Why Ownership Questions Reveal Governance Gaps Sarah was preparing documentation for an upcoming compliance review…
Why Do Clouds Crash and What Can You Do?
There are five types of clouds: Cumulus, Cirrus, Stratus, and Nimbus. Oh, and that computer thing. You know “THE Cloud”. Or, as it is often referred to, the Clowd – a combination of the words Clown and Cloud. See what they did there?
What Exactly Is “The Cloud”?
Essentially, a ‘Cloud’ is a system for providing on-demand, scalable computer systems (servers) and data storage, but does not require ongoing customer administration. What makes them different from a traditional web host, is that you can instantly scale (increase or decrease) your usage or volume as your business increases or slows down, and your cost goes up or down relatively. Most cloud providers also offer other ancillary products and services, but what it amounts to is renting computer space on someone else’s network. They do most of the maintenance and the behind-the-scenes hard work, and you do whatever it is you do. Usually, costs are based on the length of time spent using their systems, or on the amount of data you store with them, or on the traffic that flows through their networks, or some combination of all of those.
Another thing to consider is that on one hand, it is a product – hardware – solution, but it’s really a Services – software – offering. It’s like a hotel: You bring your things to their place, you agree to pay for a set of services, and they keep the rooms clean, the water running, and the lights on.
And, just like hotels, there are some premier brands and some low-cost providers. The great thing is that the cost of computing power, hard disk storage, memory, and other things like virtualization technology has evolved and significantly dropped in price. However, you usually get what you pay for.
There are private clouds – just for you or your company, or maybe also, your suppliers and customers. It is a closed environment and only selected users are allowed in.
There is the Public Cloud – where everyone can go visit, like an e-commerce store. You want as many possible customers as possible, so you want any user to be able to get to your cloud. They don’t get access to the back end, but they can buy widgets from your store.
There are also other types of Clouds, hybrid, community, big data, but if you go and Google ‘cloud types’, that’s not really the point here.
What Is the Point?
Well, really, there are four (4) points:
1. What is this cloud thing and how does it work? (already covered that)
2. If it is a network of computers, why would it go down?
3. Why do I hear so much about the Cloud leaking or revealing information?
4. What should I do to secure my cloud?
Why Does the Cloud Crash?
There will always be some hardware failures in the cloud or any computer system. Hard disks wear out, parts get old and brittle, wires fray, programming errors surface, it’s just the way it is. Most Cloud companies keep copies of your data in different locations for exactly this reason. Site 1 may go down, but not sites 2 or 3. Properly setting up and configuring your cloud is essential to have a successful program.
Other than time and poor configuration, why would a Cloud go down, you might ask? Well, that’s a good question. As we mentioned, there are many other products and services that Cloud companies offer, which is good because there are services you’ll want or need to integrate into your technology stack without a lot of hassle, but it is bad because every new introduction creates the possibility for conflict or failure.
Think about this: Currently, Amazon Web Services offers over twenty-six (26) different products/services categories on the various AWS Clouds. Within those categories, there are over 150 different individual products. What this means to you is that there are over 150 different systems (not to mention hypervisors (running virtual machines), physical hardware, etc.) and all need to play perfectly with each other every second of the day. It can (and is) certainly possible, but if you think that there are never mishaps or problems, you’re mistaken.
Of course, you also get people that don’t know what they’re doing, you get malicious criminals and pranksters trying to mess with systems, and it’s actually very impressive that they haven’t had a worse reputation. We are unaware of any cloud provider that has not suffered at least ONE significant downtime period.
Recently, for example, Microsoft’s Azure platform had an ‘issue’ with their DNS systems on and off again for about a week, culminating in massive outages for many users. This was not the first time for Azure, as about two weeks ago there was a similar problem and outage, but this was attributed more towards key rotation with their Active Directory identity access management solution (IAM), preventing people from logging into their accounts. We could go on and beat on Azure, but that’s not really the point. The point is that many interconnected systems have an exponential probability of failure.
Why Does the Cloud Leak (And Not Rain)?
There are several reasons why it seems like there’s another ‘leak’ in the news every day. But really, the biggest reason is simple: hubris. If you don’t know how the cloud works, or how each service is intended to work, AND you do not know how to secure the cloud…. you WILL do it wrong. It’s impossible to know everything about everything.
The cloud has what has been called a ‘shared responsibility security model’. Essentially the cloud provides what is necessary to maintain the systems IN the cloud, and companies provide whatever is necessary to secure their systems ON the cloud. At times it seems that some responsibilities cross over, but these need to be clearly defined and understood.
There’s a reason that certifications for understanding the basics of Cloud Computing on each platform exist (AWS Cloud Computing Professional Certification, Microsoft Certified Fundamentals programs, Google’s Associate Certification, etc.). Most of the incidents we read about were due to incorrectly or improperly configured security settings. It’s not that the team was not sophisticated, but ongoing issues, such as those encountered by Azure, suggest that they didn’t know exactly what needed to be done on the platform.
Moving data to the cloud exposes it to several vulnerabilities – most, but not all, of which can be mitigated. This is a prime time for social engineers and criminals to gain access and either steal data or get malware in the system before it is completely secured. Developers also tend to create a test environment (which is good practice) but do not delete it when they are done (which is bad) or leave real credentials in the unsecured development environment.
HOW TO SECURE YOUR CLOUDS
The biggest misconception about the cloud is that a virtual machine in the office is the same as the cloud. Because it is, and it’s not. Sure, there are similarities, but there are key differences. We could spend a lot of time addressing this, but we’re just talking about keeping you and your data safe today.
It seems to go back to the developers’ confidence, knowledge, experience, and, yes, arrogance in providing cloud solutions. Admitting that you do not know something does not make you dumb, or less respected. It makes you look like you are smart enough to know what you do not know, and not put the business at risk. That may be the key to why one cloud platform is more resilient than another.
So, with this in mind:
#1 Know what you don’t know. What you don’t know, get help for. Keep consultants in business.
#2 Have a PLAN if/when you move to the cloud and be sure that includes cleaning up any loose ends. Then have someone come and check your work. Wouldn’t you rather spend a few hundred dollars (ok, maybe more) than the alternative?
#3 Ask your provider for help or recommendations for qualified people to assist.
#4 It won’t hurt to have some of your team get certified in the platform of your choice.
#5 Learn what security offerings the provider has for you to utilize – and utilize them! Whether it’s a monitor (SIEM) or an audit tool, use it!
Enjoy the Clowd and all the benefits it brings – scalability, availability, lower costs, fewer capital expenditures, and hopefully a superior performing application.
About RegDOX Solutions Inc.
RegDOX Solution’s first-to-market ITAR and NIST SP 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.
Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments