Tuesday, November 30, 2010

What WikiLeaks Can Tell Us About the Cloud and IT Risk?

WikiLeaks has just posted 250,000 American diplomatic cables for all to read.

http://www.nytimes.com/2010/11/29/world/29cables.html?_r=1

Imagine trying to do this 20 years ago, you know, before the internet was mainstream? We’d get our 250,000 manila folders. We get our list of major media outlets and fax each page, one at a time and hope the receivers don’t run out of paper and that they have the time to review 250,000 missives. Let’s say each cable was one page long and the fax gobbled it up in 10 seconds. It would someone a month working non-stop to send the lot (or you could run 30 fax machines non-stop for a day)

The internet, and computers in general, have removed the barrier of transporting massive amounts of information and manipulating it. The internet truly is the information superhighway. Unfortunately, in the case of WikiLeaks, some of the goods being transported are contraband.

As an aside, I would link you directly to the 250,000 documents but the Australian government is apparently fining people who link to WikiLeaks

http://www.timeslive.co.za/scitech/article788606.ece/Australian-Government-adds-Wikileaks-to-banned-website-list

(Whirlpool, use a bit.ly link, then they can’t fine you)

The US Government Move to the Cloud?

Imagine if the US Government announced they are moving all of their embassies to BPOS, or as it will soon be known Office 365? (http://office365.microsoft.com/en-US/online-services.aspx) They have the benefit of online Exchange to manage email, online SharePoint for document management, Lync for IM and knowing if a diplomat is available in an instant in times of crisis. Later on they will also have access to Dynamics CRM, when that gets folded in (http://finance.yahoo.com/news/Microsoft-Announces-Office-prnews-2648833826.html?x=0), allowing their daily processes to be managed with ease.

All for a few dollars per month per user, fantastic. Not only that but all of the benefits of the cloud come to the fore. Geo-redundancy of data, guaranteed uptime, no infrastructure to manage, no servers to constantly patch etc.

So What’s Wrong With Cloud Services?

Would the move ‘to the cloud’ be embraced? Despite the potential upside, I doubt it. People would cry outrage over security issues. Geo-redundancy of data? Do we want valuable US data being pinged around the world potentially landing on the servers in a ‘rogue state’?

There is no doubt that whether an organisation goes to a public or private cloud there has to be a level of trust with the people administering the cloud. My thinking is the larger the company managing the cloud, the better.

As an analogy, a friend of mine works for a large Australian agricultural supply company. I was speaking to him about “farmer’s markets” and his thoughts. He was very clear on the subject: “I never buy from farmer’s markets, only major supermarket chains”. When I asked why he explained that farmer’s markets are populated with small operations. With the products my friend supplies there are often strict rules on when the products can be used. For example, in some cases, they cannot be used close to harvest time as this will introduce undesirable residues in the crop.

“I am always on the phone talking to the smaller suppliers explaining the rules, they never read the instructions on the bag” he explained. “At the farmer’s market you never know which farmers are following the rules. The major chains have it written in their contracts that their suppliers will follow the rules. Neither the supermarket chain nor the supplier can afford for a mistake to be made.” he concluded.

This logic is also started to be employed to fight issues such as deforestation and child labour.

http://www.ted.com/talks/jason_clay_how_big_brands_can_save_biodiversity.html

http://www.ted.com/talks/auret_van_heerden_making_global_labor_fair.html

While there are, without doubt, small operations running world-class cloud services, the larger organisations cannot afford a mistake. The reason we know? Because when mistakes are made, the effects are devastating.

http://www.eweek.com/c/a/Security/Salesforcecom-Employee-Hands-Customer-List-to-Phisher/

So What Does WikiLeaks Have to do With the Fear of the Cloud?

In the case of WikiLeaks and, to a lesser extent, the Salesforce gaffe of three years ago, the issue was not some inherent insecurity in the computer systems, whether they are on-premise or in the cloud, but the issue was one factor that is still the hardest to control: people.

Kevin Mitnick, arguably the world’s most famous hacker, considered social engineering (http://en.wikipedia.org/wiki/Social_engineering_(security)) to be his most effective tool. While you can convince people to willingly hand over their password to a stranger, the strength of your systems to resist ‘traditional’ hacking is irrelevant. Similarly if someone with legitimate access is going to hand over sensitive information to a third party, you can have all the security measures in the world and it won’t matter.

What the latest WikiLeaks episode shows us is that even one of the (presumably) most secure computer systems in the world, that of the US government, is susceptible to attack because the enemy is often within, not outside.

Conclusion

There is no doubt that organisations should do a risk assessment when outsourcing any process to a third party, including IT administration, as warned by APRA (http://www.itnews.com.au/News/238817,regulator-warns-australias-finance-industry-on-cloud-risks.aspx). However, the fear of data being compromised simply because it is being housed outside of the firewall is a nonsense. Security is a relative measure, not an absolute one, and an organisation really needs to look inward before pointing the finger outside. If an organisation is following good practices such as regular patching and have a well managed firewall then they are in a position to scrutinise cloud offerings. Even then, it is likely that what they will find is the cloud offering of a major organisation introduces no additional risk compared to their own internal systems.

Finally, the focus of an organisation, in regards to IT security risk, should be in training users to be smart about how they use the technology and be responsible with the data they hold. Whether it’s leaving a next-generation iPhone in a bar, leaving a laptop unsecured or having a weak password, IT departments need to realise their biggest risk is uninformed users, not the cloud.

2 comments:

Tikno said...

Internet technology (email, messenger via mobile phone) has turned off many traditional post office in my town and change the way people send a letter or message.

And now, with the advancement of cloud computing, I'm musings about whether someday my office will be shifted to virtual, and all non-physical workers just work at home.

Tikno said...

btw, security risk is a big reason for the implementation of virtual office.