipated and the preventive actions described are taken.
The National Archives and Records Administration has established guidelines for creating standards and policies for managing an organization's e-documents records that are created, used, or stored in cloud computing environments.
A set of guidelines aimed at helping you leverage cloud computing in a way that meets your business objectives without compromising your IG profile is presented next.
Utilizing cloud computing resources provides an economical way to scale IT resources, which allows more focus on core business operations. It can render significant business benefits, but its risks must be carefully weighed, and specific threats must be countered, in the context of a long-range cloud deployment plan.
Most cloud services providers do not have mass content migration or RM capabilities.
1. Cloud Security Alliance, “Top Threats to Cloud Computing V1.0,” March 2010, https://cloudsecurity-alliance.org/topthreats/csathreats.v1.0.pdf, p. 6.
2. R. “Ray” Wang, “Tuesday's Tip: Understanding the Many Flavors of Cloud Computing and SaaS,” March 22, 2010, http://blog.softwareinsider.org/2010/03/22/tuesdays-tip-understanding-the-many-flavors-of-cloud-computing-and-saas/.
3. NARA Bulletin 2010-05, “Guidance on Managing Records in Cloud Computing Environments,” September 8, 2010, www.archives.gov/records-mgmt/bulletins/2010/2010-05.html.
4. Peter Mell and Tim Grance, “NIST Definition of Cloud Computing,” Version 15, 10-07-09, www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf (accessed December 12, 2013).
5. Knorr and Gruman, “What Cloud Computing Really Means.”
7. Mell and Grance, “NIST Definition of Cloud Computing.”
8. Gartner Press Release, “Gartner Says Worldwide Public Cloud Services Market to Total $131 Billion,” February 28, 2013, www.gartner.com/newsroom/id/2352816 (accessed October 11, 2013).
9. This and the next quotes in this section are from Louis Columbus, “451 Research: Cloud-Enabling Technologies Revenue Will Reach $22.6B by 2016,” September 26, 2013, http://softwarestrategies-blog.com/2013/09/26/451-research-cloud-enabling-technologies-revenue-will-reach-22-6b-by-2016/ (accessed October 11, 2013).
10. It's a long-running trend with a far-out horizon. But among big metatrends, cloud computing is the hardest one to argue with in the long term. (emphasis added).
11. All definitions are from Mell and Grance, “NIST Definition of Cloud Computing.”
12. Cloud Security Alliance, “Top Threats to Cloud Computing V1.0.”
13. Gordon E. J. Hoke, CRM, e-mail to author, June 10, 2012.
14. NARA Bulletin 2010-05, “Guidance on Managing Records in Cloud Computing Environments.”
* Portions of this chapter are adapted from Chapter 12, Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.