In the wake of the recent WikiLeaks episode, midmarket CIOs are taking another look at public cloud computing risks....
They may need to drive new policies for transparency about who is behind the curtain, as well as next door.
After all, hosting WikiLeaks made Amazon.com "a honeypot for attack," said Drue Reeves, vice president and research director for cloud computing and data center strategies at Gartner Inc.
The irony is that WikiLeaks went to Amazon because Amazon had better security against a denial-of-service (DoS) attack than WikiLeaks could provide, Reeves said. "Anybody who can't afford to protect against a DoS goes to Amazon," he said. "Yet the provider could be attacked."
When it became known that WikiLeaks had contracted with Amazon Web Services for cloud computing space -- and later, that Amazon had booted the whistleblower from its cloud for violations of its terms of service-- midmarket IT managers and industry experts ruminated on the incident's ramifications for the multi-tenant model.
Sharing resources with organizations that might be targets for attack is just one public cloud computing risk -- one that midmarket companies assume when they sign onto the multi-tenant environment, according to Tanya Forsheit, founder of the Information Law Group LLP in Los Angeles, and an expert on cloud contracts.
"It's not just about your own [business] practices," Forsheit said. "It's important for any organization with a business relationship with another company to plan for contractual provisions that deal with risks, and allocation of risks. This [WikiLeaks episode] is a fairly unique circumstance, but all organizations in the cloud are going to have those issues.
"The point of the cloud is that you're sharing space," Forsheit said. "If you're going to use the cloud, you have to accept the notion that that's true, or use a private cloud to segment data."
Until such liability issues associated with the public cloud are more commonly known and accepted, some midmarket firms, such as the Austin Radiological Association, will continue to keep the cloud private.
"Personally, I'd like to see how companies are tackling the security issues for their particular industries in the public cloud," said Todd Thomas, CIO of Austin Radiological,, which provides imaging services to hospitals in central Texas. "I don't think the security is well understood yet."
Won't you be my neighbor?
Customers should be demanding transparency in terms of safeguards against other tenants wherever possible, Gartner's Reeves said: "Ask, 'Is my provider reasonable in terms and conditions, and also actively watching other tenants to make sure no activity is happening that could bring in the Feds to shut down the cloud? Have they taken appropriate actions in the past? Is it a responsible provider that looks at the constituency?'"
Transparency in cloud policies should be a given, Prateek Dwivedi, CIO of Mount Sinai Hospital in Toronto, believes. Otherwise, cloud providers will base their defenses against claims on "acceptable use of technology. They'll say, 'If you had an issue with [the policy], you should have done something about it a long time ago,'" he said.
Public cloud computing risks go beyond naughty neighbors to the policies the providers have for their own employees. "I want to know who has access to my data; what kind of background checks do they run?" said a data center manager at a division of a nationwide appliance manufacturer in the Southwest.
Minimize cloud computing risks
How to find out the answers to all those questions? Ask, Forsheit said. Plenty of cloud providers will answer questions about criminal background checks: "That's one of their value-adds," she said. "Some will provide more information. It gives them a basis for competition."
Ask, 'Is my provider reasonable in terms and conditions, and also actively watching other tenants?'
Drue Reeves, vice president and research director, Gartner Inc.
Now also would be a good time for a trusted third party to emerge as a cloud broker, Reeves suggested, to do employee background checks and audit the rotation of employees. "We do think a trusted broker would verify security procedures," he said, "but there are no full-service brokers yet. I don't know if anyone is doing background checks."
A few cloud intermediaries have sprung up, including Freedom Open Source Solutions (Freedom OSS), a professional services organization in Newtown, Pa., and Cloudswitch Inc. in Burlington, Mass.
Forsheit agreed that the cloud, which "has turned into an industry in itself," creates opportunities for brokers. "A broker is just that -- a conduit. One way or the other, a business going into the cloud -- even if they don't know who else is there -- does want to know security policies," she said.
Regardless of the risks, there is a lot of interest in the public cloud, according to Forsheit. "Companies want to do it, but they want to have certain kinds of protections, to transfer the liability in a certain way. The cloud can be a big positive if they can get those assurances and protections."
Let us know what you think about the story; email Laura Smith, Features Writer.