Files In the Cloud

“Cloud Computing”: networked and distributed services

Should you keep your files in the cloud? For example, should you use Google Docs or Microsoft Office Live instead of Microsoft Office? Perhaps some of the apps at Google Apps (such as Manymoon for workgroup productivity)?

| “In the cloud” advantages | “In the cloud” disadvantages |
|---|---|
| Files are available wherever the Internet is available. | Files are left behind wherever Internet cache files exist; that is, cached copies are left on local machines. Relying upon a company’s VPN or a third party file storage provider may lead you to neglect this leakage risk. You can mitigate this risk by clearing the cache; however, the disk space the files used to occupy should also be overwritten. You can also mitigate this risk by using thin clients and resetting them after use. |
| Files don’t need to be copied to local drives. No need to make copies on portable media and risk losing said media. Since you don’t need portable media, you don’t need to secure and encrypt local media. If you do not maintain copies of the files, you don’t need to synchronize updates among copies. | Files are in fact copied to local drives as part of “in the cloud” usage. This is the locally cached files issue, mentioned above. While files do not need to be copied to local media, files can still be copied to local drives. That is, there is still the need to manage, to detect or prevent local file copies. |
| You should review audit logs. | How can access be audited? |
| You should design role-based access rules. | How can role-based access be implemented? Follow Google OAuth & Federated Login Research. If you have an Active Directory architecture, you can leverage it with Microsoft Business Productivity Online. If you can’t implement role-based access, how scalable is this solution? |
| Backup is part of the service. | Where is the backup kept? What measures control access to the backup? Can the usefulness of this backup feature be tested? |
| | How do you review files stored on the cloud for possible information disclosure? For example, if you need to confirm that personally identifiable information (PII) or protected health information (PHI) does not appear in any stored documents, how would you do it? What tool could search multiple information stores? |
| | What happens on the Internet stays on the Internet. Forever. An information leakage through an unexpected vulnerability is an information exposure that is not undone. Containment is not practical. What is your incident response procedure? |
| Cloud services are economical. A single, large provider can provide security services (access control, backup, log review) with little incremental cost. | |
| | The Internet was not designed to be secure. Information in transit is subject to implementation constraints. Cloud services do not accommodate user-specified additional security layers; for example, you cannot implement a web application firewall. |
| | There are additional changes which occur when subscribing to Software as a Service (SaaS). Are you sharing this remotely hosted software with other organizations? That is, is this a multi-tenant implementation? Was the software designed with multiple tenants in mind? If not, then what measures have been taken to prevent tenants from interfering with each other? This interference could be unauthorized access to files, or it could be excessive resource consumption. How are you assured that actions of other tenants do not interfere with your use of services? |
| | Was the software designed with multiple tenants in mind? If not, then what software features will not be supported? A software package’s organization-wide settings will now be the settings used by multiple organizations. Configuration preferences are not supported. |
| | Is the remotely hosted software designed to support the number of users of the service? A multi-tenant implementation can easily exceed developer assumptions regarding organization size; timing issues can arise. Can the software remain stable with an unexpectedly large number of users? |
| | What personnel controls are in place? What capabilities are given to support staff, what information can they access, what damage can they cause? |
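
One way to approach the question above about confirming that PII does not appear in documents held in several stores, as an added example that is not part of the original post. It assumes each store's documents have already been exported as plain text; the store and file names are hypothetical, the sample contents are constructed test values, and only payment card numbers and US Social Security numbers are matched.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number in the common 3-2-4 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value):
    # Keep only the last four characters so the report is not itself a leak.
    return "*" * (len(value) - 4) + value[-4:]

def find_pii(text):
    """Return (kind, masked value) for each card number or SSN found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group())))
    return hits

def scan_stores(stores):
    """stores: {store: {document: text}} -> [(store, document, kind, masked)]."""
    report = []
    for store, docs in stores.items():
        for name, text in docs.items():
            for kind, masked in find_pii(text):
                report.append((store, name, kind, masked))
    return report

# Constructed sample data standing in for text exported from two stores.
SAMPLE = {
    "cloud-docs": {"invoice.txt": "Paid with 4111 1111 1111 1111 on 2011-03-04.",
                   "notes.txt": "Ticket 1234 5678 9012 3456 is not a card."},
    "file-share": {"hr.txt": "Employee SSN: 078-05-1120"},
}

if __name__ == "__main__":
    for row in scan_stores(SAMPLE):
        print(row)
```

The Luhn check is what keeps the 16-digit ticket number in `notes.txt` out of the report; pattern matching of this kind will still miss PII that has no fixed format, such as names or diagnoses.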

Products to follow:

  • Panda Cloud Internet Protection
  • Windows Intune, from Microsoft
  • Keynote for independent monitoring of service availability
  • CloudLock for discovering PCI data on Google Drive
