5 Things that Should Never Go Into the Cloud (2)

Identity Management Systems

Your identity management systems enable you to confirm that when a person claims to be a someone, he/she is actually that person. If you’re using Active Directory, then the Active Directory database is part of your identify management system. You might also be using smart cards, biometrics, or one-time passwords as well, as part of a multi-factor authentication system. And you are most likely hosting your identify management systems in-house.

Your identity management system, although not as sexy or cool as some technologies, is the life’s blood of your organization’s security. If the integrity of your identify management system is compromised, everything in your organization is “up for grabs”- and I do mean everything. The entity that compromises your identity management system will be able to claim the identity of anyone in your organization and carry on a wide range of activities under the guise of the person whose identity has been compromised. If that person happens to have administrative privileges, you’re in deep trouble. From the point in time when the identity management system is compromised to the time when incident response is completed, all user activities during that interim must be considered suspect and any information that was touched, as well as any activities carried out on the corporate systems, must be considered to be invalid until an audit is completed.

Are there identity management systems in the cloud now? Sure. Facebook, Windows Live, Google, and Yahoo are just a few, and there are many other smaller players. The big question is: Do you trust these entities and the security of their identity management systems? How many times have you heard about some compromise of each of these providers’ identity management systems that ended up with user names and passwords of accounts being compromised? Given the critical nature of identity management to all of your business processes, you should be very wary of trusting identity management to the cloud.

Core Intellectual Property

When you consider storing critical data in the cloud, there are a number of questions you need to ask:

• How does the cloud provider secure your data?
• Do they use NTFS?
• Do they use EFS?
• Do they use some other method of encrypting information while it’s on the disk?
• What about information existing in memory on the servers? Is there a way to compromise the data while in memory?
• If a machine crashes, does it dump memory contents to disk which can be retrieved by an attacker?
• How do they protect the information when it’s in transit between your clients and their servers? Are they using SSL? TLS? IPsec? Some other encryption protocol? Can an attacker located between you and where your core intellectual property is stored intercept that information “on the wire” and replay the sessions and gain knowledge of the contents of the communication?
• Is the data itself secured? What if an authorized user gains access to core intellectual property and then decides that he wants to derail the company by sending that data to a competitor? Does the cloud provider enable rights management for all information stored in the cloud?

Unlike your intranet, where you are using IPsec, TLS, NTLS, EFS, BitLocker, and Rights Management Services, you may not know whether all of these security features are available when information is hosted by a cloud provider. There are too many vectors of attack for any data stored in the cloud, which makes it a less than ideal place to store any core intellectual property.  After all, compromise of core intellectual property can put you out of business.

Customers’ Personally Identifiable Information

Many of the regulations you may have to deal with, depending on your industry, relate to protection of personally identifying information (PII) of your partners and your customers. There can be some significant negative consequences in the event that someone gets hold of your customers’ private information. This data could be something as simple as the customer’s name, or something as dangerous as compromise of a customer’s social security number or credit card numbers.

This can be challenging. For example, let’s say you provide products or services that can be purchased online. It’s clear that, by the very nature of online sales, customers are going to have to interact with a cloud service to participate in the transaction. In this context, the important distinction is whether it’s your own cloud or someone else’s cloud that is storing this information.

If it’s your cloud, then you have tight command and control over what PII is obtained, what PII is stored, and the lifetime of the PII that is stored in an Internet accessible location. If it’s a cloud provider, you have to ask yourself what they’re doing to secure your customers’ and partners’ PII. Do they have a published policy? If there is a compromise, is there any kind of indemnification? What if you are fined or sued because of mishandling of PII? Does the cloud provider pay the fine, or are you left on the hook for the whole thing? What about damage to your firm’s brand equity? Is there anything the cloud provider can do about that? And does it really help for you to blame your cloud provider?

This is why I believe PII should remain in-house. When something goes wrong, it doesn’t matter whose “fault” it is; all the fingers are going to be pointed at you, so you should make sure that you do everything you can to ensure that PII is protected. When you have the control, you can do everything possible to keep PII safe; if you give it over to the cloud provider, you are limited in what you can do to protect PII.