Believe it or not – and like it or not – the Cloud is coming to a plant near you. It may not hold critical services, but the cloud could hold a majority of other services working in a manufacturing plant.
Over the years, the Cloud garnered a reputation of being a bit of a security problem. Technology and techniques have changed but one this is for sure, the cloud is coming and it could help ease the burden off of plant’s systems.
In general, the cloud is the concept of remotely hosted IT services, termed cloud apps, provided by a supplier. These suppliers are cloud providers. Typical cloud apps offered by cloud providers include email, calendar, documents, online storage, sales, customer service, among others. Some of today’s many cloud providers are well-known names in industry and include companies such as Amazon, Google, 37signals, Intuit, Microsoft, and Box. A selection of the top cloud apps in the market today include Cloud Drive, Google Apps for Business, Skype, SalesForce, Basecamp, Quickbase, and Box Business.
Using business apps in the cloud has widely recognized advantages: You can save money by paying for only the IT computing resources you need, you can ramp up (or ramp down) computing resources quickly without capital investment, and you can increase your reach to employees and users anywhere on the planet.
US-CERT put together some ideas on how those in the manufacturing automation sector could and should look at common risks of using business apps in the cloud.
When you purchase IT services from a cloud provider, you don’t have complete control over the computing resources your business needs to operate. What happens if the cloud provider goes out of business or changes its services or prices? What if it has an outage? In December 2012, Netflix and its customers experienced a total outage for two days—Christmas Eve and Christmas Day—because their cloud provider, Amazon, had a service outage to the Eastern United States.
In the Bloomberg Businessweek article, The Cloud Carries Risk, Verne Kopytoff writes, “A recent study by the International Working Group on Cloud Computing Resiliency, made up of academic and technology industry representatives, tried to quantify the cost of outages. It estimated the combined downtime at 13 major cloud service providers to be 568 hours since 2007—with an economic impact on customers of at least $71.7 million.”
Cloud provider platforms are different with different hardware, software, configurations, and settings. Therefore, abruptly changing from one supplier to another can be difficult, even if you use the same app. You might get stuck with one supplier, just as you might with internally deployed apps. Email is a great example. The migration of email from one vendor to another is likely to encounter problems with the conversion of mail formats and customizations, whether on the cloud or in house.
An app, especially a customized one, may not behave the same or even work properly on another cloud. If you begin to have problems with a cloud provider, it can be a long process to disengage and begin a new relationship with another provider. Until there is more standardization across the cloud-provider industry, switching from one provider to another will be a complex endeavor.
A Matter of Protection
When using a cloud provider, your data typically ends up housed and protected by the cloud provider. Although the provider may be more able to purchase the latest security software and support, it doesn’t have the same motivation to protect your data as you do.
The risks to data expand beyond destroying data. Trade secrets can be lost or data may end up frozen because of a subpoena or other government action. Trade secrets can end up stolen when a malicious actor takes the encryption keys needed to access your data. What if the cloud provider advertises it provides encryption and encrypted backup services to protect your cloud data. On the surface, that seems fine, but these services may not be sufficient for every business. Many providers use common encryption keys they control for storage and backup of customer data, which means the malicious actor must only infiltrate the cloud provider to gain access to the data.
An example of frozen data due to government action is the case of Megaupload, a cloud file storage and viewing service. Charges against individuals at Megaupload resulted in law enforcement seizing over $50 million of Megaupload’s assets. This seizure meant its customers, who had data on Megaupload’s servers, could not access the data even though they had done nothing wrong.
To complicate matters, your cloud provider is likely to be located far from your business physically. It is probably located across state lines or even in other (and multiple) countries. The locations of these data centers have legal implications. If your data is involved in a criminal case, the laws of the country and state where the data center is dictate what the government can control. Your business data could end up frozen even though you are not at fault. Further, other countries have stricter laws than the U.S. when it comes to encryption. A country may not allow data to enter or exit the country if it is encrypted using certain encryption techniques.
Cloud providers are by design very large consolidators and aggregators of information in comparison to a typical corporate data center. In general, cloud providers have platforms that are more secure than your own or at least as good as yours because they have more resources than most (especially small) organizations to devote to security.
However, since cloud providers house multiple customers’ data on the same servers and they manage a much higher volume of data than even large organizations, they have the potential of being more desirable targets for cyber criminals. Even if there have not been large attacks in the cloud much today, historically there have been large companies with large security resources attacked.
Be sure you know what staff members in your organization are doing. Are they taking action without asking permission? For example, a project team may assume that it can use a cloud provider to quickly work on a proof of concept for a new tool. Or maybe the marketing department decides to purchase CRM services from a cloud provider instead of waiting months for a homegrown service. Staff can purchase these services easily by using a credit card or getting a free trial, unaware of the risks they are taking.
Select suppliers who are willing to enter into agreements that enable you to operate your business effectively. In particular, make sure the cloud provider’s security controls tune into your business needs sufficiently. You may have an opportunity to negotiate a service level agreement (SLA) with a cloud provider, but more likely you will need to compare the SLAs of different providers and find the one that best defines the terms you need.
Almost all cloud-provider SLAs have indemnification clauses that try to eliminate or isolate the cloud provider from responsibility or risk from loss to a business due to a service outage. Even if the terms limit risk and responsibility, it is in your best interest to negotiate those terms. If you do not have a contracts attorney on staff, a good time to find one is before signing with a cloud provider. You may not gain significant ground, but it is essential that you understand the terms and risks with each cloud provider to make an informed decision.
If you can, negotiate contract terms that define your requirements for the computing resources, including security, data handling, and disaster recovery. Pay attention to your rights and obligations related to notification of breaches in security, data transfers, creation of derivative works, change of control, and access to data by law enforcement. Also make sure you understand the location of your physical data and the laws that pertain to those locations, including who really owns the data.
Build trust with cloud providers slowly. Start by using the cloud provider for noncritical services and evaluate how well they meet your needs and avoid problems. Slowly build trust over time by extending what you use on the cloud little by little. Using this incremental approach buys time and opportunity to learn and make adjustments to the business relationship.
Find a way to ensure the terms of the SLA end up honored. Keep abreast of the security controls used by the cloud provider and its ability to keep up with trends in cyber crime. Demand the information you need to monitor your business on the cloud. You should have access to the same information you would if the service was in your organization. Include terms in the SLA that ensure you have the right to receive the information you need without resistance. Be as specific as possible to protect your access to critical information.
All cloud providers have outages. Amazon, Salesforce, and Microsoft are only three of the cloud providers that had outages in the last year. Ask the cloud provider about its disaster recovery plans and have a disaster recovery plan of your own that includes cloud apps.
You can use cloud apps for your business; just be sure to fully understand the risks and how they might affect your particular business and industry. Be aware of how your staff may already be using the cloud, be a smart consumer of cloud services, involve people with the right skills in making cloud decisions, use an incremental approach to build trust slowly, monitor your cloud provider’s activities, and plan for cloud outages. These activities will help you benefit from cloud service flexibility and cost savings while protecting your business.