Executive SummaryCloud computing is the new buzz word on the internet and seen as the key to the future of IT services. Because it is still an emerging trend, its definition is still a bit hazy, however the cloud is simply a virtual data center shared by several organizations. Cloud applications involve multiple customers sharing application, even though they only have access to their own data.
No doubt, there are several business intelligence advantages derivable from operating in the cloud that allows for powerful combination of high-assurance remote serve integrity and cryptographic protocols that are consistent with policies, whether within the enterprise or in the cloud. To the most part, they mostly lend themselves to small and medium scale corporations who want to save money and infrastructure. Yet these advantages do not at this point in the maturity matrix of cloud sourcing, out-weight the inherent dangers of adopting such an emerging trend for public regulatory institutions such as Central Banks.
These inherent dangers underscore the well documented fear of being at the “Bleeding Edge” of technology. Complications experienced by early adopters of emerging trends in IT are well documented. Cloud computing has unique attributes that are fraught with security risks, smart customers should err on the side of caution and reappraise their dream of being on the Cloud.
This paper explains in simple terms, the idea of the Cloud sourcing, the advantages accruable to implementing it, against the backdrop of recent developments and Federal Governments desire to adopt a portal service hosted on the cloud. It also details the pit falls and explains why other public and government institutions have shied away from doing the same.
Cloud computing has unique attributes that require risk assessment in areas such as data integrity, At the forefront of this challenges is that of the security of sensitive data and information stored in countries where we have no legal jurisdiction on how these data is used or managed.
There is no better cautionary statement to set the tone like
“I am nervous to host corporate information on someone else’s server? Yes, even if its Google” – Shukry Tiab. There are several reasons experts’ advice caution in moving to “cloudosphere”. Some identified risks include;
- Loss of service if your provider has downtime or goes out of business.
- Regulatory problems when critical data is stored internationally.
- Security concerns when users lose control of how their data is protected.
- One-sided service agreements that give clients little redress in the event of a calamity, acquisitions, etc.
- Lock-in dependency on proprietary cloud applications.
Early on in the evolution of any new technology, there are concern about how it will be used. These concerns are what is termed “Privacy Hump” – they represent a barrier to the acceptance and adoption of a potentially intrusive technology… if the business case for the technology is strong, the hump may fade over time – that time has not come yet for Cloud sourcing and the Government Institutions.
PreambleIn furtherance of its mandate to provide support to the Board of an apex regulator through the monitoring of the decisions of the Board and assurance of the highest level of oversight for internal and public complaints and managing, (from creation to archival), all their documents. The Department that manages the Board recently launched a portal service for the Board.
This portal designed by messers Digital Board Book Limited is accessible via the internet to all members and accords them the ease of collaborating with other members regardless of where they are in the world.
While these may be laudable objectives, we are of the opinion the regulator may have inadvertently by coerced into approving the deployment of sensitive Board decisions to the Cloud. The paper tries to draw the attention of the regulator to the huge risk associated with the cloud and government sensitive information. More especially as the President of the federation has recently directed that a similar portal be developed for the Federal Executive Council (FEC) for the Government.
IntroductionWhat is the Cloud?
Ostensibly, most people think the cloud is the same as the internet. The name cloud is inspired by the cloud symbol often used to represent the internet in diagrams and workflow, but that is where the similarity ends… it is more complicated than that.
The definition of the cloud is still hazy, but the Guardian defined it as “a means of putting more of your materials out ‘there’ and the less on you PC or Server” while the US National Institute of Standards and Technology defined it as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”.
These services are broadly divided into three categories;
- Infrastructure-As-a-Service (IaaS),
- Platform-as-a-Service (PaaS), and
- Software-as-a-Service (SaaS)
Early on in the life of any technology, there are concern about how these technologies will be used. These concerns are what is termed “Privacy Hump” – they represent a barrier to the acceptance and adoption of a potentially intrusive technology… if the business case for the technology is strong, the hump may fade over time – that time has not come yet for Cloud sourcing and the Government Institutions.
Who is the Cloud meant for?It is perhaps too easy to start using a cloud service – that’s exactly how it is designed to be. It is easier to setup a Yahoo, Gmail, or American Online account than installing and running an exchange server. However, while the later is more expensive to maintain, it can be easily controlled to protect sensitive data for an enterprise. – Cloud sourcing easily lends itself to small, medium companies who do not wish to incur, waste or underutilize resources, be it monetary or otherwise.
Presently cloud computing is been embraced by private businesses as a means of saving cost on computer hardware. Cost saving has been identified as the single most important factor for cloud computing services. Most public institutions are slow in embracing the technology as there has to be a strong case of cost savings aligned to security of sensitive data.
What is preventing its early adoption?Security of sensitive data remains the major concern for public institutions the world over. One myth that cloud computing is sold on is that though it is a shared service, it can be implementation independent. But in reality, due to the “Openness of the Internet” and its inscribed transparency, industry regulatory compliance is another kettle of fish. The following section summarizes the challenges of adopting Cloud sourcing.
Current ConcernsThe question is, can multi-tenant services ever be as secure as your own server? Concerns are beginning to grow about just how safe an environment the cloud is for holding sensitive data and information. Analysts warn that the cloud is becoming particularly attractive to cyber crooks. Reformed hacker, Michael Calce agrees that trouble looms ahead if companies fail to apply the right security measures.
Standards & RegulationsThere are No Regulations and Standards when using or implementing cloud computing due to lack of long-term experience. This exposes other unique challenges such as follows:-
Privileged User Access.Sensitive data that is processed outside the enterprise brings with it an inherent risk that it may fall into the “wrong Hands”. The most prominent issue in cloud services is security of user data as the user has no control over its business data files containing valuable information. This is because a proper security model for cloud computing has not yet been developed.
Contractual ObligationsManaging problems with another companies infrastructure is not practical due to a mis-alignment of interests. I cite Amazons “Non-Assertion” terms of reference. Other contractual gaps are:-
- Dependency:
Cloud services make the user totally dependent on the Cloud Service Provider. The user is denied control on quality and maintenance issues and plays no role in back up and disaster recovery activities. They level of dependency is so high that the user existence is tied to the financial health of the cloud service provider. If the CSP goes under, the user’s business goes with it. This lack of control means that if a user decides to terminate his contract with the service provider, there is no way the user will ensure the provider does not retain his data in his database.
- Data/Information Location
Another security issue is that physical location of hardware and software is unknown making site inspections and audits difficult.
- Cost and Flexibility:
There is presently no customization of product as the whole essence is for many businesses to store data within the same environment. There is also the likelihood of hidden cost such as compliancy regulations, backup, restore, disaster recovery and problem solving costs been introduced by the CSP.
- Legislation:
Users of cloud services don't know where their information is held which raises the question of loyalty by the Cloud Service Provider. The danger this poses can be highlighted by considering the America laws such as the US Patriot Act which empowers government and other agencies to access information including that belonging to companies as long as this information is held by companies operating within the United States. A subpoena or legal action can compel a cloud provider to give up sensitive information/data. This is further exuberated by the widespread use of freedom of information acts in the west.
It also entails that critical information could be moved across boundaries without the knowledge of the user. Legal implications of data and applications being held by a third party are complex and not clearly understood. Potential risk of giving up sensitive data due to transparency.
Contractual commitments to obey local privacy requirements across international jurisdiction is a burning issue for providers of sensitive information.
- Long-term Viability:
Moose law suggests the fast pace of technological development, with cloud in its infancy, and there are little known information about the requirements and conditions for implementing and managing service level agreements contracts with CSPs. This hands the advantage to CSPs and exposes the user in case of disagreements in SLA. chances are that CSP will increase, small providers maybe bought over by new ones, leaving clients with few options.
- Provider Espionage:
Espionage may not seem like a threat to a public regulatory institution, But it is however expedient that confidentiality and availability of the data and information be assured at all times.
Data in the cloud is typically in a shared environment with other customers. Enforcing encryption across such a complex terrain is impractical considering that other customer may want avoid it due to its disruptive nature.
Auditability of a distributed and dynamic application spread all over the globe is not practical and may not satisfy auditors that data is properly isolated and cannot be viewed by the wrong persons. One popular audit guideline is tha SAS 70 – it defines guidelines for the assess internal controls over processing of sensitive information. Other guidelines like the SOX and HIPAA. US government agencies are mandated to follow these guidelines.
There have been well publicized accounts of cloud outages, down time of critical applications and services. When compared to traditional forms of investigative support, forensics in the cloud face huge difficulties if even possible. The scale of the cloud and the rate at which data is overwritten is of concern due to the logging and data for multiple customers often co-located and spread across an ever changing set of host and data centers.
Suggestions on The way forward:
The Board Book Portal Project has come a long way, a compelling business need that justifies its creation are well noted, however it is clear that the proper project initialization processes have not been followed leading to the unwitty decision to host on a public cloud. It is therefore expedient that a more detailed look is taken at the portal to ensure that sensitive board decisions are protected. This is even more crucial as the Presidency has muted its desire to adopt the same portal service for the Federal Executive Council of Nigeria.
We therefore recommend as follows: The legal and IT departments of the regulator conduct a due diligent exercises; Read and fully understand the legislation, reasonability and terms of both providers and users in case of loss of sensitive data.
Create Internal/Private Clouds or utilities:
The quest to use the Cloud is on for several public institutions, Most countries opt for a private cloud with more consistent and controlled governance to mitigate the identified risk enumerated above.
The UK government is setting up its own cloud to make savings of up to £3.2bn – a 20% reduction in costs. The UK government is working to build its own secured cloud called GCloud while the US government is working to build its own cloud called GovCloud. Both governments are avoiding the commercial environments primarily because of security concerns. Both governments have also identified savings of over $3b in computer hardware and software purchases over the next few years.
According to the analyst Gartner – the first step before committing to cloud source is to Seek security assessment from a neutral third party to assess the security risks associated with the present CSP. An external IT audit may signal how secure these cloud providers facilities are, and will no doubt suggest how trivial information should be published on the portal.
Proper project initiation processes be followed for all strategic projects such as this. This will ensure that all stakeholders are carried along and properly enrolled, as it has a significant impact on the quality of the project execution.
Government should determine security and privacy requirements, develop standards, gather data, and benchmark costs and performance against risks and trust.
Conclusion:
Cloud computing technologies have not reached maturity. Users are at the mercy of their cloud service providers for the availability and integrity of their data. Presently cloud computing is been used mostly by private firms, while public sector explores creating private Cloudscapes to protect sensitive government information.
In order for government institutions to embrace cloud technology, there is need to determine the business needs and benefits of cloud services and its fit with our policies, processes and legislation.
Thank You.