Cloud computing security risks: Private and public clouds
Date: Dec 14, 2010
Cloud computing security issues are at the top of every cloud user's mind. Network professionals need to understand the scope of cloud computing security risks, and how threats should be handled.
In this video, senior site editor Rivka Little sits down with Drew Bartkiewicz, CEO of CyberRiskPartners. Bartkiewicz discusses the most prevalent security risks of public and private clouds, such as how, in a public cloud, the security of one tenant becomes dependent on the security of the other tenants sharing the same infrastructure. He also addresses how cloud providers are handling these security issues in a public model versus a private model, and how a provider's threat profile changes with the size of its cloud infrastructure.
About the speaker: Drew Bartkiewicz, CEO of CyberRiskPartners. CRP offers cloud computing providers and data-intensive traditional businesses the visibility, quantification, and risk transfer solutions to manage cyber risk on an ongoing, targeted, and actionable basis. Through the CRP proprietary platform we deliver risk dispersion market options to enable cloud clients to grow with emerging applications such as cloud computing, APIs, SaaS, and social media. CloudRisks is a specialty hedging platform networked with various cyber insurance companies that enables cloud computing companies to deal with the future of financial, technical, and legal aggregation.
Read the full transcript from this video below:
Cloud computing security risks: Private and public clouds
Rivka Little: Hello. This is Rivka Little, Site Editor of SearchNetworking, and I am here today with Drew Bartkiewicz, CEO of Cyber Risk Partners. Hello, Drew.
Drew Bartkiewicz: Morning, Riv, how are you?
Rivka Little: Good. What is the perceived security risk in the public Cloud?
Drew Bartkiewicz: I think the greatest risk is not knowing what the risks are, and I think there are a lot of companies who are moving very quickly into cloud computing. There is enormous economic incentive to do it: it is less expensive, and there is perceived to be greater security on many fronts. While the security may be there, they are not necessarily lowering their risk profile by moving to the Cloud.
Rivka Little: Why is that?
Drew Bartkiewicz: It is not always a security breach that creates risk. We are a company that tracks cyber events, and we have been tracking, since 2005, over 3,000 incidents that were created by technology. What we do is track the financial impact of every event that occurred: whether or not it had litigation, whether or not it had a lawsuit, whether or not it had fines, fees, or penalties, or notification costs. What we found was that, over the last few years, severity was starting to creep into the picture for technology errors: financial severity. If you apply that pattern of financial risk through technology incidents to the movement to the Cloud, Clouds are just much larger aggregations of risk. You have more companies sharing the same infrastructure; they use the term multi-tenant architectures. So you now have this dependency of tenants all in the same infrastructure, which means there is potential for catastrophic risk. The security for your company using the Cloud is now shared with the security of other companies using the Cloud. Cloud computing is somewhat of a new area, not just of a security problem but also of a risk transfer problem.
Rivka Little: How is that risk different when building out a private Cloud?
Drew Bartkiewicz: I think if you manage a private Cloud, it is not terribly different from how you have been managing technology previously: it is within your domain, it is within your network. You are applying virtualization to it; that is the main difference. You still have, any time you are aggregating data into more central locations, a concentration of risk that you are also creating. On the West Coast, aggregation is always put in very positive terms: aggregating servers, aggregating data, lower cost, and more flexibility, on demand. Aggregation here on Wall Street is a four-letter word. Aggregation can translate to severity, and severity is something that I think the technology industry has not quite felt the impact of yet. We hear of threats against Google, a successful attack by China, a company like Blue Cross/Blue Shield that has a major data breach, or Heartland Payment Systems right here in the Northeast. They are good indicators that, as you start to depend more on centralized technology, your risk calculations become very different. I think Cloud computing is so new that, right now, it is really the domain of technologists, but just because you can do something with technology does not mean you always should do it with technology.
Rivka Little: How are public Cloud providers addressing this security risk?
Drew Bartkiewicz: I think they are doing a combination of mitigating the risk through contractual compliance and an enormous dose of hope that nothing happens to them. The first one is a pragmatic track, and most Cloud companies limit their financial or legal responsibilities to the value of the contract. If I pay a Cloud company $50,000 to $100,000 a year and something were to go wrong -- a breach, a network outage, a rogue employee -- then their contract would give me back my $50,000. In every other industry outside of technology, that model cannot sustain itself. If I placed something of great value with, let us say, a bank, and they had a major theft of my assets, and that bank gave me a letter and said, 'Here is your $200 management fee. Sorry we lost $1 million of your assets,' that does not work in other industries, and right now that is the model for Cloud computing. The problem is, again back to the pattern we see, the cost to use technology has been going down over the last six to seven years, but the cost to fail is rapidly going up. Right now there is just an imbalance in the Cloud computing industry, because the cost to use is going down, and that is an enormous benefit. Who is absorbing the cost to fail? By contract, that $50,000 back to my company is nothing if it is a $50 million financial impact to my business.
Rivka Little: Are you less likely to take that sort of risk if you are implementing a private Cloud?
Drew Bartkiewicz: I think a private Cloud gives you a greater emotional sense of control. It is private; we can at least control outcomes. In that case, I would say you have two different risk scenarios. If it is a private Cloud, let us compare that to a small fishing boat. You see everything on the boat, and if there were a torpedo in the water, it is harder to hit that fishing boat. On one hand, you have a smaller threat profile; you are not on the radar as much as a large Cloud company, but you still may not have best-in-class security because you cannot spend as much as maybe an Amazon or Salesforce on security. You have a smaller boat, it is really well protected, but it is not going to have the same level of security, perhaps, as a Cloud. So you might think, 'A Cloud company, then, is a better model for security.' Cloud companies are more like large battleships or large freight ships. They have enormous infrastructures; they have multiple data centers, which means their threat profile, that surface area that a torpedo can hit, is much greater. So they might have really good state-of-the-art controls, but because they are such a large target for attacks, hacks and criminal activity, it is a little bit of a tradeoff. Do you go small with something you can contain, with a lower threat profile, or do you move to the Cloud, which might have better levels of security but is also a bigger target? We are not the only ones anymore on the internet; there are very sophisticated threat patterns against US networks that are showing innovation from Central Europe to Latin America to China. Cloud companies are going to have to not just strengthen their hull for security; they are also going to have to solve this problem of how they bring more participants in to spread the risk. How do they bring insurance into their Cloud model to disperse this risk away from them?
Rivka Little: Technically speaking, if I were looking to invest in a public Cloud provider, what do you need to promise me you have in place to deal with security?
Drew Bartkiewicz: If you are a cloud company, I think there is just a very base level of compliance. You have to show compliance with SAS 70, compliance with HIPAA if you are in the health care sector, and compliance with Gramm-Leach-Bliley in financial services. To me, there are three thresholds of de-risking the Cloud. The first one is compliance, so you are compliant with all the regulations that would apply to me and my company as a user of your Cloud. Two, you invest in security, in terms of talent, technology, and monitoring, in ways that my company could never invest, so you go above and beyond even the regulatory requirements. Today, that is really the biggest differentiation, and Cloud companies then have to win your business based on selling their security to you. I think most of the companies use this term trust: 'You have to trust us.' There is this third component, though, that is absolutely missing. While they are saying, 'You have to trust us,' they are not absorbing your financial risk if something were to happen, if something were to go wrong; this is the third piece that is missing. If I am a company evaluating two Cloud providers, and one cloud provider wows me with compliance and the other provider does the same -- and I think we are in that place right now -- then the Cloud companies both tout how secure they are. They talk about triple-nine availability in their network; they talk about the way they have technologically safeguarded it. I am now left with two cloud companies. What is my remaining criterion to make a decision? They are all telling me they have great security, and I cannot really verify that myself. There is one last component. This Cloud company actually has a rating such that an insurance company is willing to give me $10 million of data privacy insurance in that Cloud, and this Cloud over here has no insurance offering.
If I am going to spend $1 million a year with this Cloud, and for another $100,000 a year I can get a catastrophic level of insurance, while this other cloud company is only competing on security, guess what: this one gives me peace of mind, and this one I have to trust even more because there is no financial umbrella. Cloud Insure, which is a model of our company, is the direction it is heading. You need more industries like insurance to disperse these risks away from aggregation.
Rivka Little: Interesting.
Drew Bartkiewicz: There are two industries right now that absolutely do not talk to each other.
Rivka Little: Interesting.
Drew Bartkiewicz: That is a problem. You have technologists who are moving at extreme speed with Cloud computing. Then you have risk managers, actuaries, and insurance companies that do not understand how to insure that. What we do is translate the risk these companies have into terms that insurance companies can understand, so you can have more participants in this space to make it sustainable.
Rivka Little: Thank you for joining us Drew. I appreciate your time.
Drew Bartkiewicz: Thank you, Rivka, for having me.