Lately everything related to computers and Internet that does not use the word cloud seems to not as important or is not something new or innovative, technologically speaking clearly. The cloud is no longer a trend and is now a reality after the support of such well-known brands like Google, Amazon or Microsoft and other more recent as Salesforce and some other. Apart from the different advantages having to have our systems in the cloud and the various changes in the approach to corporate security policies that this entails, there are certain important aspects that are not normally taken into account; some of them are:
– SLAs (Service Level Agreement): service levels that are reflected in the different contracts agreements refer to the availability of the virtual machine. 99.9% availability figures are easily attainable by environments in the cloud, but no one takes into account the issue of the bandwidth and connectivity, that do not appear in any section or clause, and are, logically, important. Equipment will be available, but if there is no connectivity or cannot be accessed, little will that 99.9% guaranteed.
– DoS (Denial of Service): all systems in the cloud offer protection of denial of service (DDoS) attacks and the attack itself is not the main problem. Normally, when hiring a system in the cloud, it is charged by the resources available, number of transactions supported, wide band, etc. In an attack type of denial-of-service consumes more bandwidth, more resources, more memory, more CPU, etc are consumed and that an increase in the amount to pay for the service that, initially, is not usually weighed.
– Deleted data either accidentally or intentionally: in the cloud, storage tends to be dynamically so if, for example, we have assigned a new album and move or copy some of our information, the old virtual disk is reassigned and categorized as “available” within the storage and is then reassigned to anyone who demands new space. In this way, is enormously complicated to recover a deleted file or, even, the power to make a forensic analysis if necessary.
– Management Level Complications: if it is already difficult to manage from the point of view of systems and infrastructure a farm of servers and corporate teams, with cloud services incorporates a new layer which hinders its proper administration. A new panel of management for the system in the cloud. Not to mention the innate risk since a system of global management to a service in the cloud becomes a goal direct from potential attackers.
– Problems with other Users: systems anti-SPAM and, in general, in the latest security solutions (IPS, WAF, etc.) there are filtering and protection mechanisms based on reputation to detect possible malicious behaviors on the Internet and classify certain IP addresses or directly, according to their shares network segments what if it is being shared infrastructure in the cloud with a generator of SPAM or malware? Corporate mail systems might be affected by these mechanisms of reputation and appear on any blacklists or blacklist with the prejudice that entails.
– Hardening: any cloud service offering are virtual machines provisioned with a standard operating system. If at any time you want to change the operation and configuration of these systems – securizandolos, for example, resent the SLAs and, in short, all those contract clauses related to the availability of the machine, avoiding any liability by the provider of the service in the cloud (e.g. Amazon, Google, etc.)
– Legal risk: systems in the cloud – and forgive the repetition – they are in the cloud and that hinders enormously to place them in a specific geographical area. Legislation is not the same in each country and can occur in cases where the company is located, for example, in United States, and the datacenter of the Cloud service is situated in Europe, and is arises when a series of doubts: is it necessary to encrypt the information? Is it legally necessary to place an IPS and capture certain network traffic? The medical data of my clients, may exit the country? etc. Likewise, laws should be applied before a potential legal problem? those of the country of origin of the service where it is contracted? those of the country where you live physically datacenter? those of the country where it is registered to the company as such? Or, looking at issues of data protection, during much time is needed to retain and store the information of my users or my customers?
– Licensing: If, for example, my mail server is mounted on a system cloud offering protection and mechanisms for “disaster recovery” is that each copy of Microsoft Exchange has a separate license necessary? Do the Oracle, MS SQL Server and, in general, all those systems that allow sharing functionality, data bases, etc.?
– Security Audits: at the end the entire infrastructure where our systems are installed and our applications are property of Salesforce, Microsoft provider that gives us service in the cloud. Periodically, it is necessary to review the level of security of the entire platform to check if there are configuration errors or if the application has adapted to this infrastructure properly, or if the information and corporate data are secure and safe from prying. In the cloud, it is not always possible to be able to audit happily because resources, bandwidth, etc are shared and are not owned by the customer.