
Cloud Computing and the Risks for Security Breaches

 By Chuck Schaeffer

Does The Cloud Put Your Company's Security at Risk?

The global recession may be relenting, but the pressure to cut costs has not abated. Inevitably, the chatter in boardrooms and break rooms centers on the cloud as the most promising opportunity to acquire the technology the company wants at a price the company can afford. IT leaders know that there is plenty of promise in the cloud, but there can be pain too. So how can you tell if the cloud is right for your company?

The elephant in the room is a raging rogue bull that can destroy a company in a single incident, and its name is Security Breach. Everyone shudders at the thought of a security compromise, and many are concerned that Software as a Service (SaaS) is a red flag that invites exactly that attack. The problem with this fear is that it is overly broad; it needs closer examination to separate fact from fiction. Consider the facts.

Fact #1: Cloud Providers Offer Information Security Seldom Matched by Private Enterprises

As a matter of normal practice, cloud and SaaS CRM providers offer impressive security postures, including:

  • A security infrastructure which includes expert staff, a comprehensive and living information security plan, multiple layers of security defense, trained and verified processes, periodic and random vulnerability assessment audits, controlled penetration tests, redundant hot sites and a verified and tested Business Continuity (BC) and Disaster Recovery Plan (DRP)
  • Independent annual information security certifications and attestations, from authorities such as the United States Federal Government (NIST Certification and Accreditation, or C&A) or the International Organization for Standardization (ISO 27001)
  • Independently certified multiple layer and Deep Packet Inspection (DPI) firewalls managed 24 by 7 by security experts
  • Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Incident Response Systems managed 24 by 7 by security experts
  • Independently issued digital certificates, SSL/TLS-encrypted traffic in transit and encrypted data at rest
  • Multiple commercial anti-virus products redundantly installed at multiple network layers, including the Gateway, the application layer and web server farms
  • Physical security infrastructures with measures such as mantrap staging areas, multiple factor biometric scanning and card combination access authorization, dual-identification entry systems, 24 hour security guard monitoring, facility-wide indoor and outdoor closed-circuit TV, individually secured cabinets, integrated alarm systems and 24 by 7 environmental monitoring

"Do you really have the right measures in place for security threats and business continuity issues?" asks Rob Käll, president of Bookt, a web services provider to the global vacation rental and hotel industry. "For example, what happens if someone steals all your servers?"

Indeed, what happens upon a natural disaster such as a tornado, flood or earthquake – or an accident such as a fire – or if a hacker gains access to your network or acquires credentials through a stolen thumb drive, a forgotten smartphone or an unguarded laptop? Do your internal staff, tools and processes offer the same level of preparedness and response as the cloud providers?

Also consider that on top of all those risks, the biggest risk of security compromise comes from your own people. Information security studies consistently rank employees as the number one threat to your data, and some estimate that breaches are about four times more likely to stem from employees than from external hackers. Does storing your data on-site increase or decrease the risk of theft by employees?

Is confidential or sensitive data any safer on your own servers than in the cloud? Probably not. Data stored in the cloud faces comparable threats to data stored on a server in your own data center, down the street, in the next city or elsewhere. The difference is that cloud providers typically bring much greater preparedness for such events.

If security concerns are the only thing holding you back from adopting a cloud solution, compare your current risk exposure to that if you go with a cloud provider. You will most likely be gaining much improved security by enlisting the services of cloud providers.

It's not that individual companies cannot make the efforts and investments to implement state-of-the-art information security infrastructures; it's just that security is not their core competency, and the investment probably wouldn't make business sense.

"Cloud-computing providers can solve these security and business continuity problems on a much greater scale and the savings are passed to the consumers of the services," says Käll. "They are also likely to have more seasoned staff and every Software as a Service (SaaS) provider knows that their reputation lives and dies with their security and uptime performance."

Fact #2: WWW is Not the Wild Wild West

To the uninformed, the Internet is a dangerous place that threatens your company's security. Informed business and IT leaders, however, recognize the risk and the need to mitigate it, because they cannot survive or thrive without the Web.

Even non-cloud companies spend plenty of time connected to the web – for email, making remote presentations, supporting remote staff, transferring files, downloading information and much more. When you purchase on-premise software, you likely download it from the Web and not actually install it from a CD, DVD or anything that is plugged into your servers. And, you'll probably get your updates and patches off the Web. So there you are, back on the 'Net again.

The only way to avoid most threats coming from the Internet is to not connect to the Web at all. But the highest threat of compromise from internal staff continues to exist, and more importantly, abstinence will kill your company. Companies would be unable to capitalize on business growth opportunities without online interaction.

Fact #3: Other Cloud Concerns Remain

Ironically, security is generally the first and most frequently cited cloud concern yet adopting cloud solutions can dramatically improve security preparedness, incident response and business continuity. However, while not receiving the same initial attention, other concerns to cloud adoption – such as total cost of ownership, cloud contracts, cloud tools and portability – remain relevant.

Due to the subscription pricing model there's no argument that up-front cloud or SaaS costs are dramatically cheaper than their on-premise counterparts. Also, with quick provisioning of new systems and no hardware or platform software (i.e. operating systems, relational databases, security programs, management tools, etc.) to install, SaaS CRM software implementations go faster and cost less. And, with less hardware to maintain and less need for application system administrators, database administrators and overall support, IT labor costs are clearly reduced. However, subscription pricing is recurring billing, so whether cloud systems deliver reduced total cost of ownership (TCO) over the life of the application compared to their licensed counterparts becomes a TCO calculation that will vary for each organization.

Contracts for cloud solutions lack standardization and, if not understood by buyers, may saddle them with unforeseen risk. Some cloud CRM vendors offer Service Level Agreements (SLAs), some do not. Some CRM vendors such as Salesforce.com offer SLAs to some customers but not others. Some SLAs contain financially-backed credits or penalties for SLA non-conformance, while others do not. Some SLAs exclude "scheduled maintenance" from uptime guarantees while others do not. Most cloud vendors charge varying storage rates beyond their allotted per-user storage amount, and most vendors include automatic renewals; however, the terms and conditions of renewals vary. Several SaaS vendors include a "coterminous" provision when adding users during the contract term, meaning that any users added during the contract period retroactively result in increased subscription fees for the original users as well. Some CRM vendors include language reinforcing the customer's ability to retrieve their data in a timely manner; others do not. The lack of consistency among cloud contracts imposes increased diligence upon cloud buyers and their legal advisors.

Despite powerful Platform as a Service (PaaS) and custom development tools from cloud and SaaS providers, many IT shops lack cloud tools to help them support their infrastructures, policies and user communities. Simple tools such as real-time monitoring of cloud services, may be unavailable, blocked by cloud providers or contractually prohibited in cloud vendor contracts. This prevents IT shops from obtaining performance metrics and impairs their ability to provide real-time support to their user communities. Other tools such as integrated identity management solutions are in short supply. Companies that subscribe to multiple SaaS products without a common easy to install and easy to use single sign on (SSO) or other identity management method will force users to manage multiple logon ID's and passwords.

Cloud portability is becoming a casualty of proprietary PaaS tools. For example, companies can use the Salesforce.com Force.com development environment to build custom applications and add-on solutions; however, such solutions only work on Salesforce.com's cloud. Similarly, don't expect custom solutions built with NetSuite's NS-BOS platform or SAP's NetWeaver platform (for Business ByDesign) to work outside of their own clouds. Salesforce.com's announcement in late 2010 of database.com, and its more open and agnostic approach, is a welcome sign to CIOs and application teams, and is expected to begin a slow trend toward making cloud solutions more portable.

According to Daryl Plummer, Gartner VP and Fellow, many of the remaining cloud concerns will be addressed over the next few years. He advises that by 2015 cloud providers will understand that customers need audit tools for cloud services and contractual guarantees about the vendors' liability should their systems fail. Plummer also predicts "cloud brokerages" or intermediaries will emerge to help companies get what they want from the cloud.

The Cloud is Coming, Whether You're Ready or Not

On top of everything else, recognize the cloud will grow despite any efforts to keep it at a distance.

"While the on-premise model is the use of internal services with a few forays into the cloud, in the future it will certainly be the opposite," says Ed Lyons, Chief Engineer at Keane. "Business services will increasingly be in the cloud, and there will be rare exceptions when something must be brought 'in-house.'"

"We don't have to imagine this model, startups with millions of users already operate this way," he added.

There are far more clouds developing on the horizon - private clouds, public clouds and hybrid. "An increasing focus will be on private clouds, and companies will see significant changes in the cost structure and accounting treatment within their organizations," says Amit Sen, Director at Patni Americas' Business Consulting Services group.

Next time you're in the "do we do the cloud?" discussion in a board room or a break room, recognize the real question isn't whether the company moves to the cloud, but when and under what conditions the cloud makes sense for your business.

Filed in: Cloud Computing | Tags: information security | Permalink: www.crmsearch.com/cloud-security.php | Author: Chuck Schaeffer

Comments (8) — Comments for this page are closed —

Kent Ellis
  We're about to buy a cloud CRM software solution. We're leaning toward Salesforce.com, which has a SAS 70 certification. It's unclear to me whether this cert really ensures thorough security or not. Is a SAS 70 enough to put our security concerns behind us?
  Chuck Schaeffer
    That depends upon the sensitivity of your data and your appetite for risk. A SAS 70 Type II (or its SSAE No. 16 replacement) is not prescriptive, meaning that there are no specific and measurable objectives, guidelines and internal controls that must be satisfied in order to achieve the certification. SAS 70s are granted by CPAs who, with their clients' input, apply their own discretion to determine the unique goals and subjective criteria that satisfy the audit and certification. SAS 70s are most often used to audit service providers of companies going through a Sarbanes-Oxley (SOX) audit. Because the audit is subjective, and every CPA auditor may apply different rigour and interpretation, and in fact two auditors looking at the same situation may derive different conclusions, I am personally not a believer in SAS 70s and give them no credence as a measure of a company's information security posture. In fact, I think they're little more than an employment act for accountants created by the AICPA (American Institute of CPAs), which opportunistically crafted the audit and associated it with the roll-out of the Sarbanes-Oxley Act at a time when the country and politicians were livid about the corporate scandals and egregious behaviors of unethical companies such as Enron, WorldCom and Tyco. As an alternative, I suggest audits and attestations from ISO or NIST provide much more meaning and confidence. The ISO 27001 and the NIST C&A (Certification and Accreditation) are both prescriptive audits. They offer varying information security levels, and specifically defined internal controls for each level that must be objectively satisfied each year to acquire and maintain the certification. Fortunately for your situation, Salesforce.com retains both a SAS 70 and an ISO 27001.

Jeff Atkinson
  Wow, please tell me how you really feel about the SAS 70. Do you place any reliance on this audit, or is it just worthless?
  Chuck Schaeffer
    I wouldn't say a SAS 70 Type II is necessarily worthless; I'd just say it's worth less than a more objective, measurable audit such as an ISO 27001. Because every SAS 70 may have different objectives, audit criteria and assumptions, you'll need to read the report to understand the scope and results of the particular audit.

Cathy Meek
  I find this topic critical in the CRM software selection process. So what are the best ways to test a cloud vendor's security to get peace of mind?
  Chuck Schaeffer
    To validate information security, I suggest starting by reviewing the 3 P's: People, Processes and Proof. Security begins and ends with people. Make sure the cloud vendor has experienced, trained, certified and dedicated information security staff. Security processes include the methods, routines and overlapping layers of redundant security measures which safeguard data in transit and data at rest. Proof generally consists of independent audits and third-party attestations from recognized authorities. If you are not well versed in information security, I highly recommend seeking an outside expert. As you may have gathered by now, I personally like the ISO 27001 and NIST C&A annual certifications and attestations.

Roberto Hernandez
  Do you expect the SSAE 16 to be better than the SAS 70? What's different with the new standard?
  Chuck Schaeffer
    The SSAE No. 16 replaces the SAS 70 effective June 2011. My review of SSAE No. 16 a few months ago leads me to believe the changes are minor; however, I recommend you seek out a CPA experienced with the new standard to get a better opinion. My opinion is that the primary changes in the SSAE No. 16 from the SAS 70, while not significant, include the following:

    • The new standard is an attest standard, not an audit standard. Companies should expect a separate audit standard to be issued addressing the requirements of the user auditor.
    • In the new reporting standards, management will be required to provide a written assertion. I like this inclusion as it steps up management accountability.
    • Service organizations are required to provide a similar assertion when the inclusive method is used.
    • Type 1 and Type 2 reports may still be issued by the service auditor. I expect these reports will largely continue, as they're the major revenue-producing projects for CPAs.
    • Type 2 reports require the service auditor to express an opinion on the suitability of the design of controls related to the control objectives throughout the entire period. The format of the service auditor's opinion will change. This provision steps up the auditor's skin in the game; however, it will likely be severely watered down by loose control objectives and reduction-of-liability clauses that will now be inserted into the reports.
    • The service auditor is required to disclose any reliance on the work of Internal Audit or other independent management testing functions within the report.