Cloud Security Concerns And What Can I Do About It?

Transcription

1 FishNet Security White Paper Cloud Security Concerns And What Can I Do About It? By Jason Hicks, Senior Consultant Governance, Risk & Compliance CISSP, HISP, CICP Cloud computing promises to provide many advantages over the traditional application delivery model currently in use at most organizations. Cloud computing can offer service elasticity or the ability to rapidly expand and contract available processing capacity. Cloud computing can also make it possible to reduce your yearly outlay for IT hardware and data center-related expenses. Cloud computing provides rapid application deployment and a streamlined development process. To use an analogy, sunshine in most parts of the country is often followed by rain. While cloud computing promises many advantages, it also comes with its own unique challenges. Your data can be located in a variety of places and geographies. Providers may be reluctant to provide you with sufficient data on their security posture to properly assess the risk of utilizing their services. It s possible to find yourself in a situation where an incident has occurred and your staff doesn t have access to the infrastructure necessary to conduct an investigation. You could find your data comingled with the data of others on shared hardware. Rest assured it s not all doom and gloom ahead. I m going to focus on some of the security challenges and opportunities posed by the adoption of cloud-based services and applications. learn more About our Industry Expertise at:

2 2 The Challenges There are significant choices in how an organization deploys cloud-based services. There are multiple architecture choices for example: Internal Private Cloud, Hosted Private Cloud, Public Cloud and, of course, there s a Hybrid option. How does one choose the appropriate deployment model? What about the cost? And what impact will the model we choose have on my organization s security posture? Another challenge is resources. Most information security organizations are stretched thin as it is, and that s without the added work of assessing the security risks associated with Cloud Security. Some feel as if outsourcing certain business operations is a way to outsource risk. This is a dangerous approach, and could not be further from the truth. Sharing sensitive information with third parties does not exclude your organization from the standard obligations associated with data protection. In fact, the sharing of sensitive information with outside organizations increases your risk profile and obligations. Claiming a lack of resources will not provide a defensible position in the face of a data breach or other information security- related incident. Your organization has probably spent a significant amount of time debating what applications and services can move to the Cloud and what provider you re thinking of using. You may already be using cloud-based services or application such as salesforce.com. As the resident security expert, or as we like to say in healthcare the jailable entity you re probably concerned about how all this shared computing infrastructure is going to affect your security posture. If you re like me, you have probably rained on the parade of quite a few excited application development managers thinking they could save a fortune by moving something filled with sensitive data to the ubiquitous Cloud. I can t count on both hands the number of times I ve told folks they can have all the Cloud they want as long as it s in one of our data centers. And yes that means some applications will not be deemed cloud-approved, at least outside of your Internal Private Cloud. Alas times are changing, and the Cloud does pose significant advantages for the right candidate applications. By employing a wellthought out Cloud Architecture and Cloud Governance model, your organization can take advantage of what cloud computing has to offer while maintaining an acceptable level of security. What to do This is a multifaceted challenge that must be addressed systematically and holistically. Step 1: Assess your current applications to determine what could benefit from a cloud-based delivery model An assessment of your current applications should be conducted to determine their criticality to business operations and the sensitivity level of the data they store and process. I recommend breaking them into three groups: By employing a wellthought out Cloud Architecture and Cloud Governance model, your organization can take advantage of what cloud computing has to offer while maintaining an acceptable level of security.

3 3 1. Applications that process low security data 2. Applications that process medium security data 3. Applications that process high security data Once you have an idea of the data sensitivity level of each of your applications, you should also pay attention to identifying applications that need to be rolled out rapidly or that face extremes in processing load. Step 2: Ensure there is a corporate Cloud Strategy and Governance Model in place before rolling out your cloud applications Before your organization makes the leap into cloud-provided applications, it s important to lay the proper groundwork. Just as Rome wasn t built in a day, a well-designed and managed Cloud computing infrastructure requires preparation and planning. Two important documents should be created before your organization starts to deploy cloud-based applications: Cloud Strategy This document will lay out your organizations official approach to cloud-based applications. This should lay out specific criteria to determine what applications or infrastructure will be provided from the Cloud. It s important that this document is approved at a sufficient level of management to ensure that it will be adhered to. This should also include the proposed architecture your organization will be utilizing. This could include building your own Internal Private Cloud, utilizing existing Public/Private Cloud providers or a hybrid approach. Laying the ground rules ahead of time will spare you a significant number of headaches during the qualification and deployment phases. Cloud Governance Model This document lays out the specific security requirements that are necessary in the various stages of your cloud application rollout. It is important to determine the criteria for selecting the classification level of data sensitivity that triggers an application assigned to the Private Cloud or Internal Private Cloud or no cloud, if such a designation is made. Equally important is codifying the security due diligence requirements for selecting a cloud service provider. This should include an initial assessment and ongoing assessment activities. This document should also establish any service-level agreement requirements or security/ performance metrics that will be monitored. Finally, this document should lay out the contractual clauses and legal review process that would be expected before a cloud service provider can be utilized. Enforcing consistent security standards is essential to protecting your sensitive data, corporate reputation and intellectual property. Step 3: Assess the security posture of your proposed cloud service providers At this point you re ready to apply the security due diligence standards you established in your Cloud Governance Framework to your proposed or existing cloud service providers. Ideally, this would involve Just as Rome wasn t built in a day, a welldesigned and managed Cloud computing infrastructure requires preparation and planning.

4 4 reviewing the last assessment if they are ISO certified. I recommend developing your own questionnaire that a cloud service provider would be required to fill out before being approved for use and then again at some predetermined interval such as annually. The Cloud Security Alliance Framework would be a good place to pull your controls from. Another would be Shared Assessments SIG. This gives you a consistent way of measuring the security posture of your cloud service providers. If your contractual agreement allows for more invasive testing, a penetration test of their infrastructure would be another ideal due diligence measure. Often you may find yourself contractually prohibited from performing any in-depth testing. I highly recommend you attempt to get contractual language included that allows for invasive testing. You have your best chance of getting this language inserted before any contracts have been signed. It would also be extremely beneficial if your contract allowed for application penetration testing of your deployed applications. It s equally important to consider the physical security posture of your proposed or existing cloud service providers. Your questionnaire should also probe their physical security posture. This should focus on security of their facilities, their disaster recovery and business continuity capabilities and their methods of media disposal/reuse. If you have special concerns, i.e., you are a healthcare provider or another highly regulated entity, you should include those specific controls in your questionnaire and assessment activities. Step 4: Establish your contractual relationships and service level agreements Once you ve narrowed your list of cloud service providers based on your security assessment activities, it s time to get down to the fine print. While most people s eyes glaze over during the contract negotiation phase, it s a good time to put on your junior lawyer hat. The choices made during this phase can have a profound impact on your organization s satisfaction with cloud delivered applications. In addition to all of the standard things your attorneys are to be looking for, you want to pay special attention to the following items: Nondisclosure of your sensitive information Destruction of your information upon contract termination Ability to conduct an onsite assessment The ability to terminate your contract in the event the provider suffers a breach Either the ability for your incident response/forensic investigation resources to be granted access to the cloud service provider s equipment in the event of an incident or investigation, or the cloud service provider needs to have qualified personnel on hand and agree to make them available to conduct incident response activities, forensic investigations and legal holds. This includes access to the logs created by its network devices, servers and While most people s eyes glaze over during the contract negotiation phase, it s a good time to put on your junior lawyer hat. The choices made during this phase can have a profound impact on your organization s satisfaction with cloud delivered applications.

5 5 other associated equipment. The amount of access to the provider s infrastructure and staff you will receive for security assurance activities. This includes whether they will fill out questionnaires, if they will share sensitive information like diagrams, policies and procedures. This should also entail the amount of testing you will be permitted to undertake. From a testing standpoint, the ideal language would give you the ability to conduct infrastructure and application penetration testing. In practice this will likely be a point of contention between your organization and the cloud security provider. You should insist at the bare minimum that the cloud security provider deliver the results of their own penetration testing activities. You should expect these activities to be undertaken at least annually if not more frequently. A provider that refuses to conduct or share the results of its own penetration testing along with prohibiting you from conducting penetration testing should be excluded from selection. How your data will be stored, backed-up and disposed is another important aspect of your contract negotiations. At a minimum you re going to want to ensure that any data you consider sensitive is not be co-mingled with any other customers data. You should also insist that any backup copies of your data are encrypted. This will ensure that if they are transferred off-site for storage they won t be intercepted ͳͳ ͳͳ by any third parties. How devices that contain your data are disposed of or reused is also important. You want to ensure that any media that contain your data in an unencrypted format is destroyed or degaussed at the provider site before being discarded or returned as a warranty replacement. You should also insist that storage devices containing your data are either securely wiped, assuming it was stored in an unencrypted format, or if your data was stored in encrypted format they should erase the encryption key and reinitialize the storage. If you require any special agreements to be executed as part of the deal. For example, if you re a healthcare provider and your planning on storing patient data in a location provided by your cloud service provider, the provider will need to sign a HIPAA business associate agreement as a condition of getting your business. Finally, it s important to capture any service-level agreements you desire to have in place. This is also the time to be capturing any metrics you would like to be provided with in order to quantify the performance of your cloud provided services. Step 5: Deploy your shiny new cloud-based applications/services Now that you ve established your Cloud Architecture and Cloud Governance models, assessed the

6 6 security posture of your service provider and braved the contract negotiation process, you re ready for the fun part - rolling out your applications. Depending on the delivery model you ve selected this can involve a lot of interconnected steps and people, which is beyond the scope of this white paper. By laying the groundwork above, you should be spared from any major security surprises during this phase. This will allow your IT applications staff to stay focused on the application deployment and not on last-minute security issues. Step 6: Perform in-depth infrastructure and application security testing Now that you have deployed your shiny new applications, you want to make sure your new delivery method has not introduced any security vulnerabilities. The activities in this phase will depend on the provider you selected and the contract provisions you were able to negotiate. You should aim to complete as many of the following as possible: Conducting comprehensive application quality assurance testing to ensure expected functionality is delivered Load testing to determine if your new delivery platform can scale to meet your projected demand Infrastructure and application penetration testing to determine whether any vulnerabilities exist in your newly deployed application or service Ideally you would be able to test the disaster recovery procedure for this application or service. This is not always feasible, and if you re unable to complete this at the time, it should be included in your annual disaster recovery testing Attempt to obtain whatever metrics you have negotiated and ensure the cloud service provider is able to deliver those metrics in the method you agreed Step 7: review your metrics and optimize your application delivery At this point you re ready to kick back and relax and watch your new system perform. Now it s time to ensure that your policies and procedures are updated to reflect your new cloud service delivery method. This is also the time to start reviewing your metrics as specified in your Cloud Governance model. By reviewing your metrics and other application performance data, you will be wellpositioned to continue enhancing your newly deployed application to ensure optimal performance. It s also important to continue your reoccurring security due diligence activities, whether annually as I recommended or at another interval you feel is sufficient. Conclusion Cloud-based services can be a transformative business enabler. Cloud-based services can also be an information security nightmare if not managed correctly. While I can t possibly cover every facet of this growing area in this paper, I hope I have provided you with enough information to get the wheels in your head turning. Cloud-based services are By reviewing your metrics and other application performance data, you will be wellpositioned to continue enhancing your newly deployed application to ensure optimal performance.

7 7 the future and they re inevitable for a decent subset of your applications and services. It s important for the security team members to continue to be seen as business enablers and not as roadblocks. Equally important, take a risk-based approach to your adoption of cloud computing and ensure that your sensitive information is properly protected. By taking a well thought out and balanced approach to cloud computing, you should be able to strike a comfortable posture for your organization. With this paper, we hope to provide you and your organization with enough information to get you thinking about your cloud security posture and what you can do about it. By following the steps outlined above, you ll be well on your way to rolling out cloud-based services and still sleeping at night. For More Information For more information about FishNet Security products and services, call or visit the website at: /company/fishnet-security /fishnetsecurity /fishnetsecurity About FishNet Security FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. FishNet Security is committed to information security excellence and has a track record of delivering quality solutions to more than 5,000 clients nationwide. learn more About our Industry Expertise at: Security. Last All Modified rights reserved