Switching Cloud Provider

31.03.2011 by Mike Small

In Brussels on March 22nd Neelie Kroes, Vice-President of the European Commission responsible for Digital Agenda European Cloud Computing Strategy, made a speech at the opening of the Microsoft Centre for Cloud Computing and Interoperability. In this she said “…to offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily. It must be as fast and easy as changing one’s internet or mobile phone provider has become in many places…” So what are the difficulties to achieving that goal and how far are we away from it now?

Well – it depends upon what Cloud model you consider and which Cloud service you are using. For an e-mail service – then standards like SMTP and MIME make it very easy to switch or even to use multiple providers at the same time, providing you download your e-mail data. If you hold your e-mails in the Cloud then it is a different story. The same is true if you use any other Cloud service which holds your data for example: file backup, word processing, accounting etc.

So here is the rub – connection standards make it easy to connect to any Cloud service. However moving data between Cloud providers is much more difficult.  For most practical purposes the only way to move data is to download it to your own computer and then upload to the new provider. This may also involve a lot of work to reformat data into a different standard.

In the last week Amazon announced their “Cloud Player”, which allows users to play songs across a number of computers and Android smart phones. Music lovers will be able to upload most of their existing music library – including tracks bought through Apple’s iTunes – to Amazon, as well as buy new songs for digital playback. This service has opened another concern – who owns the music (i.e. data) in the Cloud. Amazon said it has sidestepped legal uncertainties about allowing users to upload music from their computer – some of which may have been downloaded illegally – by the service being the equivalent of any other storage device, such as an external hard drive. This means that if you decide to switch to another service say from Google later – you may need to download and then upload to the new provider!

So – there is a long way to go before it will be possible to switch Cloud provider as quickly and easily as your mobile phone service. The problems include legal issues relating to ownership of data and service agreements that allow users to painlessly transfer their data between Cloud providers when they switch.


Posted in Uncategorized | Comments Off

Identity Management – Process or Technology

20.03.2011 by Mike Small

Identity Management – Process or Technology?

RSA recently announced SEC 8-K filing a security breach, relating its SecureID authentication technology.   This reopens the question of which is the most important factor in identity management – processes or technology?

One line of thinking has been that the major cause of identity theft and data loss is poor process and that strengthening the process is the key approach. Strong processes are indeed required but a strong process can be undermined by a weakness in  technology.

 

Authentication:

The electronic identity of someone depends upon the process for managing that establishing that identity. Even biometrics depends upon the identity of the person being confirmed through a process or paper trail.

However the mechanism for proving the identity (authentication) needs to be chosen according to the risk. Traditionally this risk was fixed by the circumstances under which the identity is used – for example to access email internally. A password is cheap but relatively weak; however stronger forms like smart cards are expensive. The RSA SecureID was a nice compromise.

Wrongly assessing the risk or choosing the wrong technology undermines the process. The recent closure of the European Carbon Trading Market is an example of what happens when this goes wrong. Most operations at Europe’s 30 registries for greenhouse-gas emissions were suspended on Jan. 19 after a Czech trader reviewing his $9 million account found “nothing was there.” The EU estimates permits worth as many as 29 million Euros ($39 million) may be missing. Was this process or technology?

Now that systems are regularly accessed via the internet, for example by mobile employees or adoption of the Cloud, a more resilient technology is needed. An emerging solution to this is “versatile authentication” – where multiple factors like: the location of the request, the time, the value of the transaction, are taken into account. A versatile approach can be quickly reconfigured to take account of a new vulnerability to demand further proof of identity.

Data Leakage

During the 1980 and 1990 the value of sharing information through “Groupware” was very high and the need for security was downgraded.  The normal access mechanism implemented in most environments is called “Discretionary Access Control” or DAC.  In this – if you have legitimate access to some information – you have discretion over what you do with it.  You can copy it, print it e-mail it etc.  This makes it easy for someone who has access to steal or misuse information.  During the 1970 a stronger form of access control was invented called “Mandatory Access Control” or DAC.  In this data is tagged so that only people authorized to access it are able to, and it is not possible for one person to copy the data to give it to another unauthorised person.  This approach has now been reinvented under the name of Data Loss Prevention and Digital Rights Management technology.

Many organizations have poor processes for identifying valuable information and poor technology to prevent that information from leaking.  See the recent example of a former Goldman Sachs programmer who stole key intellectual property. http://www.bloomberg.com/news/2011-03-16/ex-goldman-programmer-aleynikov-s-conviction-is-upheld-by-trial-judge.html

Abuse of Privilege

The infrastructure upon which cloud computing is built needs to be managed and maintained.  To perform these tasks the servers, platforms and applications need powerful administrator accounts.  These accounts are used by the Cloud Service provider to perform essential administration, yet they represent a potential risk because they allow powerful actions which include: bypassing normal access controls to read application data and changing or erasing entries in the system log.  Managing the identity of these administrators is a critical issue for information security in the Cloud.

Distributed systems technology has an inherent weakness – the privileged accounts.  Many organizations do not have process in place to compensate for this.  See the recent example of an administrator who held the City of San Francisco to ransom. http://www.pcworld.com/businesscenter/article/148469/it_admin_locks_up_san_franciscos_network.html

Privilege Management (PxM) technology is an emerging solution to manage this weakness.

Bottom line – strong process always needs to be backed by good technology.  Many of the technologies in use today have significant weaknesses and vendors need to work to remove these.


Posted in Uncategorized | Comments Off
Services
© 2014 Mike Small, KuppingerCole