Are cloud companies becoming too big to fail?
Are cloud companies becoming too big to fail? We all know what happened when banks became too big to fail. I would argue we are becoming even more dependent on cloud services than we ever were on the failing banks, and look at the mess we are in. It has been nearly a decade and the impact is still being felt. Admittedly, the banks had limited geographical reach, so customers outside their jurisdictions were protected from their failures. This is not the case with cloud services. Cloud services are not bound by physical or national boundaries; they can be accessed globally.
Our cloud dependence is growing and so are the impacts
More and more organisations are becoming highly dependent on cloud companies for their IT. The services they offer are also expanding at breakneck speed. From traditional utility IT for organisations to a creeping expansion into our homes through IoT, they are becoming ubiquitous at an alarming rate. Soon we will be connecting our CCTV, burglar alarms, smart meters, fridge freezers, washing machines, heating and cooling systems, cars, and robots (to make us all redundant). Imagine what impact a failure of the cloud service provider that glues all this together will have on consumers. Unwittingly we may be putting all our eggs into one basket. And all of us are using the same basket.
The Cloud is the Internet
Twenty five years ago John Gage of Sun Microsystems coined the phrase “the network is the computer”. Twenty five years later, “the cloud is the Internet” is becoming a reality. Our dependency on the cloud is ever-growing. What started as an IT cost differentiator, an alternative option for CIOs that took years to overcome the security hurdle, has quickly become the option of choice. As the ingenuity of service providers increases, our reliance on them increases too. We are trusting the cloud even with the very systems that are meant to keep the secrets that protect us and our information. Even the password systems that hold personal and corporate passwords are cloud based.
Our utility, medical, emergency and government service providers are already dependent on cloud based services and will become even more so with the UK government’s cloud first strategy. I suspect this will be duplicated the world over. Cloud services have provided a silver lining for many cash-strapped CIOs and have been good for our planet in terms of environmental impact and energy saving, but are we becoming over-reliant on them without proper forethought? The cloud is no longer just virtualised hardware: we have IaaS, PaaS, SaaS and even hybrid delivery models, and all the while we are piling more and more innovative services on to the cloud.
Who has the clout for the cloud?
Once we are fully connected, failure of cloud services will be devastating, yet there is no visible government oversight of what services are being connected or what the impact and risks of failures are. Individual service contracts and terms and conditions with large service providers are one-sided and not usually negotiable unless you, the client, are of substantial size or have enforceable clout.
We are rushing towards the cloud without thinking of the implications. Where only 5 years ago organisations were raising questions about confidentiality, integrity and availability, these now appear to be less of an issue. With relatively few major issues with cloud services, confidence in them has been at an all-time high, until last week that is, when a large chunk of AWS, Amazon’s cloud service, went offline. This has renewed interest in, and questions about, the availability of cloud based services.
The recent AWS outage, although regional, shows we need more control and even greater oversight of cloud services. This is especially concerning given the near monopoly and the dependency building up around very few big players in the market. Now, don’t get me wrong. I’m not pointing fingers at Amazon. Amazon is a brilliant company and I’m an avid fan of their extensible model and service. This could have happened to any other cloud company. However, their recent mishap and the fall-out from it should be a wake-up call for more oversight of the cloud on which we will be more and more reliant. What it clearly demonstrates is that the cloud suffers from the same frailty as traditional IT: human and technological errors and weaknesses still exist, and confidentiality, integrity and availability are still an issue.
The cloud is not yet nearly as extensive as it will be in 5 years’ time, yet this relatively minor outage had a noticeable impact. Imagine if this had happened a few years down the line.
Cloud as the attack vector
Aside from accidental availability issues, the more services we move on to the cloud, the more we will become deliberate targets of easy-to-mount denial of service attacks and cyber warfare. Shared services will mean shared vulnerabilities and threats. Imagine if gas, electricity, water, phone and emergency service providers were all connected to the same cloud service in the same region. Can you imagine the chaos? It is not unimaginable either. It is reported that Amazon itself had its own fault reporting dashboard running on the affected system and therefore could not access it.
There needs to be a breakdown and separation of the services cloud service providers can offer, to protect against single points of failure in consumer services. This needs to happen at the cloud service level and all the way down to shared Internet components. Another level of separation is needed at the infrastructure level, such as the utilities and telecoms the cloud service providers themselves use, to prevent multiple cloud service providers being affected by shared infrastructure outages.
Protecting critical services in the cloud
To protect against impact at the critical infrastructure level, critical service providers such as gas, electricity, transport, medical and emergency services should also separate their reliance on single providers. For example, should gas and electricity providers (which could be the same company) be using the same cloud service provider as, say, other gas and electricity providers? This may be a poor example but hopefully illustrates the point. This was not so much of a problem in the past, when critical national infrastructure providers had their own separate data centres from which they provided these services. However, going forward this may not be the case, and therefore careful due diligence is required of cloud services and critical services.
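As an added illustration of the separation argued for in the two sections above (example code, not part of the original article), the following Python checks a constructed inventory of critical services for dependencies shared across cloud providers, provider regions and the telecoms and power feeding them; every service, provider, region and carrier named in it is made up.

```python
"""Concentration-risk check over a constructed critical-service inventory.
Each service lists what it depends on at each layer: cloud provider,
provider region, and the shared telecoms and power feeding the data centre.
A dependency value shared by several services is a single point of failure
for all of them, whichever layer it sits at."""
from collections import defaultdict

# Constructed inventory: fictional services, providers, regions and carriers.
INVENTORY = [
    {"service": "gas-billing", "provider": "cloud-a",
     "region": "cloud-a:eu-west-1", "telecoms": "carrier-x", "power": "grid-north"},
    {"service": "electricity-ops", "provider": "cloud-a",
     "region": "cloud-a:eu-west-1", "telecoms": "carrier-x", "power": "grid-north"},
    {"service": "water-scada-hmi", "provider": "cloud-b",
     "region": "cloud-b:eu-central-1", "telecoms": "carrier-y", "power": "grid-south"},
    {"service": "emergency-dispatch", "provider": "cloud-a",
     "region": "cloud-a:eu-west-2", "telecoms": "carrier-y", "power": "grid-south"},
]
# Dependency layers, from the cloud service down to shared infrastructure.
LAYERS = ("provider", "region", "telecoms", "power")

def shared_dependencies(inventory, layers=LAYERS, threshold=2):
    """Map each layer to the dependency values shared by at least
    `threshold` services: {"provider": {"cloud-a": [services...]}}."""
    index = defaultdict(lambda: defaultdict(set))
    for item in inventory:
        for layer in layers:
            index[layer][item[layer]].add(item["service"])
    return {layer: {value: sorted(svcs) for value, svcs in values.items()
                    if len(svcs) >= threshold}
            for layer, values in index.items()}

def largest_single_point(inventory, layers=LAYERS):
    """The single dependency whose failure takes down the most services."""
    everything = shared_dependencies(inventory, layers, threshold=1)
    return max(((layer, value, svcs) for layer, vals in everything.items()
                for value, svcs in vals.items()),
               key=lambda t: (len(t[2]), t[0], t[1]))

if __name__ == "__main__":
    for layer, values in shared_dependencies(INVENTORY).items():
        for value, svcs in values.items():
            print(f"{layer:9} {value:22} shared by: {', '.join(svcs)}")
    print("worst single point of failure:", largest_single_point(INVENTORY))
```

Run against a real inventory, the report shows which services would fail together and at which layer, which is the due diligence the section above asks for.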
This and other articles can be found at www.cybercounsel.co.uk
Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF, is a certified GDPR and cybersecurity practitioner. As a security practitioner he has written, tested and embedded many incident management plans and processes and has dealt with many incidents and data breaches. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXELOS, published in 2014, and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneurs.
If you need any assistance with any aspects of GDPR implementation or cyber security please contact us.
If you are interested in our One day GDPR How-to Master Classes please register here at Cyber Counsel.
Copyright Cyber Counsel