Buyer beware: Hidden costs of cloud computing

Loss of control and legal protections are of concern

LAS VEGAS — Cloud computing promises cost savings, increased flexibility and improved remote access to resources, but these advantages come at a cost, a researcher warned at the Black Hat Briefings security conference.

Data and application owners can lose control over their resources, the perimeter protecting them, and the access controls that allow their use, said Alex Stamos of iSEC Partners. Owners also can lose important legal protection by turning data over to a third-party host, he added.

Cloud computing is one of the big new things in computing. But the technology, the rules governing it and even the language describing it are not mature, Stamos said.

“The term 'cloud computing' is useless at this point,” he said. It does not mean virtualization or remote back-up. “Most stuff called cloud computing isn’t. It is more of a marketing term now.”

He defined cloud computing as distributed, general-purpose hosts holding applications and distributed data storage, with software tying it together to enable it all to move smoothly and reliably from one system to another.

Stamos predicted a cloud bubble burst as users discover that it does not necessarily provide all of the ease of use and returns being promised.

Although perimeter security is now recognized as inadequate IT protection by itself, its loss is a threat, Stamos said. “Making something a little harder” for hackers “has value.”

Focusing on software as a service, one element of cloud computing, he said most providers do not have the audit logs needed to recover from a serious breach. Access controls can be reclaimed to a degree by using a single sign-on scheme that returns control of policies and enforcement to the user, but this also eliminates some of the advantages of cloud computing.

One area often not considered in cloud computing is the possible exposure to legal liability. Most agreements with service providers relieve the host of any liability, but they also prohibit malicious traffic, which can prevent a data owner from conducting penetration testing of the systems holding the data.

Under current federal policy, there also is little protection for the data owner against law enforcement or regulatory search and seizure. Data can be seized without a warrant and without notice to the owner if it is hosted by a third party, Stamos said.

“You have massively less protection if you are cloud computing than if you own your own machines,” he said.

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Wed, Aug 12, 2009 Charles

Alex Stamos makes some good points to keep in mind but there are also some bad assumptions and some interesting generalizations. (disclaimer, I work for a seller of cloud services, although we don't precisely match his definition). Assumption 1 - Your company's current security and audit logs are better than those of your cloud vendors. I've spoken with a number of customers who very candidly admit experiencing data loss due to their inability to properly manage their environment with the resources they have. Assumption 2 - Cloud vendors prohibit penetration testing. Responsible cloud vendors have outside specialists perform penetration testing on a regular basis. Again this is something that many of my customers admit to not doing themselves. Assumption 3 - Using a cloud vendor puts your data at legal risk of search and seizure. The fact is that responsible cloud vendors provide data encryption and allow you to decide who holds the key. Conclusion - Alex Stamos presents some great points that you should use when evaluating whether or not to use a cloud vendor. Equally important is being honest about the state of your own IT environment.

Tue, Aug 4, 2009 Washington, DC

From today's Washington Technology article regarding Cloud Computing survey: Perhaps more significant for the future of cloud, “90 percent of agencies and organizations that have implemented cloud computing say their implementation has been successful,” the survey said. S
