Supply Chain Management Blog
This blog is dedicated to the Manufacturing and Distribution Industries. It focuses on subjects such as Innovation, Sustainability, Product Development & Engineering, the Supply Chain, Procurement, Supplier Collaboration and a series of new technologies such as Cloud Computing.

Cloud, Security & Compliance, don't put your head in the sand

Regularly I have the opportunity to talk about Cloud Computing with CIOs of large manufacturing customers. When we talk about the public cloud, most CIOs tell me they fear for the security of their information. This actually confirms IDC's survey about risks in the cloud. So, I was quite astonished last week when I heard a CIO dismiss public cloud security issues by pointing out that we did not have them with telcos either.

I thought about that for a while, and I really have to disagree with that statement. First, there have been a number of wiretappings in telecommunications over the decades, but that is not what I am driving at. There is one great difference between the public cloud and telecom services. In telecom, information transits through the network but does not stay there (with the exception of voicemail, I suppose), whereas data resides for periods of time in the public cloud. And it is that data in particular that is vulnerable.

So, I decided to go back to the Top Threats to Cloud Computing report released by the Cloud Security Alliance last March. They recognize 7 key threats. I wanted to check whether any of them had implications for manufacturing enterprises and whether a similar threat was present in telecommunications.

The first one recognized is labeled "Abuse and Nefarious Use of Cloud Computing" and points out how criminals can leverage these new technologies to improve their reach, using the relative anonymity of the cloud in doing so. This is a fact, but it is not directly related to enterprises, so it should not interfere in the debate.

The second one is labeled "Insecure Interfaces and APIs". As soon as an enterprise wants to integrate what it does in the public cloud with its own back-end environments, such APIs need to be used. Today we have no standard interfaces, and although a number of bodies are working on that, many lack robustness in areas such as authentication, access control, encryption and activity monitoring. There is no equivalent in the telecommunication world, in the sense that telcos typically provide carrying services that do not require automated interactions with their systems.

The third one is “Malicious Insiders” and addresses the possibility for insiders of the service provider to gain access to customer information. What makes it even more complex is that many cloud service providers use third parties to provide part of their services. Their “supply chain” is absolutely not transparent, and audits are typically refused. The situation is similar for telcos, and one could consider they have mitigated this risk rather well as there are not that many issues. However, many cloud service providers are start-ups and may not have the rigor of larger enterprises built into their processes yet.

Number four is titled "Shared Technology Issues" and highlights the fact that scale is achieved by sharing infrastructure whose components were not designed to offer strong isolation properties. This is different in the telecommunication space, where the hardware was designed specifically for the purpose of communication. So again, in this area differences outweigh analogies.

The fifth one is related to "Data Loss or Leakage". As data is permanently in the cloud, it can be deleted or altered without notice. Again, this does not apply to telcos.

"Account or Service Hijacking" is not new and not specific to the cloud either. Phishing, fraud and exploitation of software vulnerabilities have been around since the internet became available. Similar fraud can happen with telcos, so yes, looking at how they address such threats is a must.

And the last one is "Unknown Risk Profile". Fundamentally, we don't know what we don't know. The same applies in the telecommunication space, but there we can rely on a track record of many years for most providers. This is not the case with cloud service providers, and the lack of transparency does not help build the warm and fuzzy feeling of comfort.

Companies want to make sure their key information is protected. They are also required to comply with a number of regulations, ranging from privacy to data export rules. Gaining a better understanding of what happens to their data while it is in the cloud is critical to assessing potential risks. Yes, we have gone through similar issues in the telecommunication space, but the transient nature of the information reduced the potential risks. Let's not put our heads in the sand and believe it's just resistance to change or fear of the unknown that pushes us to be cautious about the security and compliance issues related to the public cloud.

Labels: cloud computing
About the Author
Christian is responsible for building services focused on advising clients in their move to cloud, particularly from a business process and ...