Van Halen on Cloud Security
What in the name of rock-and-roll does Van Halen have to do with the cloud? Join us on a magical journey filled with wonderment and perplexity as we seek to understand this parable.
Van Halen introduced a new kind of rock music which was bold, extreme and uncompromising, so naturally the band would adopt a persona of bravado and attitude to match their music. The 1983 Rolling Stone Record Guide called Roth “the most obnoxious singer in human history, an achievement notable in the face of long tradition and heavy competition.” While many rock artists would demand perks in their contracts to match their egos, Van Halen took such demands to a new level.
Van Halen added a rider into their contract insisting that a bowl of M&M’s be provided backstage with all the brown M&M’s removed. According to lead singer David Lee Roth’s autobiography (as recalled by Snopes), Article 126 in the contract rider stated:
“There will be no brown M&M’s in the middle of the backstage area, upon pain and forfeiture of the show, with full compensation”
So with “full compensation” for the performance at risk, hundreds of thousands of dollars depended on whether or not every single brown M&M was removed from the backstage candy dish. Another example of out-of-control rock star behavior, right? Perhaps not…
First, Roth explained that the tour was technically demanding:
We’d pull up with nine eighteen-wheeler trucks full of gear, where the standard was three trucks max. And there were many, many technical errors – whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through…. The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment…. It would say “Article 148: There will be fifteen amperage voltage sockets and twenty-foot spaces, evenly providing nineteen amperes…” This kind of thing.
So when you’re in a new city almost every night, how can you be certain that all the technical details in your contract are being followed by third parties? There was neither the time nor the resources to check every detail in the contract, so the infamous M&M clause was born. Roth explains:
So, when I would walk backstage, if I saw a brown M&M in that bowl…. well, line check the entire production. Guaranteed you’re going to arrive at a technical error. They didn’t read the contract. Guaranteed that you’d run into a problem. Sometimes it would threaten to just destroy the whole show.
The M&M’s served as an early-warning system — a predictor of how likely it might be that fine details of the contract were not being followed. And if the contract was not followed in detail it could threaten the show and even the band’s brand.
Now, what does this have to do with cloud computing again?
SECURITY AND CLOUD COMPUTING
Contracts often have SLAs that can be verified by performance and availability metrics. But security isn’t a simple binary function – it can be very complex to enforce contractually – not unlike Van Halen’s touring requirements. First, let’s take a look at the cloud security problem itself.
It’s challenging enough to account for data access controls and security governance when the data is on your private network. Most companies fall under multiple regulatory requirements, such as PCI, HIPAA, E-Discovery and many more, which require strict governance of data confidentiality, integrity and availability.
In cloud scenarios you now have public networks, third-party companies or both carrying your data. Are your security controls still effective? Can you prove it?
To provide just a few examples of concern:
- Can data accidentally “bleed” over into other networks and systems due to misconfiguration or other factors?
- Can the data be protected from other entities who may have processes running on the same hardware?
- If you are connecting internal databases to SaaS applications in the cloud, how can you be assured transactions to your internal databases and directories are secure?
- Does the hosting and/or SaaS provider adhere to a level of security audits and controls that are comparable to what your organization has adopted internally?
There are many opportunities for the confidentiality and integrity of your data to be compromised – the opportunity can arise out of either negligence or malice; the catalyst can be an individual from a third party under contract or even another cloud customer.
“We’re from the government, and we’re here to help”
For cloud applications which are hosted within the United States, security may be about to get even more complicated. The Obama Administration is reportedly crafting legislation which would call on communication firms to be able to decrypt secure communications for the FBI. With a new back door to encrypted communications, cloud security and governance could become a much greater challenge than it already is. Securosis, a leading security research and advisory firm, describes the proposal as follows:
To allow a communications service to decrypt messages, they will need an alternative decryption key (master key). This means that anyone with access to that key has access to the communications. No matter how well the system is architected, this provides a single point of security failure within organizations and companies that don’t have the best security track record to begin with. That’s not FUD — it’s hard technical reality.
ARE ALL CLOUDS CREATED EQUAL?
Some might be tempted to say “I’m just building a private cloud so this doesn’t really concern me”. While it’s true there can be different scenarios depending on private, public and hybrid cloud models, as Edward Haletky points out in a recent post, in the long run the security issues are all the same:
There is a difference between public and private cloud security, but it is very easy for a private cloud to in essence become a public cloud with all the Secure Multi-Tenancy issues that entails. This means that all clouds are alike and the security of any cloud could be handled by a single set of controls and security policies.
WHAT SHOULD BE CONSIDERED IN CLOUD CONTRACTS?
Sarabjeet Chugh – a senior manager at VMware – recently posted some questions to ask infrastructure service providers, such as:
How transparent are their security standards and compliance audits?
Or, in other words, is the third party diligently adhering to the terms of the contract and the security standards they claim to follow, or should we expect to find brown M&M’s backstage, along with security issues?
InformIT has an informative series on cloud security which encourages organizations to look for several things in a cloud services contract, including:
- Is the cloud provider contractually obligated to protect the customer’s data at the same level as the customer’s own internal policies?
- Do the provider’s security policies comply with all applicable regulatory rules?
- Is the provider willing to undergo on-demand or periodic audits and security certifications?
- What are the provider’s policies on data handling/management and access control? Do adequate controls exist to prevent impermissible copying or removal of customer data by the provider, or by unauthorized employees of the company?
And before you sign that contract, consider your exit strategy. The cloud computing model may be agile, but that agility is undermined if you cannot safely, securely and promptly remove your data from the premises of a third party.
ABOUT THOSE BROWN M&M’s
There’s much advice available on cloud security, but be creative when crafting cloud security agreements. The contract may demand certain security protocols and safeguards, but how can you be certain that they are being followed effectively? There are third-party tools like RSA’s Solution for Cloud Security and Compliance which can help here, but also consider opportunities to insert “brown M&M clauses” into the contract: small, cheaply verifiable requirements that serve as an alarm system to help determine whether your service provider is indeed following the security requirements of the contract.
So the next time you sign a cloud services contract, ask yourself if you’re smarter than this guy:
AND NOW SOMETHING COMPLETELY DIFFERENT
This post started out on the fun side and ended up a bit serious, so let’s end this on a lighter note. Van Halen music fans should be excited, as indications are that the band is currently in the studio with David Lee Roth (for the first time since “1984”) and apparently is planning to launch an album and tour next spring.
Now here’s some music trivia. What song by David Lee Roth was based on a song from 1915, that Louis Prima converted into a medley in 1945, and sports a video featuring “cameos” of Michael Jackson, Cyndi Lauper, Willie Nelson, Boy George, Richard Simmons and more? Enjoy the video!