Patch me if you can: everything as a service – it’s safe, isn’t it?


33 percent of good advice is based on having the best templates. A colleague recently asked about SLA templates for a customer’s future cloud service provider. “It’s about security SLAs, not just 99.999 percent availability!” I was just about to start a deep-learning-powered search in the always perfectly maintained knowledge management system (aka Google) when an e-mail from a very experienced colleague beat me to it: “If it’s cloud, then you don’t care about these details anymore – unless you are the cloud service provider yourself.”


He has a weakness for risks and for writing about cyber: in his main job as a security researcher at HiSolutions AG, David Fuhr rages and lets off steam in this column about current incidents and universal truths of information security. In addition to new articles, pieces that have already been printed in iX also appear here – always with a tongue-in-cheek update on the current security situation.

As a customer, I’m only interested in x.x percent availability, maximum consecutive downtime (e.g. 15 minutes once a day), an RTO (service and data recovery) of 15 minutes from failure, full liability (also for loss of sales), and penalties, i.e. x euros per minute. That’s why it’s “cloud” and not “metal rental + managed OS + managed Tomcat + managed NetWeaver + managed webshop-on-NetWeaver + monitoring + remote hands + …”

On the one hand, he’s right! As early as 2008, at the start of the big cloud hype, James Governor formulated in “15 Ways to Tell It’s Not Cloud Computing” a set of exclusion rules, valid to this day, for what can (not) be considered cloud: “If you need to send a 40 page requirements document to the vendor then … it’s not a cloud”.

On the other hand: it would be nice! The problem is not so much the mere establishment of the actual technical and organizational requirements. Eight years ago, the BSI study “Protection Level Agreements (PLA). Tools for agreeing security requirements in customer-service provider relationships” analyzed the topic of security SLAs in breadth and depth. However, the word “cloud” does not appear once in the entire study, because in 2010 the term had not yet arrived in official German federal discourse. The core questions raised there are now even more pressing:

  1. How do I communicate my security requirements to my service provider?
  2. How can I ensure compliance in an ever-deeper chain of subcontractors?

The catch lies above all in penalties and liability. If penalties can be negotiated up to significant amounts at all, the cloud provider simply adds the risk to the usage fee. Assumption of liability, on the other hand, is something one will usually look for in vain, at least in the general terms and conditions of the large cloud providers; and here too, any individually negotiated model would ultimately take the form of an insurance policy, the premium for which (plus x) is paid by the customer.

This may still work quite well for outages, where the cost of an availability disruption can be reasonably calculated. Whether there is already enough data on the probability of occurrence is another question: the really big cloud failures still seem to lie ahead of us.

It becomes really difficult with “disruptions” to confidentiality or even integrity, i.e. large data leaks or particularly malicious manipulations. Here, the customer can no longer necessarily rely on the cloud provider to handle the data of its end customers or employees correctly (in the event of data protection violations), nor to deal with leaked trade secrets or repair manipulated processes. Rather, the customer has to do this himself and needs – immediately! – certain preparatory work from the service provider, which is not necessarily put to the test in normal operation.

In the PLA study, the BSI had already proposed extensive agreements that could in theory also help in the cloud environment in such cases: from processes such as audit rights, alerting and incident handling through to concrete guarantees of measures for patch management, secure deletion, encryption or logging.

In practice, it looks more like Amazon, Google or Microsoft will say “thanks, but no thanks”: the big cloud providers have – at least for run-of-the-mill customers from run-of-the-mill countries, among which, at least in the view of the previous US President, we may be counted – neither the time nor the desire, i.e. the financial motivation, to understand every IT service of their customers in detail. As a result, the idea of PLAs fails right from the start: the customer cannot negotiate a level of protection at eye level. He can certainly choose from various operating models such as standard, premium, dedicated, bronze, silver, gold, etc. and hope that enough of his checkboxes have been ticked before his budget is exhausted. But this alone does not replace an organization that, in the worst case, will drop everything to revive its own business – especially when hundreds of thousands of other customers around the world are crying out at the same time during a worst-case meltdown.

In principle, the common “as a service” promise is a euphemism, because *aaS suggests the good old service provider relationship – always ready to serve, serve, servant, sacrifice, Cheerio, Miss Sophie! In my opinion, the more honest and realistic term would be “AASS” – as a self-service, because that is what cloud computing (as it was originally, and more appropriately, called) is all about: a big computer, a white box (or cloud) into which I put data that is used to do certain things, and many other things that I have no insight into. And just like other small and large boxes that I put valuables in, it is up to me to ensure their protection.

Incidentally, a further 33 percent of a good consultant consists of knowledge of human nature, and the last 33 percent of passion for his topic – in this case IT. You don’t necessarily have to be able to count ;-).

PS: James Governor also knew as early as 2008: “If there is a consultant in the room … it’s not a cloud.” We’ll then be discreetly in the next room if you should need us!

This column appeared in iX 09/2018 and has been updated for the online edition.
