There are threats to storage, just like there are threats to anything else we do. Some of them are listed on the screen in front of you. Administrators for the cloud provider can technically access any or all of our data. They do have rights, in other words, behind the scenes to be able to interact with the infrastructure, the platform, the software. The different levels of control that they may have may differ from our expectation about what we want other people outside or external actors to be able to have in terms of our data. But the problem is when we use a cloud model, we're effectively giving a level of control to the cloud provider. We're saying in exchange for money, we want to have them provide some sort of service to us. Because for whatever reason, either because we don't own the infrastructure, we don't have the ability to manage it. We don't have the room to manage it, we don't have the time to manage it. Whatever those legitimating business concerns are, we're going to turn to a trusted third party and trust it, in air quotes, right? Trust it is a relative term, but we're going to turn to a third party. And we're going to say to them in effect, contractually, I'm going to pay you a certain amount of money. And in return you're going to give me a certain level of service. We're going to use a hosting agreement and a service level agreement to be able to effectively control and shape that environment with our expectations and the commitment from the service provider all clearly documented. And we've obviously spoken about the value of expectation management and understanding what our mission is and how to accomplish it clearly, and making sure we can measure success. We've spoken a lot about that over our time together in all the different knowledge areas that we've been going through in the class.
The concept here is that if those administrators, the people that work for the cloud provider, are given complete access, and they have to be to do their job, how do we as customers trust them? This is a big issue for us because I don't know them, they're not in my direct employ. They're not vetted by me, they're not subject to my controls and my policies and my procedures. I'm subject to their control, and their policies, and their procedures. I'm at their mercy, in other words, as the customer. I may or may not be able to trust them. I really just don't know. And the cloud provider is supposed to go through and vet these people, do background checks, validate that they are legitimate actors, validate that they will follow the cloud provider's policies, and validate that they're implementing them correctly through auditing and through random sampling of data and random sampling of logs, all the things that we've talked about doing. But it's all going to happen out beyond my control. As the customer, in other words, I sit back and my expectation is, it happens. And I have accountability with the provider in the sense that I can try to hold them accountable, say, hey, did this go on? What's happening here? Why is this going on this way? But there's a cutout. There's a level of trust that I have to bridge in order to ensure that the cloud provider does their job correctly. And that may or may not be acceptable to me. So the administrators can access technically anything we put in the system. I'm not suggesting they always will, just pointing out that they have the rights to. And if they choose to act badly and in bad faith go and do something, we may or may not have an understanding of that right away, we may or may not have a record, or some sort of knowledge of that, because of the nature of cloud and the cloud technology. We may not have visibility into the backend where the logging takes place, where the configuration or the management takes place.
We may not be able to see those areas. Because of that they may be able to hide the fact that they're doing this, and we may not realize that somebody is copying our data. Somebody is manipulating and violating the integrity, breaching confidentiality. That can be a concern. Private volume storage can easily be made public. In other words, with literally just one click of the mouse or perhaps inadvertently a move of data or change in permissions, either on purpose or by accident, our data can be exposed. And, again, outside of our direct control. It's not us, it's not our responsibility. It's our accountability. We do have to make sure it's being done the right way. But we are asking someone else to be responsible to do this. And they may or may not follow the rules. They may or may not do it the right way. All these things are going to become problematic. The fact that we may not have direct access to certain configuration and control elements for troubleshooting may be a problem. So you may not be able to fix certain problems. You may have to rely on others to do that on our behalf. We may not be able to and may not have the rights to exclusively manage our own area, our own hardware and software interface between those because we may be sharing it with other people. Multi-tenancy can become an issue because there's usually more than one customer in that system. And if that customer has issues or concerns, let's say, we're the primary customer but there's five other customers sharing that set of servers with me. They're all paying their fee monthly and the vendor, the internet cloud service provider, has put all of us together effectively in one big pool. We're all sharing resources. Well, that's potentially an issue because I don't have exclusive use of them. And if one of the other customers does something or interacts in some way, or somehow modifies what they do in the system in a way that causes instability, it may affect all of us.
So there's lots of different concerns and issues here. As SSCPs, as security practitioners, it's our job, it's our responsibility to point out these risks, to point out these threats, to point to these vulnerabilities and say, you know, business, right, pay attention. Let's be on the same page here. There may be an issue, there may be a concern. Our requirements for availability, our requirements for confidentiality, our requirements for integrity may not be satisfied with the current model. We may need to look at different alternatives. But we also have to be fair and even-handed and say, there's a lot of good, there's a lot of value here. Look at all the things this does provide for us, provides high level access to technology and capabilities to scale, to be able to use the technology on demand to meet the needs of our customers as we grow the business. It provides us maximum flexibility, provides us the ability to use technology and have it maintained and monitored 24 by 7 for us based on our agreement with the vendor. So there's lots of good things. And the thing that we often struggle with as security professionals is being able to tell both sides of the story, being able to represent that story in our minds, and in the minds of the stakeholders we deal with, in an equitable and realistic way. It's easy to focus on risk in other words, right? And it's easy to tell the scary story about the monster under the bed, and how we have to go and take care of that. It's harder to be even-handed and tell both sides of the story, and put the monster under the bed, the threat, the vulnerability, the risk, in context. And say, you know, this is bad, but let's be realistic. It's bad for these reasons, but here's all the stuff we do that's good. And this is why although it's bad, it's not really super bad, right?
We can manage it, we just have to be aware of it, we just have to take our time, we just have to make sure that we're diligent, and that we exercise the proper level of oversight and focus to do the things that we need to do. That's a much tougher decision to make as a business, it's a much tougher story to tell. We have to really understand our environment, in other words, in order to be able to figure out how to do the things we need to do, and focus on the issues and concerns that are most relevant to the business. And something like threats to storage in the cloud is a great example. Because although a lot of things can be threatening, the majority of them are probably able to be mitigated if we just sit down and really think through what's the logic of this situation? What's the context? What am I doing? What are my options? What are my tools? What are my capabilities? And then what are my requirements? And then I add those into the requirements, capabilities, and options that the vendor can provide. And by matching those up and doing an assessment of where we are and where we want to be, we often find there's a lot of common ground, and we often find there is a decision path and a way forward that makes sense for both of us. But we have to talk it through, we have to negotiate. We have to figure out how to agree that this will happen. How do we mitigate the fact that administrators on the provider’s side can technically access our storage in volumes? Well, we put agreements in place that help us to understand that that will occur if necessary but that there should be reporting and that there should be accountability, there should be logging, and we should have a trail or record of what goes on so we can audit that and we can understand that there's continuity and that there's integrity in what those administrators do. So we can come up with a solution that allows us to effectively overcome and deal with this risk.
The challenge is we have to identify the risk, we have to know what it is. Once we've identified it, once we've accepted that it's there, we can then begin to talk about how we're going to deal with it. Remember, there's four ways, ultimately, to identify and deal with risks. And we've spoken about them in earlier conversations. There's the ability to be able to accept risk, to mitigate, minimize risk in some way, to avoid risk, which is not engage in that behavior, and/or to transfer risk. Effectively give the opportunity to manage the risk to somebody else in exchange for something, usually money. So usually we'll pay something to do that for us or something of that nature will occur. So if we're able to understand and identify what the risks are, we now really can begin to frame the conversation. And take it in a direction that will help us to be as focused as possible, most successful with regard to dealing with risk.