When we talk about transforming to the cloud, we often talk about hybrid cloud and what it will take to transition to it, leaving discussions about 100% cloud usage purely to the new startup (greenfield) organizations. What is needed to move 100% off-premises to a public cloud? What is sufficient, what is necessary, and what is the required last mile of this effort? I recently spoke to @AndiMann about concepts of what is necessary and sufficient.  Andi brought up some great points I would like to share over a series of articles.

First, some groundwork for this conversation. We keep hearing about the need to move to the cloud. Okay, I can see some needs, but I really do not see many drivers. The knockdown of Safe Harbor by the EU, the potential for all parts of the Patriot Act to come to life once more, and other security and privacy issues driven by fear have made me wonder if there will ever be 100% cloud use.
This in turn has made me wonder what is sufficient from a security perspective to go to the cloud, which has led me to consider what is necessary and sufficient to move to the cloud from a business perspective. The technology to do everything in a cloud is available today, even for some of the more esoteric items such as HPC, mainframes, high transaction processing, and antiquated hardware. Yet, the items necessary may not be in any clouds today. At the same time, I begin to wonder if that is really the case. So, technology aside, what is necessary and sufficient to use the cloud?
The answer to this question is not necessarily one of technology, but of a many-legged creature that includes SLAs, processes, procedures, knowledge, technology, politics, legal, cyber-insurance, etc. around a body of privacy.
However, perhaps we need to start smaller and answer a few other questions first:

  • Is there a legal definition of sufficiency?
  • From whom are we trying to protect our organizations?
  • Are there mappings of requirements to architectures anywhere?
  • Is it just a cost issue?
  • Is it an SLA issue?
  • Is sufficiency defined by knowledge?
  • What are the process and procedures required?

Finally, the big question, given today’s political (ownership, silos, legal, breaches), economic (technology, insurance), and educational (SLAs, technology, architecture) climates:

  • Is cloud practical at all?

There are quite a few new questions to ask, but there is still a definition of sufficient and necessary with respect to the cloud. I want to tackle just one of these questions at the moment, as I believe the technology exists today to do what we require within any cloud. This is not necessarily a technological problem, but lack of knowledge about technology could be part of the problem.

From Whom Are We Trying to Protect Our Organizations?

This is the question that seems to be dominating the communication I see around the web today. Breaches abound, which means seemingly private data is exposed. At the same time, we are witnessing increasing numbers of warrants and national security letters demanding data presumed private once more. Yet, private to whom?

  • The Consumer: Most consumers do not read the shrink-wrap or click-wrap licenses when using services. Some clouds actually say their data is now owned by the company and not the individuals. Other clouds claim there are no inherent protections. Even more clouds claim to help out law enforcement as much as possible. So it behooves the consumer to read and get involved in the process, or at least check things out before signing up. Yet, that gets in the way, so the consumer has an expectation of privacy and expects their data to be protected, regardless of what the click-wrap says.
  • The Organization: The organization is trying to protect itself against loss of intellectual property and other bits of data important to the success of the business. Is a consumer’s private data important to the success of the business? I do not know.
  • The Government: The government is trying to protect its citizens from destruction by malfeasance and terrorism.

Yet, is the consumer or the organization trying to protect their data from the government? It seems that this is the communication that is going on now. Apple certainly makes no bones about the fact that it cannot read a consumer’s data. However, Internet service providers are responding to national security letters to give up browsing histories and other seemingly private data.
Why do I say “seemingly”? Because unencrypted data may not be private, due to technological considerations. Is data private if transmitted over public airwaves or public wires? That is still an ongoing legal debate. If its encryption is weak, is data considered private? Or is it considered private data due to the expectation of privacy, which is more of a legal discussion?
If you want your data to be private, you must encrypt that data using strong encryption and control access, both of which are within every cloud. The question now becomes one of auditing and transparency regarding direct or indirect access to the data. This is once more not really a technological problem but one of process and procedure, worked out with your cloud service provider or by adopting its methods.
However, the first thing we need to know is the type of data to be placed within the cloud service.

Not-So-Last Thoughts

These are not-so-last thoughts, as this is the first in a series looking at how to determine what is necessary and sufficient for 100% cloud use. In this case, we look at how data is protected. We find that technologically, we have possible protections, but we need more transparency from the cloud provider and new processes and procedures within the tenant to ensure data is properly encrypted as needed. This all starts with the act of classifying your data in some fashion. Then you will know from whom you need to protect your data and whether data falls under regulatory compliance or not. Not all data needs to be encrypted, but we need to know where all data is at any given time today.
If we know what the data is, its classification, and its geographic location, we can determine the technology, process, procedures, and methodologies required to protect that data from any group as well as allow for proper privacy rules for consumers. This is the start of determining what is necessary and sufficient for your data within any public cloud. Does this imply that there is a legal definition for necessary and sufficient? We will investigate that next.