There’s no day going on when we don’t talk about security in the clouds. Is the cloud safe? How to trust cloud providers and their services, employees, etc.
The answer to these questions is simply: Cloud is safe. It remains to prove it now, to build an argument to this far too simple answer! This is what I will try to do in this article and in others that will follow on the same subject, namely cloud security.
Let’s start by setting security. In my own words, I would say that, in order for it to be secure, a technology service (information system) such as GMAIL, Outlook, Microsoft Azure, Amazon AWS, Spotify, your payroll system, a patient’s health record or your income tax return (and the list is endless) must meet at least 3 criteria: availability, integrity and confidentiality (DIC in french) . Know that there are others, but for the purposes of this post, let’s go with them. This way of representing security is called the DIC rating. Here is more information on these 3 criteria:
Availability(D) . The most useful system in the world would be useless if it is not available at the right time, so when it is important to use it. A WEB site that only provides information about my business does not require the same level of availability as a CLSC medical records service in your neighbourhood. Another example is that my company’s timesheet may be unusable for a few hours without having a significant impact on my business. On the other hand, in the same manufacturing company, the technologies used to operate the production line must be operational during shifts.
Integrity (I). Data that feed into an information system or that is produced by a system must be accurate at all times. For example, if the action of an industrial machine is based on a temperature data, this temperature must be the correct one. A medical laboratory result must be the right one in order to properly treat the patient. But the statistics on the number of visits to my blog does not need such accuracy. Integrity also covers the notion of time. The value of data backed up today must remain the same over time. My 2017 tax return must be fixed in time if I have one day to refer to it in the event of a dispute.
Privacy (C) . This criterion is quite simple to grasp. Access to data or to an information system must be controlled. Only eyes that have the right to see data should be allowed to do so. There is a huge difference between having access to your date of birth and having access to your medical record. A company’s WEB site is accessible to anyone, and that is the purpose of the website; on the other hand, the company’s intellectual property must remain confidential and therefore be accessible to only a few people.
So you understand that, for each of these criteria, there are different levels of impact. In Quebec, the DIC rating includes 4 levels of impact per criterion. For example, a technology department with a DIC rating of 322 has high availability, but the integrity and confidentiality of its information is considered to have a medium impact. Here is a table from the Treasury Board of Quebec Secretariat that summarizes the whole.
Another example is that an information system that has been rated DIC 444, therefore all criteria are at the maximum impact level, must be accessible at all times, the information it contains must be the right information and only authorized persons must be able to access it, as a breach of one of these criteria would result in the death of a person or the closure of the company. By the way, I haven’t met any service needing a 444 yet.
What does the cloud do in all of this? Cloud computing brings the right measures, that is, the right technology (and so on) to meet all DIC security scenarios. And that’s where it all happens. Indeed, the vast amount of security services offered by cloud vendors and the standards that their equipment, server rooms, procedures and employees must meet prove to me that what I am entrusting them is in good hands.
I hear you think… Having this kind of discussion thousands of times, I guess your thoughts: “Yes, but there have been data theft at… and at…“, “Again, yesterday, the cloud of… broke down”, “Who tells me they meet these security standards?”. You’ll guess I have the answers!
Data theft comes from poorly protected systems, regardless of whether these systems end up in an enterprise basement or in the cloud of a cloud provider. We are talking about poorly constructed systems, lack of safeguards and other information security deficiencies. In this example of data theft, the multitude of cloud-based security services give IT people rarely possible options outside the cloud of cloud vendors to protect what they are entrusted with. It is up to them to put it all in place.
Yes, there have been some cloud-based outages and there will be more. We are informed of this because these breakdowns make the headlines. In return, a computer failure of company X that stopped production for 4 hours, eh! Good! we are not aware of this off-cloud failure, but it exists just as well. Be aware that it’s easier to build fault-tolerant information systems in the cloud of a cloud provider than in an on-premises server room. The reason is very simple: the availability of services is more important. And if this system is ALWAYS to be accessible, the advice I always give to my customers is: build your system with as many availability options as possible at one cloud provider and place your disaster recovery environment with another cloud provider.
“Who tells me they meet these safety standards?” Answer: Certification Authorities. They are the ones that inform us of a cloud provider’s compliance with one or more standards they are committed to. Compliance investigations are carried out by companies specializing in compliance with standards. Here are some examples of safety standards.
Yes, cloud computing is a safe place for our data and information systems. This first article is just the beginning of a series of articles aimed at explaining my views on the subject. You have a different opinion, you have questions, let me know so that you can discuss them with you.
Translation made by the Amazon Translate service