WHAT MAKES CLOUD RISKS MORE OR LESS RISKY?

Risk aversion is part of the calculation into your business decisions. This is especially true for cloud services. What happens if the cloud provider goes bankrupt? What hap-

pens if the cloud provider is compromised? Figure 9.6,

control of your risk, shows that the more control you give away to your cloud vendors, the more risk you have due to that loss in control. The inherent risk relationship

with cloud service delivery and deployment models [1]

shows that risks will affect system uptime, cost, and access to your data. Clearly, the COSO Enterprise risk management for cloud computing publication points out that the more cloud you have the more risk you have, and the less direct control you have.

Employing the computer “rental” or private cloud option gives you more control and less risk. It is under- standable that if other applications or servers are running on the same hardware, they can cause your application to slow down or cause unforeseen problems with the server and in some cases, a server crash. Bandwidth can also be an issue when a server farm has very high usage. Another risk is your cost. The more your model is based on a pay-as-you-go services model, the more risk you have for your costs rising due to use or overuse.

9.4.1 Mitigating the Risks

The best way to mitigate the risks of a cloud system is to have full system backups of your environment. This includes the ability to move your system to a new cloud hardware platform as well as all of the software and data

to get your business back up and running. Depending upon the critical nature of the system, you may want to have a “hot site” that has a constant feed from the pro- duction site and can failover to the hot site, in case of a failure at the primary data center. One problem with mitigating the risk in this way is the cost savings you have from moving to the cloud evaporate when you have to have two of everything. Collecting information at the

front end is another way to mitigate the risk. Figure 9.7,

questions to ask, just scratches the surface and you should consider making a list of questions and asking the cloud service provider for answers in writing. These should then be part of your contract with the cloud ser- vice provider.

Similarly, you can mitigate the risk of other servers utilizing too many resources by purchasing the hard- ware and colocating it at the cloud service provider’s site. Again, this is a costly endeavor as you may not want to purchase a server or group of servers that is big enough to handle your worst case for usage. The beauty of the cloud is its flexibility to add resources and grow on demand. There are some minimum resource utilization metrics that can be part of your service level agreement (SLA) that address the speed and resource demands on the system. The trick is to be able to tell when the resources are not available and have some kind of pen- alty to the cloud provider for not meeting  the  SLA.

As mentioned earlier, performance needs to be tracked and a warning should be sent when the performance is not up to the SLA. A reliability measure should also be added to your SLA; server uptime should not be an issue in most cloud environments, but if the server fails, there should be a recovery plan.

One great advantage of the cloud model is the ability for the hosting company to have multiple vendors sup- port their Internet, thus giving you a built-in backup Internet in case of an outage by one of the Internet providers to your hosting company. Most of the top tier hosting providers have redundant Internet lines that will automatically fail over and keep the hosting site up.

There are many types of attacks on computer net- works and servers. One of the most effective in the past

Less control

SaaS

PaaS

Deployment models Increased risk

Less direct control, more inherent risk More direct control,

less inherent risk

De

liver

y mo

dels

IaaS

Private Hybrid Public

FIGURE  9.6 Control of your risk (COSO Enterprise Risk Management for Cloud Computing. © 2012 Committee of Sponsoring Organizations of the Treadway Commission. Available at http://www.coso.org/documents/ CloudComputingThoughtPaper.pdf. With permission.)

Who has physical access to the servers? Do you have physical access to the servers? Who has remote access to the servers?

Is there a log of who is accessing your servers – through login/logout and through direct connection to your system without logging in and out? Can you get a copy of the log if needed or does it require a court order?

Will you help to investigate a breach?

has been the DoS attack. Most cloud service providers have the technology to block this type of attack and send messages upstream to keep the attacks from getting into our servers.

9.4.1.1 Hackers

Hackers pose a special threat to cloud servers. One way to mitigate this is for remote login to require a two-step authentication. There are many services that are set- ting up systems where you enter your user ID and pass- word, then the system sends a code to your cell phone to authenticate you as the user. This extra step could pre- vent a person from gaining access to your system even if they have your username and password. There are also secure token systems that change your password every

30 seconds. RSA Secure ID [2] tokens can be integrated

into most cloud systems. You enter your username and then press a button on the token and put in the random number generated by the token as your password, plus some extra digits that only you know. Sometimes this type of system is deployed at the edge of the network and once past the first security, you enter a second user- name and password to get final access to the server. This is often referred to as two-factor authentication.

Having big targets like government, financial institu- tions, or retailers at your data center may attract hack- ers to the site. Most cloud service companies will not disclose all of their clients, but many will have long lists on their website to make you feel comfortable in your choice of service providers. Do the research and make an informed decision.

9.4.1.2 Biometrics

In addition to the password authentication, many new systems are requiring biometrics to gain access to the system. Some systems use fingerprints for access. As

seen in Figure 9.8, biometric fingerprints have a unique

pattern that can be scanned and compared to a captured print on the system. In 2014, Apple created a fingerprint access to the iPhone. By holding your finger over the camera, it is able to discern different minutia to allow

for a positive match, thus allowing the user access just by placing their fingerprint on the camera. With the advent of the iPhone 6, the fingerprint is taken directly from the home button. Apples Touch ID technology allows for quick access to your phone without having to enter a passcode. For more information on the technol- ogy Apple uses, check out www.apple.com/iphone-6/

touch-id/ [3].

Many schools also use this technology for purchas- ing lunches. Instead of having a debit card, the schools employ fingerprint technology to charge the lunch to the students account. At least one cloud hosting provider in Chicago requires hand geometry for access to the server area. Finally, we have all seen the great retinal eye scan- ning in some science fiction movies. There are several companies who offer this technology in the real world for door access; it may be coming soon to a computer laptop. Move in close and let the camera take a picture of the blood vessels in your eye for confirmation of iden- tity. Even HP has a facial recognition program on their all-in-one computers. Take a picture and it will use facial recognition technology to match it to your stored image

and allow you access to the computer. Figure 9.9 shows

eye scans are also used as a biometric capture. Although it has been in use since the 1970s, it is still considered super high tech. It was also used in the 1980s and 1990s in Chicago at the Cook County detention center to track the inmates coming in and out of the facility.

9.4.1.3 Password Chances

There have been many prominent actresses’ photo accounts being hacked by persistent password tries. In  some cases in 2014, top photo sites did not have a counter for bad passwords. Once the password was guessed, the hackers got their hands on the celebrity photos. It is a good idea to have a lockout time if a cer- tain number of invalid password attempts are made.

Password strength—another way to mitigate the risk of someone guessing your password is to make it strong. Make it more than 12 characters; include capital letters, numbers, and special characters, thus creating a night- mare for the program or human to guess. Keep your

FIGURE 9.8 Biometric fingerprint.

passwords private and do not use the same password on every system you login to.

One other important technology is one time passwords

(OTP) [4]. This has been around for a few years as Mark

Diodati wrote about encouraging companies to use OTPs in 2010. Using a secure token that generates random OTP passwords every 30–60 seconds gives you a much more secure environment than the passwords that last for months or years. For a quick quiz on your infrastructure you can take the Are your passwords at risk? quiz at pass-

wordsarerisky.emc.webcontentor.com [5].

9.4.1.4 Data Leaks

Employees can be one of the most common threats to a system. Edward Snowden being able to copy top secret documents from the U.S. government is a great example of a data leak on steroids. The sheer amount of data being copied should have set warning bells ring- ing, as well as the type of data being copied. I am sure the U.S. National Security Agency has new policies in place to prevent these types of data leaks, but most corporations—think of Sony being hacked by North Korea—probably do not.

Vendor viability—be careful who you jump in bed with. Is the vendor able to meet their income require- ments to stay in business? Are they solvent? Search for any court cases against them.