Lately I have been looking a lot into the risks and security aspects of cloud service. And to be honest, from a security perspective, cloud is not that new. Most of the risks associated with cloud services are actually exactly the same as those related to outsourcing, a subject I’m obviously quite familiar with. In that respect, the Free Software Foundation Europe is quite right.
Yet, saying that Cloud is just the same as outsourcing would not do justice to what is currently going on. There are really a few differences that set aside modern day cloud computing from classic outsourcing.
While it may sound kind of Trumpian, this statement is rather significant. Many software companies are moving to a Cloud First (or Cloud Only) strategy. Meaning that they release new features to the cloud first and later incorporate them into their classical software distribution channels. From a vendor perspective, this makes perfect sense. They often have a smooth process in place to release changes to their cloud platform, providing new functionality to their users and with the same ease correct flaws quickly. With released software, this is a lot harder, because the software has to be distributed and then updated by (the IT organisation of) the user. This process is lengthier, making it harder to fix bugs. And as a result, it forces the software vendor into a tighter quality control regime.
It is also one of the aspects where cloud differs from outsourcing. In outsourcing the service provider and the software vendor are usually not the same party. This means that the flow of functionality from the software vendor to the service provider needs special attention
Clouds are driven by APIs. This means that software can control software in an automated fashion. This means that whoever can control the API can control the service and the information in it.
Outsourcing is generally speaking a more bespoke process, that is not fully automated and thus often doesn’t have an API.
Anyone who wants to use a cloud service has to agree to a service agreement. This is similar to the old shrink-wrap packaging that was used around software CDs and DVDs, where opening the wrapper implied acceptance of the license agreement.
EULA on statement printer a CC-NC-SA
The contractual agreement is probably one of the most important differences between Cloud and Outsourcing. Most outsourcing agreements are carefully negotiated contracts, detailing all deliverables and properties of the services. Usually, they have gone by the legal department of both parties at least once.
Cloud agreements are, understandably, less bespoke. The ease with which an end-user can accept and agreement is deceitful. I’m willing to bet that the biggest risk of cloud services is not posed by their use as shadow IT, but by users who have not fully understood the properties of the service and/or have not (properly) read the EULA.
What this can lead to in practice, is illustrated wel; in the story ‘Doxed by Microsoft’s Docs.com’ published by Ars Technica on the 27th of March. Researcher Kevin Beaumont discovered hundreds of confidential documents on Docs.com, Microsoft’s document sharing website, including legal documents, medical documents, passwords, etc…