Cloudpocalypse - When the Cloud Eats Your Corporate IP

Tuesday, August 30, 2011

Rafal Los


First off, I didn't coin this term, so I can't take credit for it.  While I have no idea who said it first, it's been floating around on Twitter for a while...

"Cloudpocalypse" has loosely been termed as the point at which Cloud Computing causes a catastrophic failure. 

For the sake of this post, let's assume that this has to do with enterprise computing, Intellectual Property (IP), and the damage created from intense confusion.

For many enterprises and SMBs alike, their intellectual property is what keeps them in business.  The customer lists, the secret formulas, and latest design plans are what propels them over their competition, and allows them to live to fight another quarter. 

The heart of the cloudpocalypse comes from the fact that increasingly, enterprises are losing sight of their intellectual property either through data sprawl, technology sprawl, or simply from the blistering fast pace of business.  No matter what the vector, the threat to your business is real.

Picture this, even in reasonably tightly-controlled environments where technology is centrally managed, ITIL processes are followed, and procedures are at a premium it only take a credit card to stand up a cloud-based computing platform, commonly the Platform-as-a-Service (PaaS) at a service like Amazon's Elastic Compute Cloud (EC2).  Take just a second to think over what that means to the security posture of your business.

While you may have absolute control over your enterprise's technology (or at least you fool yourself enough to believe it) while the data is 'in house', you have to acknowledge that there is no such control today when the critical IP leaves your organization's technical boundaries. Unstructured data and even structured data is at risk of being extracted, packaged up, and moved out of your control at any given time. 

Whether the sales guy emails himself that quarterly report to his GMail account for access from home, your customer service team starts to store their contact and customer data on a service like Dropbox, or one of your project managers has gotten fed up with your well-orchestrated, tightly controlled processes for project release - it's easy to imagine how quickly your critical, can't-live-without-it corporate intellectual property can walk out into the cloud.

There are many legitimate avenues that will lead you to a Cloudpocalypse...

  • SaaS-a-frass- Your organization may very well be legitimately moving some of your data to cloud-based Software-as-a-Service providers like SalesForce or others.  There is absolutely nothing with this type of strategy, since it enables your business to grow faster, not have to buy software and all the other tangible benefits.
  • Cloudpocalyptic end: In this scenario, service levels and not properly vetting your provider is your downfall.  Failing to set expectations around service levels, not carefully reading agreements searching for the word "liability", and other non-technical due-diligence can be your undoing.  Remember that you need to know what your vendor is responsible for, and what they will try and wash their hands of.  Data corruption, service outages, and service degradation - or worse yet - data leakage/breach... make sure you know who's responsible and for how much.
  • Public Cloud Confusion- This scenario is probably most common.  As described earlier someone gets the notion to stop using your own vetted, controlled IT infrastructure and to hastily move to "the cloud".  Misunderstanding the basic principles of multi-tenancy, service availability, service resiliency, and other core functions will lead to disaster and most likely a state where your expectations for a public cloud service clearly don't match up with what your vendor is supplying ...and you probably have no recourse.  Next stop, Cloudpocalypse-ville.
  • Cloudpocalyptic end: This generally ends badly for those that haven't taken the time to understand just what cloud computing actually is.  Yes, there is a data center (or more) somewhere that has your data running on physical hardware that can and likely will fail.  How you prepare for, and handle that failure is what separates Cloud Computing from the stuff in your corporate data closet.
  • Private Disaster - There are plenty of organization that have started building private clouds.  I can name a few, and you probably can as well ... and this isn't a bad thing.  Provisioning and orchestrating a cloud environment is critical to the way that cloud succeeds in delivering IT as a service.  The problem comes when we start to give too many people the power to virtualize and move things around.  While the concepts of self-service hold numerous benefits to the business user, this can also spell disaster on an epic scale.  Drawing from experience I witnessed one organization private cloud itself to death... bringing up and tearing down platforms, infrastructure and applications at blurring speeds.  When things are so abstracted from the physical, it can be relatively easy to lose track of what's really going on, especially when what you're looking at is a dashboard with a bunch of 'service names' rather than physical systems and such.  So you can see how easy it is that when someone brings up an instance of an application to test based on a template, then pushes real data to it for 'testing' and replication of the real environment, how easy it is to get confused and mis-label things.  In a self-service model there aren't IT people to stop you from nuking your own data... months of your own data.
  • Cloudpocalyptic end: The comes for many self-service portals when they fail to stop users from causing destructive actions against themselves.  When spinning up 'IT' is so easy a caveman can do it, they often will... and will later regret decommissioning that giant database-application pair they spent a month working on.  Oops.

There are other scenarios here but what it generally breaks down to is that we haven't rationalized our capabilities, liabilities and uses of cloud computing yet.  Unfortunately, that doesn't stop our co-workers, project managers and business owners from consuming these services faster than IT can realize what's going on.

In the end, you want to avoid a Cloudpocalypse where you've bought into a cloud service, neglected to understand what you're buying into (service level, liability, etc) and then are left crying onto your keyboard as your cloud provider tells you "sorry, we've lost all your data... but you have a backup somewhere, right?"

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Enterprise Security SaaS Managed Services Data Center Cloudpocalypse
Post Rating I Like this!
Lawrence Pingree Love the candid remarks on cloud. Yep, one thing that comes to mind is a recent complete loss of a cloud web hosting provider where the backups were stored on the cloud as VM images rather than on backup tape. Hacker deleted, company dissolved and all customer websites and apps deleted. Oops.
Rafal Los @Lawrence - wasn't that almost exactly (minus the hacker, insert 'oops') to Amazon AWS? :)

"But it's in the cloud, how can it be down, missing, gone?"
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.