About Secure Cloud Computing
The cloud is a nickname for the Internet, an extensive network of servers, storage devices and other equipment used for communications, computing and collaboration. The reference originated from the cloud symbol used in flow charts and diagrams to symbolize the Internet.
Cloud computing refers to using the Internet as a network to power computing needs, e.g. data storage, software and servers. The term is generally used to describe ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The National Institute of Standards and Technology (NIST) describes these five essential characteristics of cloud computing:
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
To simplify, cloud computing offers access to a variety of services and resources that would otherwise have to be provisioned individually. It delivers those services on demand, when you need them and for as long as you need them.
To make things simple, cloud computing is delivered in two ways:
Software as a Service (SaaS). In this case, you license and use software from an Internet provider. Salesforce, for example, is a contact management program delivered as a service. You can configure some aspects of the software but have no control over the servers and other equipment used to deliver the software. The SaaS provider is typically responsible for all aspects of security other than login credentials.
Platform as a Service (PaaS). In this case, you license computing and storage resources that can be used in a fashion to suit your needs. You start by loading your own software and data onto the system. Most cloud providers also offer a variety of software services that can be used in conjunction with your software.
In essence you use the compute power and storage from the cloud provider as if they were your own. The cloud provider manages physical security and provides certain features such as encryption on its storage devices. Otherwise, you are responsible for the security of your system.
NIST makes a distinction between Platform as a Service and what it calls Infrastructure as a Service. For our purposes, both are essentially the same. Consumers license compute and storage capacity and use it to meet their needs.
These two approaches are often used together to deliver computing services. The user licenses a SaaS application from a software publisher or services company. In turn, the company uses PaaS from a cloud provider to deliver that software.
People talk about both public and private clouds. Here is a description of each (taken from NIST):
Private Cloud refers to the use of a colocation (data center) facility to house your computers, storage and networking equipment. A colocation facility offers locked cabinets or cages to hold hardware, along with power, physical security, cooling, fire suppression and Internet connectivity. People often use colocation providers in lieu of building their own data center or keeping servers at the office.
Public Cloud refers to providers like Amazon Web Services that provide storage and computing power that you can use in lieu of purchasing your own hardware and placing it in a colocation facility. Cloud providers typically have massive interconnected facilities located around the world. They offer storage, software applications, servers and computing power in a variety of configurations. Users access these services on demand, consuming as little or as much as needed. When the work is done, they can typically shut off the services (and the charges).
Some are moving to a Hybrid Cloud approach. This simply refers to a strategy of combining private and public cloud capabilities. A company might, for example, run a private cloud system but use the public cloud for overflow needs.
Leading cloud providers provide facilities with virtually unlimited compute and storage capacity. Users can use the computing power and storage they need for as long as they need it.
The largest, AWS, maintains 69 data center zones in 23 geographic regions around the world with announced plans for three more regions in Cape Town, Jakarta and Milan. These centers, networked together, hold millions of servers with virtually unlimited processing and storage capacity. Google reportedly has close to a million servers in its cloud centers. Reports on Microsoft place the server count at three million.
The point here is that the public cloud provides massive amounts of compute and storage capacity that can be used by any organization with a credit card.
Hundreds of thousands of organizations use the public cloud for a wide variety of services. Netflix, for example, uses the Amazon cloud to store and stream its movies. Spotify uses the Google cloud. Office 365 is hosted in Azure. Google applications like Gmail and YouTube also run on the Google cloud.
Here are some of the other organizations using the cloud:
According to Gartner, almost half of government organizations use public and private cloud services. Amazon, for example, is certified as compliant with the demanding FedRAMP security certification, which is required for organizations like the Justice Department to store data in the cloud.
In the early days, many organizations and, in particular, law firms were concerned about whether Internet computing was secure and even whether messages transmitted over the Internet would waive attorney/client privilege because they were not secure. These discussions reminded some of a similar debate when telephones and then cell phones first went into use. Quickly enough, people realized that the Internet, properly used, could be secure and most ethics tribunals concluded there was a reasonable expectation of privacy by Internet mail users.
When law firms and other organizations moved servers to colocation providers, a similar question arose. Does placing data in a server housed by a third party waive the privilege? That answer came soon enough. So long as one takes reasonable steps to secure data stored by a third party, there is no waiver of privilege. Today, most legal departments and law firms store servers at a colocation facility.
The Internet itself is as secure as the applications used and the choices one makes about security. If the application has security holes, data is at risk, whether stored at a colocation facility or in a closet. If the consumer does not take reasonable precautions to preserve security, e.g. by avoiding weak passwords, data will be at risk.
Using encryption to transmit and store data is one measure that can enhance security regardless of where the servers are located.
The bottom line is this: Data stored in the cloud is just as secure as data stored on a home server so long as proper security measures are taken. And vice versa.
Today, most law firm and legal department data is stored in colocation facilities. Managing that data securely is a key IT responsibility. However, because the public cloud is a newer phenomenon, many legal professionals question whether it can be used securely for client or firm data.
The answer is yes, so long as reasonable security measures are employed. The inquiry is the same one would use to determine whether a colocation facility is secure.
Physical security: For starters, public cloud services like AWS, Azure and Google Cloud provide physical security over their data centers that meets or exceeds that provided by colocation facilities. Their facilities are locked down to employees with a need to access and generally not open to non-employees (unlike colocation facilities). Indeed, cloud providers are loath to even disclose particulars about their data centers, numbers or location.
Storage devices: Once physical security is established, the next question is whether the storage devices being used are secure. Cloud providers typically offer encryption at rest for data storage, with encryption keys only in the hands of the user. Thus, data stored in a first-tier public cloud is secure even if an intruder gained access.
Application security: If the center is secure and data storage is secure, what is left? The answer is application (program) security. If the computer program loaded onto a public cloud server is not secure, then nothing is secure. But this is true whether the software is hosted at home, at a colocation facility (private cloud) or in the public cloud.
Transmission of data: As a last point, it has become standard to transmit data from server to user in an encrypted format. The standard is the SSL protocol (today implemented by its successor, TLS), indicated by an https:// address. This is a standard practice across modern computing and not often discussed. Most important, the issue exists regardless of how data is stored and delivered.
Security is a key issue for legal applications and should be a first consideration when determining a computing platform and methodology. The point here is that security can be maintained at an equal level regardless of your chosen delivery platform.