07 August 2009

Cloud Security: OPS Risk in a Virtual Infrastructure...

"Cloud Computing" is heating up as the information-centric business enterprise looks for new economic strategies to reduce costs, save energy, and share expensive resources. Cloud Security is getting into the discussion simultaneously as the lobbyist alliances make their way around the "Obama Beltway." The Cloud Security Alliance held its symposium this past week at Mitre to set the stage for its 501(c)(6) activities in the federal agencies.

Welcome to the topic of more effective "Operational Risk Management" as an increasingly relevant strategic mandate for the future of enabling enterprise business resilience and achieving a defensible standard of care. Cloud Computing is already here and rapidly accelerating into the way business is leveraging the economies of scale, efficiency of provisioning new users, lowering energy and overhead costs and rapidly gaining newfound applications. Why wait around for the IT department any longer? All the headaches of procuring, maintaining and supporting the physical infrastructure of large Information Technology operations are seemingly going to disappear. Or are they?

What once could be called that minor headache could quickly turn into a major migraine or subarachnoid hemorrhage. When a data breach, denial of service (DoS) or business disruption occurs it will most certainly be on a more massive scale that requires a substantial response to contain the bleeding. If you thought disaster recovery and continuity of operations (COOP) was something you could ignore until you ultimately had an incident, that mindset is certainly over.

Attack on Twitter Came in Two Waves

The meltdown that left 45 million Twitter users unable to access the service on Thursday came in two waves and was directed at a single blogger who has voiced his support for the Republic of Georgia in that country’s continuing conflict with Russia.

Facebook’s chief security officer, Max Kelly, told CNet that the attack was aimed at a user known as Cyxymu, who had accounts on Facebook, Twitter, LiveJournal and other sites affected by Thursday’s cyberassault.

In an interview with The Guardian, the blogger said he believed the strike was an attempt to silence his criticism on the behavior of Russia in the conflict over the South Ossetia region in Georgia, which began a year ago on Friday.

How did a targeted attack against a single user manage to cripple Twitter for almost an entire day?

As Cloud Computing takes businesses into a greater degree of "Domestic Outsourcing," the risk factors change along with the legal risks of 3rd party or 4th party liability. Contractual service level agreements (SLA) that were used in the past for hosting a web site will be far greater in scope and will include a table of loss events and their respective costs per incident by the minute of downtime. And this is just the beginning of the "What ifs?" Some of these will be different than the normal offshoring risk management question sets.

Take eDiscovery and digital forensics for a minute. What is the difference between a lawful intercept and economic espionage? The name of the government behind it. With no perimeter and data everywhere, who can say where your vital mission-critical data actually is in the midst of the 100,000 sq. ft. server farm full of VMware and racks of EMC storage? Even if you knew exactly where it was located in the U.S., India or Singapore, what are the assurances that it is safe or safer than in your own facility? Even with 16 pages of security documentation controls and a SAS 70 Type II certification it may not be enough to defeat the "Fuzzing of VMware" and Hypervisor "Blue Pills".

At the MidAmerica Industrial Park in Oklahoma, amid a Gatorade plant, a pipe manufacturer and nearly 80 other companies, Google is piecing together a plain-looking 100,000-square-foot building it will stock with servers. Next to the industrial park stands a coal-fired electrical generating plant operated by the Grand River Dam Authority.

It helps that the price is right. Google's corporate headquarters sit in Mountain View, Calif. The average industrial electrical rate in the Golden State runs about 9 cents per kilowatt hour. In Iowa and Oklahoma, the meter runs at between 4 and 5.5 cents.

"Google is ... not the type of industry that is really dependent on location, since its product is Internet-based," said Justin Alberty, Grand River spokesman. "The real factors in choosing a location tend to be land, water and electricity."

Server farms, also referred to as data centers by the industry, are also becoming more common with the growth of "cloud computing." The term refers to companies building massive computing power and then renting that capacity out to other firms. Amazon, for one, sells not just books, but time on its servers to run Web sites or store electronic records.

In that way, computing is starting to look like the next utility. In the same way it would be inefficient for each home to have its own electrical generator, it can make sense for consumers and businesses to farm out their computing needs. Some analysts even see consumers buying less highly powered personal computers in the future and relying on firms like Google to fire up the necessary microprocessors when the demand requires.


Operational Risk is a key facet of Cloud Computing and the security of this growing IT strategy. Navigating the laws on the ground in advance of the unseen barriers in the cloud will provide the enterprise with significant hedges against the new emerging risks of the virtual infrastructure before you.

1 comment:

  1. There are certainly new challenges with regard to managing Operational Risk in the cloud. This week my own website at http://wwww.riskfriends.net moved completely to the cloud exploiting various kinds of web services and putting almost all logic in the client environment. The advantages of using services from the cloud are many. The drawbacks of using cloud services depend primarily on the contractual agreement you have with the web service provider. This agreement has to cover the same areas as in an agreement with a service provider in a traditional data centre environment. A denial of service attack like that on Twitter can also hit the website of any bank. The services that are behind an API can also manage risks better than services directly accessible via HTTP. I agree that it does require a thorough understanding of (operational) risks involved.
    Peter
