Andrew Leslie, European editor, StrategicRISK

Cloud computing

In July, a report that the Russian Federal Guard Service had ordered 20 portable electric typewriters prompted much media speculation that they were doing so in response to Edward Snowden’s revelations about the extent of US surveillance of electronic communications. After all, a typed document in a locked safe is still about as secure as you can get.

Although it turned out that the Guard Service had always used typewriters “… as a regular practice to provide information security”, it was ironic that a story about reversion to old technology on security grounds should appear at a time when many businesses are pondering moving the bulk of their processes into the cloud. Although cloud computing had barely crossed the horizon for many organisations three years ago, it is increasingly being promoted as the inevitable next step in information technology. A 2012 survey by market intelligence firm IDC showed that 45% of European businesses were already using one or more of the available cloud services. The 30% that were using the cloud only in a limited fashion, or not at all, cited peer pressure as a driver to start planning.

There are enough risks in cloud computing to make extreme caution necessary’

The vision held out by the big names – Google, Amazon and Microsoft among them – is a tempting one. It is of a world where all the expensive IT hardware and constant demands for more resources are replaced by simple dumb terminals and an internet connection. Gone are the risks of fallible humans losing laptops, leaving data sticks in taxis, or having to get to grips with software upgrades. Instead, a world of infinite flexibility and scalability, available on a pay-as-you-go basis, is presented as the solution to all your problems.

This may eventually be the case, but meanwhile there are enough risks to make extreme caution necessary. Chief among them (cited by 30% of respondents in the IDC survey) are security and data protection, followed by trustworthiness. The Snowden revelations have not helped: an August article in the Guardian suggested that US cloud service businesses could lose between 10% and 20% of their overseas custom because of them.

A further headache for risk managers involves the actual location of an organisation’s data, which may be spread around multiple server farms. Questions of jurisdiction, compliance with data protection rules, even of ownership of the data, crop up regularly. Not

surprisingly, the ‘hybrid cloud’ solution, whereby the most vital processes are retained in-house, is proving popular, but in one sense it is an unhappy compromise, retaining most of the risks of the old way of doing things, while exposing other parts of the business to the new risks of the cloud. Nevertheless, the hybrid solution allows some reassurance for those who remain wary of the cloud.

Writing on Aon’s ‘Impact’ blog, Scott Wilson outlined the most important points for risk managers to consider when choosing between cloud services providers. Ensuring that service level agreements had real teeth if the vendor failed to meet its guarantees was one. Ownership of the data, and who had rights to access or mine it was another. Finally, it was vital to ensure protection against security breaches and look carefully at encryption levels. Yet even this may not be enough.

Parmy Olson’s 2013 book, We Are Anonymous, contains the revelation that the core group of the shadowy hackers’ organisation that succeeded in taking down the websites of Paypal, Mastercard and Visa in 2010, and in publishing hundreds of confidential emails online, contained a mere six mildly dysfunctional post-adolescents. Anonymous exposed multiple delusions about data security, especially the laughable belief that “if our own IT team can’t penetrate it, it must be safe”. Yet, Olson’s account already feels curiously old-fashioned: cyber warfare has moved on, there are worse threats than teenagers in online chat-rooms, and the cloud is a fat and tempting target.

For its work on the Snowden files, the Guardian has explained how its journalists have had to take numerous flights to face-to-face meetings because online communications have become too vulnerable. It’s a lesson worth bearing in mind. Better order in some typewriters.