So, you have your data in the cloud, what if it rains?
Cloud computing is one of the most controversial, misunderstood yet ingenious technologies to have existed. Thanks to some misconceptions and myths, many are unclear on exactly what this technology is all about. I have met several people who still think physical servers hosting services and data are in the clouds – literally.
Cloud computing is a general term for anything that involves delivering hosted services (including servers, storage, databases, networking, software, analytics, intelligence, etc.) over the Internet. These services are divided into three main categories: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
A cloud can be private or public. A public cloud sells services to anyone on the Internet like AWS, Azure, Dropbox, Gmail, etc. A private cloud, on the other hand, offers services either over the Internet or a private internal (proprietary) network, and to only select users instead of the public.
A popular deployment model is a combination of public and private clouds. This is known as the Hybrid model. An organisation can have a mission-critical service hosted on their internal or on-premises cloud while keeping the front end on public clouds.
If you are using Microsoft Office 365 or Gmail for email, Apple cloud, Google photos/drive, or Dropbox for storage, congratulations! You are a proud consumer of cloud computing. It is called cloud because we mostly do not know where the data sits. Even if we knew which data centre the data is hosted, we hardly know which particular server is doing us the honours. Cloud, therefore, represents that ‘unknown’ element.
Like every other commodity, large-scale implementation or production makes a unit cheaper to purchase. The same applies to cloud computing. One of the benefits of this technology is the leverage on economies of scale.
A start-up company with limited resources can access computing power almost immediately, paying just the right amount for what they use, scale up and down depending on their usage, and compete with global powers without any capital investment in data centres. With cloud computing, service hosting can be multiplied across several data centres in different geographical locations to provide true redundancy, ensuring business continuity and agility.
Arguably, cloud computing provides better security than on-premises hosting of services. Statistically, most of the data breaches on cloud infrastructure are mainly due to the negligence of some administrators as opposed to the compromise of the cloud infrastructure itself.
Unfortunately, the same cannot be said of onpremises hosting which is often saddled with weak security and constant compromises through vulnerable systems and lagged security.
With the right mix of people, technology and processes, cloud computing provides one of the best security for any infrastructure.
If cloud computing is this secured, why then is there so much talk and uncertainty about its adoption? Cloud is like choosing a motorcycle over a car, the least mistake is unforgivable. Consumption of cloud services can be likened to when we eat at restaurants, we are hardly certain of the ingredients and hygienic conditions of the kitchen, but we trust the food is wholesome.
There are genuine concerns every organisation should worry about when deciding to adopt cloud technology. Yes, the cloud provides some very generous benefits that we should take advantage of, but the risks are also real to be considered.
For any organisation considering the cloud, a cloud strategy must be drawn up. Gartner has come up with a very interesting decision framework that can be used to evaluate the benefits and challenges of a cloud approach for specific application scenarios. This can be adopted to decide whether the service under consideration is cloud worthy.
Source: Gartner – Cloud Strategy Leadership Their approach is to consider how high the benefits or rewards that the cloud can offer versus the potential downsides or dangers of using cloud services. The four outcomes are either to consider a private cloud, embrace a public cloud, experiment or avoid the cloud completely.
I think cloud concerns are more about privacy than security. It is important to distinguish between the two, especially when discussing cloud computing. You can have solid security without privacy, not the other way round. There is no privacy without security. Privacy includes the laws and regulations requiring organisations to protect customer data while security encompasses the technical processes, technology, and policies to protect that data.
So many organisations today use Microsoft’s Office 365 email suite, for instance. All the organisation’s communication is hosted somewhere in the United States, United Kingdom, Australia, Greenland or perhaps the moon – we don’t know for sure. If the staff of these cloud service companies access our data, we will have no idea; we only trust they have enough policies and controls to reduce this risk.
If a fellow cloud tenant finds a way to exploit a vulnerability within the hosting infrastructure and accesses our data, we will have absolutely no idea. How true data disposal happens when an entity decides to discontinue the use of a cloud service. Whereas an on-premises hard disk can be physically destroyed, the same cannot be done with data stored on the cloud. There will be remnants of the data stored somewhere by the provider.
The situation becomes even more critical when personally Identifiable Information (PII) of a country’s citizens is hosted in another jurisdiction. Countries with the bilateral agreement may quickly have a fallout. If that happens, what happens to the data that sits with this other country? Now we are talking about a matter of national security.
A cloud service provider (CSP) can be subpoenaed to hand over data belonging to entities of the opposing country for further intelligence gathering. Imagine portions of services being rendered by critical entities are run on the cloud, hosted by a now hostile country. Assuming Ukraine hosts critical services in Russia or vice versa, I am pretty sure these services are going to be shut down right from the start of the conflict.
You find the European Union using GDPR to regulate and reduce the risk of lack of privacy irrespective of the jurisdiction the service is rendered from. The key question though is, can smaller countries or those without a strong union exert the same international power to cater for its data in the name of national security?
In Ghana, for instance, we are trying to support several businesses to digitise and go global. This requires being innovative while maintaining costs at the minimum due to limited capital. Should we, therefore, use regulation to limit the kind of data that can be stored in the cloud despite the numerous benefits of cloud computing? Whether we like it or not, cloud computing is here to stay, and businesses need these innovative and breakthrough technologies to survive and scale.
Should we perhaps empower entities like the National Information Technology Agency (NITA) to create Amazon-like data centres to host data locally? This way, companies can derive the benefits of the cloud while reducing the risks affecting privacy. Should we be deliberate about which countries can host our data when we go cloud? Without such alternatives, it will be practically impossible to restrict the use of the cloud for mission-critical services, or even for storing and processing personally identifiable information, given that almost every service requires the collection of same.
Cloud computing is inevitable if we want to be nimble, agile and innovative. Going cloud provides enormous benefits to organisations and it should be on the agenda of every entity. But, what if it rains?
>>>the writer is Head, Information Security at Stanbic Bank Ghana