The Cloud for SMBs: 7 tips for safer cloud computing

Here are some thoughts on the safe use of cloud computing for smaller businesses, along with a podcast (see the link at end of the post). The Cloud concept, a flexible Virtual Machine (VM) based system that allows rapid expansion and dedicated functionality without hiring new staff, has taken the business world by storm. The reasons are many, from the small business perspective, including things like the ability to outsource specific business processes that may not reside at the core of your expertise, or the ability to just “hit a button” and have a ready-to-go server at your disposal, without the accompanying in-house expert and hassle.

While this new packaging of a technology that’s now almost 10 years old (in its current iteration, others are much older) has made some things much easier for small business, could it undermine the security of you and your business (and your data)? The answer depends on several variables, including your business need.

In this post we cover a few of the things you should check into before trusting your data to the Cloud. We’ve compiled 7 tips, items that should be on your checklist before you make the leap, and a few things to watch out for along the way.

1. Know your Cloud provider

In the deluge of recent-comers to the Cloud market, it’s important to check the credentials of your chosen provider to know what you’re getting, and not getting. For instance, does the firm have a long history of solid security, or is it still a bit of a wildcard? If a firm has a commitment to security and a history of executing security on their more traditional servers, it stands to reason that they’ll merge that commitment with their Cloud-based offerings as well. The old adage that you get what you pay for applies here, and for good reason. It takes work to get security right, and work translates into experts and quality hardware, neither of which are free.

2. Define your business need

Getting by on a friendly recommendation combined with believing the buzz isn’t enough. Make sure you can clearly articulate a good business fit for a Cloud setup. If you want very fast low-latency communication between your office and the Cloud, you may be in for an unpleasant surprise. While storing files might work well for the Cloud, database queries from your in-house staff to the Cloud can seem like adding light years to your business process response times. If you have a critical business intelligence real-time app, it might be worth a second opinion to see whether the Cloud is right for you. At least be prepared to bring some optimization expertise to the table when shifting processing to the cloud. (And consider whether or not you would be better served by a local server dishing up virtual machines.)

3. Encrypt your bits and bytes

Both at rest an in transit, encrypt as much of your Cloud data and traffic as you can get away with. It adds a layer of complexity and a little processing overhead, but not much (after you get it established), and the peace-of-mind will be worth it in the end. Not sure how to do this? Talk to your provider about the best ways, and ask around, you’re likely to find someone with experience to help you, even if you’re a small business on a tight budget. And, of course, test the setup before you go putting the “crown jewels” out there in the ether.

4. Manage your Cloud access

Because putting your data and/or processing in the Cloud means it is one step removed from your physical control, and because Cloud content can often add up to a lot of valuable intellectual property and sensitive information, you need to make sure you control who can access it. Your Cloud provider may promise to look after your data, but that does not relieve you of responsibility for policing the access you authorize. It’s a good idea to limit access to specific individuals that need access, not just leave the connection open for everyone to use. Consider two-factor authentication instead of merely relying on passwords.

5. Backup your Cloud data

Depending on your use case, you may be backing up data to the Cloud, or using it for any number of other processes. But here’s the kicker: have you checked and tried to restore your data from the backups, or is it “out of sight, out of mind?” If you haven’t, sadly, you’re in the majority. I know it seems simple, but occasionally try to get access to a critical file and restore it (locally or across the network) to your machine. Did it work? Many find out after their local hard drive grinds to a screeching halt that their backups also did some time ago. This is usually followed by a series of frantic steps. If you take a few minutes and see that your data is duplicated, whether data you access daily that’s stored in the Cloud, or Cloud-based backups, and you can still retrieve it, you’ll be miles ahead in confidence and know that if something bad really did happen, you’d be protected.

6. Check the fine print for your Cloud

As my colleague, Stephen Cobb, pointed out a few months ago, the terms and conditions of your Cloud agreement should be read very carefully. Consider two sections of the Amazon Cloud Drive Terms of Use, which are not that unusual in the Cloud business:

5.2 Our Right to Access Your Files. You give us the right to access, retain, use and disclose your account information and Your Files: to provide you with technical support and address technical issues; to investigate compliance with the terms of this Agreement, enforce the terms of this Agreement and protect the Service and its users from fraud or security threats; or as we determine is necessary to provide the Service or comply with applicable law.

5.3 Security. We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are. You’re responsible for maintaining appropriate security, protection and backup of Your Files.

Will that work for you? Will that violate promises about privacy that you have made to the folks whose data you plan to place in the Cloud? Can you get your Cloud vendor to change their standard terms-and-conditions to get your business? These are important questions you need to ponder on your path to the Cloud.

7. Remember, viruses can live in Clouds

Recent news that the malware known as Crisis has been infecting VMware virtual machines reminds us that the Cloud does not possess special immunity from malware (ESET antivirus products identify Crisis as OSX/Morcut.A and have been defending against it since last month). We should point out that Crisis affects Type Two hypervisor deployments, not the Type One more typically used in large cloud deployments, but the fact remains that moving to the Cloud does not end the need for antivirus protection; and you still need strong endpoint security on those devices that are permitted access to your Cloud (going without would be a risky strategy that could prove costly).

Cloudy Conclusions?

Of course, in the end it’s a case-by-case decision as to how much and what type of information your business or organization will put in the Cloud. But if you keep in mind these 7 points for securing your slice of the Cloud, we think you’ll have a much more pleasant, and secure, experience. For further thoughts on the subject here’s a recent podcast that I recorded about cloud computing (.mp3). You can also find links to this and many more podcasts on this page.

Cameron Camp
Security Researcher


One thought on “The Cloud for SMBs: 7 tips for safer cloud computing

  1. IMHO, anybody who puts their data, especially sensitive business data, out on ANY server or other computer they themselves do not own and control is just plain crazy.

    You cite sections 5.2 qand 5.3 of Amazon Cloud’s terms of use. Did you check out sections 3.2, 6.2, 6.4, and 6.5?

    “3.2 Usage Restrictions. The Service is offered in the United States. We may restrict access from other locations. There may be limits on the types of content you can store using the Service, such as file types we dont support, and on the number or type of devices you can use to access the Service. If you exceed your Service Plans storage limit, including by downgrading or not renewing your Service Plan, you may no longer be able to access Your Files. We may impose other restrictions on use of the Service.

    “6.2 Amendment. We may amend the Agreement at our sole discretion by posting the revised terms in the Service or on Amazon.com, but any increase in fees will not affect the cost of your Service Plan during its term. Your continued use of the Service or the Software after any amendment evidences your agreement to be bound by it.

    “6.4 Disputes/Binding Arbitration. Any dispute or claim arising from or relating to the Agreement or the Service is subject to the binding arbitration, governing law, disclaimer of warranties and limitation of liability and all other terms in the Amazon.com Conditions of Use at http://amazon.com/conditionsofuse. You agree to those terms by entering into the Agreement or using the Service.

    “6.5 Limitations of Liability. Without limiting the disclaimer of warranties and limitation of liability in the Amazon.com Conditions of Use: (a) in no event will our or our software licensors’ total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) arising out of or related to your use or inability to use the Software exceed the amount of fifty dollars ($50.00); (b) in no event will our total liability to you for all damages arising from your use of the Service or information, materials or products included on or otherwise made available to you through the Service (excluding the Software), exceed the amount you paid for the Service related to your claim for damages; and (c) we have no liability for any loss, damage or misappropriation of Your Files under any circumstances or for any consequences related to changes, restrictions, suspensions or termination of the Service or the Agreement. These limitations will apply to you even if the remedies fail of their essential purpose.”

    If you go read the Conditions of use page, you find this:

    “Any dispute or claim relating in any way to your use of any Amazon Service, or to any products or services sold or distributed by Amazon or through Amazon.com will be resolved by binding arbitration, rather than in court, except that you may assert claims in small claims court if your claims qualify. The Federal Arbitration Act and federal arbitration law apply to this agreement.

    “There is no judge or jury in arbitration, and court review of an arbitration award is limited. However, an arbitrator can award on an individual basis the same damages and relief as a court (including injunctive and declaratory relief or statutory damages), and must follow the terms of these Conditions of Use as a court would.”

    Bottomline? Remember Twitter? It changed its own terms and conditions in such a way as to endow it with the right to sell the tweets of its users and keep the profits. In effect, Twitter were claiming ownership of (and thereby entitlement to copyright rights etc to) their users’ data.

    Then there was the Megaupload shutdown. Any non-criminal who was storing files on that service suddenly had all access to that service discontinued abruptly and without notice, and with no guarantee they would ever get their access (let alone their files) back, much less be compensated for their loss.

    Oh, and do users actually save a copy of these terms and conditions (on their own computers!)–just so they CAN prove what those were back when saved their data if ever a dispute arises as to what term and rights apply, or should apply?

    The bottomline is that users do not have legally enforceable rights. Not ones which cannot be taken away at any time and without notice by the Cloud service owner. In that context, Amazon’s section 6.5(c) is especially significant. That one’s basically saying “we can expropriate your data at any time we feel like it and not pay you a single cent”.

    Is that really the sort of service anyone would care to trust your sensitive or valuable or irreplaceable possessions to?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s