Company85 Executive Guide: Cloud Security

Implementing secure cloud services
An executive guide to assessing your cloud maturity

- Understand the major security implications of moving to the cloud
- Get practical advice on how to implement cloud services securely
- Assess your cloud maturity posture with our instant test
CONTENTS

About this guide 3
Introduction 4
What's driving cloud security concerns? 5
Tackling security in the cloud 8
Instant test: 20 questions 12
Scores on the doors: your cloud maturity posture 14
Next steps 14
Glossary 15
References 15

An independent perspective

This document has been prepared by the security and privacy practice of Company85. As a technology-agnostic consultancy of over 20 years' standing, Company85 has no product sales agenda. We provide an independent perspective and impartial advice for those moving to cloud computing. We are familiar with using cloud services ourselves, as well as advising FTSE100 corporations and local/national government clients, so we are well placed to discuss the strategic and practical considerations of cloud security and governance.
"Only 32% of companies believe the cost savings associated with cloud computing outweigh security considerations for their organisation" (nCircle 2011 Cloud Computing Trends Survey)

About this guide

What this guide will do for you

Security is often cited as a major obstacle to adoption of cloud computing, but it doesn't have to be that way. This brief executive guide will help you:

- Understand the major security implications of moving to the cloud
- Get practical advice on how to implement cloud services securely
- Assess your cloud maturity posture with our instant cloud security test

How to use this guide

For organisations moving to cloud, this guide highlights the major governance and legal considerations that should be taken into account alongside security controls when planning any migration. For organisations already using cloud services, the assessment questions on page 12 provide a handy checklist to ensure that current governance and best practice are up to scratch. The guide assumes a general awareness of some common terminology, but a brief glossary is included on page 15.

Who should read this guide

This guide is appropriate for business and IT executives who wish to gain an overview of issues affecting security in the cloud. For more detailed information on any of the subjects discussed, the author welcomes comments and enquiries.

Executive summary

In 2012, 80 per cent of new commercial enterprise apps will be deployed on cloud platforms, while four out of five businesses are planning to move services to the cloud. Clearly, the momentum behind cloud is now unstoppable. It has been suggested that more than 50 per cent of Global 1000 companies will have stored customer-sensitive data in the public cloud by the end of 2016, although this assumption is based on the expectation that cloud security technologies, governance and insurance will evolve at a sufficiently rapid pace.

Cloud security is about addressing the same identity management, encryption, detection and forensics issues IT departments have always faced, along with those departments taking responsibility for governing how and where data is stored and accessed in the cloud. This document examines the current state of play regarding cloud security and outlines practical steps that you can take to plan your cloud security needs.

We look at the typical security challenges facing organisations today, such as:

- Ensuring cloud service providers (CSPs) are in compliance with your security policies, especially once you expand to use multiple CSPs
- Protecting your critical information in multi-tenanted cloud environments
- Addressing the legal and contractual issues posed by the globally distributed infrastructures used by many CSPs

We then look at some of the possible solutions to these challenges:

- Updating governance, risk and compliance (GRC) frameworks to address the management of CSPs
- Auditing of CSPs by you and third parties
- Consideration of the legal and contractual implications of placing each application's data within a CSP
- Perhaps most importantly, having an exit plan in place for when the arrangement with the CSP ends

We also look at some of the recent developments affecting CSP security issues:

- Independent, third-party certification of CSPs
- Availability of specialist insurance
"At year-end 2016, more than 50 per cent of Global 1000 companies will have stored customer-sensitive data in the public cloud" (Gartner Group)

Introduction

With good reason, security is consistently raised as a major concern when organisations are considering cloud-based services. With cyber attacks increasingly focused on commercial gain, and with incidents of data leakage constantly in the headlines, organisations must ensure their data assets are well protected when they put them into the hands of a third party.

Organisations react in different ways to the challenge of security in the cloud: some believe the benefits outweigh the concerns and push forward with adoption, while others see the issue as a showstopper. At Company85, our experience is that although the security aspects need careful consideration, they can be effectively managed, allowing firms to realise the benefits of cloud without putting their sensitive data at excessive risk. In this guide we give an overview of the major issues impacting cloud security and provide some practical guidance on what you can do about them.

Cloud trends

Cloud is already well established. IDC claims that in 2012, 80 per cent of new commercial enterprise apps will be deployed on cloud platforms [i], while KPMG's 2011 Cloud Survey of over 900 global companies found four out of five businesses were moving or plan to move some of their computing needs to cloud services [ii]. Despite the early rumours of hype, cloud is now seen as a game changer by many in the industry, with the potential of delivering competitive advantage through scalability, flexibility or cost reduction. For many organisations the question has moved on from "should we move to cloud?" to "how do we move to cloud?".

However, achieving security for cloud environments is a top concern for organisations. The Symantec 2011 Global State of the Cloud survey, for example, identified that per cent of respondents have concerns about potential risks, including malware, hacker-based theft, data leakage or breach, denial-of-service (DoS) attacks, adverse compliance audit findings and inability to recover data for a court case [iii].

Those concerns are real, but there's no denying where the endgame lies. "At year-end 2016, more than 50 per cent of Global 1000 companies will have stored customer-sensitive data in the public cloud," claims Gartner [iv]. As cloud computing security improves and becomes subject to insurance policies and independent certifications, organisations will feel more comfortable about putting sensitive data in the cloud. In due course, commentators assure us, independent cloud insurance will become commonplace, providing businesses with the assurance that they'll be compensated in the case of data loss or security breach.

So where does that leave things now? Many organisations have already carried out migrations of low-risk services, such as analytics, or to brands which have achieved industry-wide acceptance, such as Salesforce. Often this is done to test the concept before considering migration of more critical applications. At Company85, we are seeing more and more enquiries from clients looking to migrate service layers into the cloud. Having an appropriate security and governance model in place is the most important prerequisite for these clients.

At the moment the projected assurances predicted by Gartner may not be fully in place, but we believe that, as with so many other aspects of cloud computing, a substantial part of security is about addressing the same issues (identity management, detection and forensics, and encryption) that IT departments have always faced.

[Figure: Primary threats and vulnerabilities in a cloud environment]
"In the jungle of multi-tenant data, you need to trust the cloud provider that your information will not be exposed" (Datamonitor)

What's driving cloud security concerns?

The multi-tenancy conundrum

A cloud infrastructure is generally multi-tenancy, with a decoupling of specific hardware resources and applications. Within this jungle of multi-tenant data, you need to trust the cloud provider that your information will not be exposed. In a multi-tenant cloud environment, ensuring separation of data is also a major concern, especially where infrastructure is shared. Where, exactly, does the data reside?

Organisations need to be vigilant around issues such as how customer boundaries are enforced and how passwords are assigned, protected and changed. Cloud service providers (CSPs) typically work with numbers of third parties, and we would advise organisations to gain information about those companies which could potentially access their data. Being a CSP does not necessarily mean that you provide physical hosting. An important consideration for cloud service customers, especially those responsible for highly sensitive data, is to find out about the hosting company used by the provider and, if possible, seek an independent audit of its security status.

Governance

If cloud continues to grow as expected, it is likely organisations will have to expand their existing governance structures to support multiple cloud suppliers and multiple service models: software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). The impact of governance in the cloud on each of these models, compared with traditional on-premise and hosted environments, is depicted below.

[Figure: Who has control in a cloud environment?]

As shown, control increases in favour of the CSP the deeper you move into the cloud, but this does not absolve you from your responsibility for security. Governance, risk and compliance (GRC) remains with your organisation. It is paramount that organisations have robust audit and monitoring frameworks in place to ensure that risk is managed across a potentially diverse supply chain, and that service levels and contractual obligations are met.

Data privacy

Traditionally organisations have derived some confidence from knowing their data sits on assets they own, often in buildings they own, which are secured and managed by staff they employ. The most extreme contrast to this would be a public cloud, where your data can sit in multiple buildings, often across multiple countries, and be accessed by a potentially large number of unknown CSP staff. For most organisations the reality will sit somewhere between these examples, but the problem of ensuring private data is protected is a real one. If personal data is leaked or commercially sensitive information is lost, it is unlikely the resulting reputational or financial damage will be covered within your contract with the CSP.

Access control

Many large organisations today are still grappling with the problem of controlling access to a diverse portfolio of systems and applications. Ensuring that access for leavers is removed in a timely manner across every application, that access is reviewed as staff change roles, and that personal mobile device access is controlled are ongoing problems that are only made worse by cloud. Cloud creates further islands of access control which require new processes and tooling. While tools are available to help with some aspects, this is an area that is still maturing, so it may not be easy to find a single solution that meets all your requirements.
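The leaver problem described above can be checked mechanically once each provider's account export is in hand. The script below is an added example, not code from the Company85 guide or from any CSP: it reconciles a constructed HR leaver feed against constructed per-service account exports, flags every account still active past an assumed one-day removal SLA, and records whether the account was actually used after the leaving date, which is the finding an incident responder cares about most. The column names, the service names and the SLA are assumptions made for the example.

```python
"""
Leaver reconciliation across several cloud services (added example, not from
the Company85 guide). Inputs are constructed inline: an HR feed of leavers and
one account export per service. Column names (email, leaving_date, status,
last_login) and the one-day removal SLA are assumptions for this example.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR leaver feed, as an HR system might export it.
HR_LEAVERS_CSV = """email,leaving_date
alice@example.com,2012-01-31
bob@example.com,2012-02-15
"""

# Constructed account exports, one per cloud service (hypothetical service names).
SERVICE_EXPORTS = {
    "crm-saas": """email,status,last_login
alice@example.com,active,2012-02-20
carol@example.com,active,2012-02-21
bob@example.com,disabled,2012-02-10
""",
    "analytics-saas": """email,status,last_login
bob@example.com,active,2012-02-22
carol@example.com,active,2012-02-22
""",
    "iaas-console": """email,status,last_login
Alice@Example.com,active,2012-01-30
""",
}

GRACE_DAYS = 1  # assumed SLA: access removed within one day of the leaving date


def normalise(email: str) -> str:
    """Fold case and whitespace so one person matches across providers."""
    return email.strip().lower()


def load_leavers(hr_csv: str) -> dict:
    """Return {email: leaving_date} from the HR feed."""
    rows = csv.DictReader(io.StringIO(hr_csv))
    return {normalise(r["email"]): date.fromisoformat(r["leaving_date"]) for r in rows}


def find_orphaned_accounts(hr_csv: str, exports: dict, as_of: str) -> list:
    """
    Return (service, email, days_overdue, used_after_leaving) for every account
    that is still active for a leaver once the grace period has passed.
    used_after_leaving is True when the export shows a login dated after the
    leaving date, i.e. the orphaned account was actually exercised.
    Results are sorted longest-overdue first, then by service name.
    """
    today = date.fromisoformat(as_of)
    leavers = load_leavers(hr_csv)
    findings = []
    for service, export_csv in exports.items():
        for row in csv.DictReader(io.StringIO(export_csv)):
            if row["status"].strip().lower() != "active":
                continue  # already disabled: nothing to report
            email = normalise(row["email"])
            left = leavers.get(email)
            if left is None:
                continue  # current member of staff
            deadline = left + timedelta(days=GRACE_DAYS)
            if today <= deadline:
                continue  # still inside the removal SLA
            used_after = date.fromisoformat(row["last_login"]) > left
            findings.append((service, email, (today - deadline).days, used_after))
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


if __name__ == "__main__":
    for service, email, overdue, used in find_orphaned_accounts(
        HR_LEAVERS_CSV, SERVICE_EXPORTS, "2012-03-01"
    ):
        flag = "USED AFTER LEAVING" if used else "not used since leaving"
        print(f"{service:16} {email:20} {overdue:3d} days overdue  {flag}")
```

Run as a scheduled job against real exports, the same logic gives the audit trail the guide asks for: each finding names the provider, the account and how long the SLA has been breached, and the `used_after_leaving` flag separates housekeeping failures from accounts that need an incident response.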
"Microsoft has told Office365 users that they cannot guarantee that EU-stored data, held in EU-based data centres, will not leave the European Economic Area under any circumstances, as they are a US company governed by the Patriot Act"

Regulatory and compliance issues

Cloud's special status, in which so many parties can be involved, can muddy the waters concerning legal and regulatory issues and responsibilities. You are still responsible for complying with regulations and monitoring compliance even if the service is provided by a third party, but ensuring compliance across an abstract cloud solution is very different from a traditional in-house solution. Passing down liability to your cloud service provider within the legal contract may be prohibitively expensive.

Gartner has claimed that by 2016, 40 per cent of enterprises will make proof of independent security testing a precondition for using any type of cloud service. It seems likely that in due course there will be third-party certification processes. Some commentators suggest that there will be a strong tie to cloud computing insurance, as the safer a cloud is, the lower companies' insurance premiums will be when using that cloud. CSPs may embrace this as an opportunity to prove just how secure they are [v].

Although cloud computing is generally perceived as a technology issue, from a security perspective it is good governance, demonstrable compliance and robust agreements that are paramount. While technological security solutions are still maturing, the only real challenge there is making sure everything works as it should. What cloud has introduced is a situation where you no longer have direct control over where data sits. What is the policy for archiving and deleting data? How do you retrieve data if it's needed to demonstrate compliance, or to support a court case? What data can be lawfully accessed by another country's judiciary without your permission? If an organisation has not prepared thoroughly in these areas, there's really little point in starting to think about the technology implications and solutions in the cloud.

Multi-country infrastructures

Many cloud providers have put in place multi-country infrastructures to provide better economies of scale. This means your data could easily end up in any country around the world, potentially as a result of an automated process requiring no review or approval. This could conflict with local privacy legislation or put your data at risk if that country's privacy laws are less stringent than those of the EU. According to a paper presented at the 2009 IEEE International Conference on Services Computing, jurisdiction and legal status form "a large question looming like a dark cloud on the horizon... is stuff in the cloud on the same legal footing as stuff in your data centre?" [vi]

US Patriot Act

Many cloud providers are US companies governed by the US Patriot Act. This could well put non-US organisations in conflict with local privacy legislation or commitments to their clients, as US CSPs are legally required to surrender information to the US government on request, regardless of which country the data is stored in. For companies planning on using US CSPs, this poses a significant obstacle to cloud adoption.

Alistair Maughan, partner at law firm Morrison & Foerster, revealed in 2010 that the Patriot Act has already impacted the UK government, saying he'd worked on a case where the UK government was unknowingly sharing data with US authorities, which was allowed because of the Patriot Act. Maughan added that for now this was very good news for UK-based cloud service providers, as this will work to their advantage when clients are choosing between vendors [vii].

Proposed European regulation

In January 2012 the European Commission released its proposal for a new data protection framework. It will be the most significant global legislative development affecting the collection, use and protection of personal information for 15 years. The proposed laws will require all businesses collecting personal data in the EU to make changes to the way they collect and process that data, with an emphasis on explicit consent, data portability and the right to be forgotten through deletion. The laws will also apply to personal data handled abroad by companies that are active in the EU and that offer services to EU citizens. The proposed changes are intended to give individuals more control over, and easier access to, their personal data and to improve the quality of information about what happens to that data once individuals decide to share it.

"Traditional insurance products are unlikely to provide the scope of coverage required by the proposed regulation covering data breach and cyber liability" (Lawrence Graham LLP)

Although only at a consultative stage, key issues arising from this proposal are expected to tighten up both regulatory compliance and cloud security compliance. The law firm Lawrence Graham LLP identifies the following practical implications [viii]:

- Deploying the right privacy policies and consent forms will become increasingly important
- Organisations must examine what data needs to be encrypted to mitigate the effect of a data breach
- Encouragement will be given to associations to develop codes of conduct as well as certification mechanisms, data protection seals and the like, in order to allow individuals to quickly assess the level of data protection and data security offered by particular organisations (providing evidence of compliance will be critical)
- Traditional insurance products are unlikely to provide the scope of coverage required by the proposed regulation covering data breach and cyber liability
- Data controllers will need to review their contracts with CSPs to ensure that responsibilities are clearly set out (Lawrence Graham points out that CSPs may treat the new laws as an opportunity to demonstrate higher levels of security than their peers)

This last point is underlined by another European Union initiative, announced in September 2011, proposing that CSPs will become legally liable for data breaches. The Binding Safe Processor Rules (BSPR) will require CSPs to agree liability should any data offences occur at their data centres. Advocates argue that this will effectively act as an accreditation scheme for CSPs. Eduardo Ustaran, partner at law firm Field Fisher Waterhouse, suggests CSPs would sign up because it would give them a selling point [ix]. If they refused, they would be seen as unsafe to use. Ustaran points out that to gain accreditation, CSPs would have to prove their security models were adequate: "Cloud service providers would be given an accreditation from their data protection authority."

Current exposure to security and privacy breaches

Aside from legal and regulatory issues, there are questions to be answered around security technology and how it is employed in a cloud environment.

Variance in cloud service provider security

As the trend toward tighter regulation underlines, standards of security continue to vary, both between individual CSPs and between countries. In a survey by Ponemon Institute in 2010 [x], CSPs were asked "How confident are you that cloud applications and resources supplied by your organisation are secure?" Their responses were revealing. Only 43 per cent were confident with private cloud, and even fewer (39 per cent) were confident with public cloud. This reinforces the need for any organisation contracting a cloud service to take its own steps to protect against security and privacy risks.

The same survey highlighted differences in attitudes to cloud security between US and European CSPs. For example, in Europe the help desk supervisor is twice as likely to be responsible for cloud security as in the US. Perhaps reflecting the more litigious nature of business in the US, the legal function is nearly twice as likely to be responsible for cloud security as its European counterpart.

Denial-of-service exposure

While denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are nothing new, it's not just the corporate website that's the target now: put any services into the public cloud with open access across the internet and they become a DoS target. Even large, technology-savvy firms such as Google and Amazon have been hit by highly publicised attacks. As recently as October 2011, researchers demonstrated an account hijacking attack on Amazon Web Services that they believe could affect other cloud computing services as well [xi].
"Is stuff in the cloud on the same legal footing as stuff in your data centre?" (International Institute of Information Technology)

Tackling security in the cloud

GRC and legal considerations

Understand your requirements and establish a GRC framework

Before you sign a contract with a CSP it is important to work out your governance, risk and compliance (GRC) requirements based around recognised standards such as ISO/IEC27002:5, Information Security Forum, NIST, COBIT, ITIL and Cloud Security Alliance. The Cloud Security Alliance provides useful frameworks for building your cloud security response. Therefore, you need to establish what you need across multiple security zones, balancing costs, security and privacy considerations. These in turn can be used to prescribe meaningful SLAs for quantitative and qualitative assessment and risk management.

Service level agreements

As with any service provider contract, you should negotiate clear service level agreements (SLAs) for your CSP. These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching, disaster recovery, data backup/restoration, and vulnerability remediation.

Must haves

In the cloud, GRC goes hand in hand with enhanced security. To ensure your data is safe in the cloud at all times, make sure you think about the following:

- Who has access to your data?
- Where is your data held?
- What is the CSP doing with it?
- How is the CSP protecting it?
- How is the CSP deleting it to ensure that there is no residual data remnant?

In fact, there is a clear need to ensure that contractual arrangements with any outsourced data provider are put in place to govern the circumstances in which data is deleted. In July 2011, as the News International phone-hacking investigation gathered pace, Parliament approached its outsourced data provider to ask for clarity on data it might have deleted [xii]. This underlines that there are legal requirements for certain information to be retrievable, and, with more and more services and applications being outsourced to the cloud, the ability to demonstrate compliance may well be one of the main reasons companies will choose to outsource in future.
"Cloud security had not yet distinguished itself as a field separate from information assurance. Its security metrics are currently synonymous with what a security professional would refer to as a third-party or vendor security audit" (J Bayuk, Stevens Institute of Technology)

Audit

As with any other environment, regular auditing of your CSPs to ensure compliance with your agreed policies is critical. CSPs may be reluctant to allow you access to audit, so this needs to be agreed up front, prior to signing any contract. Some CSPs have a queue of clients looking to undertake audits, so it may be that a regular audit by a recognised third party to an applicable standard meets much of the requirement. Indeed, there are moves under way to establish independent certification of CSPs.

Security metrics

Security metrics are quantitative measurements to assess security operations. They help the organisation to make decisions about various aspects of security, which include security architectures and controls over the effectiveness and efficiency of security operations. Security metrics are valuable at IT managerial level and to stakeholders who are questioning the security impacts on business processes and activities. Security operations frequently demand high expenditures, and security metrics provide a comprehensible rationale for these costs.

The US National Institute for Standards and Technology (NIST) Security Metric Identification Framework characterises security metrics into three types, as follows:

- Implementation metrics: intended to demonstrate progress in implementing information security programmes, security controls, and related policies and procedures
- Effectiveness/efficiency metrics: intended to monitor the programme-level processes and that system-level security controls are implemented correctly, operating as intended, as well as meeting the desired outcomes
- Impact metrics: intended to articulate the impact of information security on an organisation's business objectives

Third party relationships

You are only as strong as your weakest link. In corporate environments, your weakest link could be integration with your partners. In the case of CSPs, this is even more likely, due to the necessary integration of various third parties and applications into the cloud environment. You need to ascertain how your CSP enforces security processes for integration with any third parties that they use, whether there is a certification process to make sure that third-party applications are secure, and that hackers cannot get into the CSP environment through one of these partners.

CSP termination/exit

There will come a time when any outsourcing arrangement reaches a termination date. It's possible this will arise because services and applications are being brought back in house, but in a cloud situation the driver may well be a commercial imperative to move to a new supplier, or to take account of merger and acquisition activity. The point is that a clear exit plan should be included in the contract from the outset, to ensure that data is retrievable securely and in as pain-free a way as possible, and that all residual data is destroyed. With the possibility that data may have been replicated across multiple storage environments, sites and countries, it follows that a clear audit trail must be maintained throughout the life of the relationship.
"94% of organisations are planning to allow staff to bring their own devices to work by 2013" (Survey commissioned by Citrix, 2011)

Security controls

Security controls underpin good governance in the cloud, but also have the potential to offer low-hanging fruit and quick wins. One approach is to build an internal or private cloud using your own security solutions. Private cloud allows you to work out the features and service levels you need from a cloud service to support your application before committing to a contract. Like any transformation, identify low-risk applications to try out the new technology. In the context of security that could mean targeting applications that are non-critical, and that do not contain personal or business-sensitive data.

Physical security

It's important to assess the physical security barriers that your CSP (and its contracted hosting providers, if separate) has in place. Physical security should be even tighter than at your own premises, because you have no control over the actions of CSP/contractor employees.

Infrastructure security

In recent months, aggressive marketing by various cloud providers has made it easier for hackers to get accounts and plant botnets. Cloud is also susceptible to many more denial-of-service (DoS) attacks than other computing models. CSPs need to ensure that their perimeter is secure and their barriers to attack are robust. You need to find out what measures your CSP deploys to keep the bad guys out:

- Do they have strong network firewalls? How are they kept updated?
- Do they have good intrusion detection systems/intrusion protection systems (IDS/IPS) in place? How do they monitor the events?
- Do they have security event and incident management (SEIM) or log management software in place?

Client security

Don't overlook your own client side. Browsers, browser plug-ins and thin clients used by your staff are a key point of vulnerability, so make sure they are as secure as possible. As researchers have pointed out, "the browser is still very limited in its capacities as an authentication centre for cloud computing" [xiii].

Encryption

Even if a third party gains access to your data, if it's encrypted and they don't have the key it can stay protected. You need to consider at-rest, in-transit and in-use data to be fully covered. Management of the keys with encryption is crucial. If a CSP installs the key, understanding who will have access and how you can control and audit access is very important. In some cases you may require that keys are only handled by your own staff.

Virtualisation security

Almost all cloud providers use virtualisation to provide economies of scale and an optimal distributed architecture. Virtualisation has its own set of security issues, and you need to understand what security process your CSP has for its virtualisation environment, and how it identifies, tests and fixes vulnerabilities.

Access controls

CSPs need to consider major issues around access control, such as authentication, non-repudiation, user management and much more. It is imperative to understand the standards and mechanisms in place for:

- User provisioning
- Management of the credential authentication process
- Visibility and control
- Dedicated virtual private networks (VPNs)
- Federated identity process and how it is managed
- Registration and authentication processes and controls

It is not enough to rely simply on the CSP's contract, as most organisations have specific policies in place governing access to different levels of data by different employees. As Subashini and Kavitha point out, "the SaaS model must be flexible enough to incorporate the specific policies put forward by the organisation" [xiv]. Once you begin to use multiple CSPs, managing access becomes even more complex. It is advisable to look for solutions that offer a level of automation/synchronisation with your existing ID management solutions and that do not rely on manual processes.
"Not every commercial Web application software developer or business that creates custom applications will fix its code in a timely manner" (Information Week, September 2011)

Consumerisation

One of the key benefits of cloud is that applications become accessible remotely via mobile devices. Organisations that are early adopters of cloud tend to be early adopters of these technologies too. Consumerisation of user devices (also referred to as bring-your-own-device, or BYOD), whereby individuals connect to the corporate network or direct to cloud using personal PDAs, iPhones, tablets and so on (that have not been issued by the business), poses a new risk.

Personal devices are more likely to be used in a cloud environment than within a traditional corporate network, because the whole cloud model is driven by subscription-based services. This, in turn, is setting user expectations such that the cloud/personal device combination is becoming a default standard for work and leisure. In a global survey published in January 2012, 88 per cent of executives reported that employees were already using their personal computing technologies for business purposes [xv]. This trend toward consumerisation has been corroborated by many CIOs with whom Company85 comes into contact, and its effect is to multiply the headaches associated with granting and withdrawing access privileges. Whereas corporate laptops were typically refreshed over a three-year cycle, consumers may upgrade personal devices as often as once a year.

The use of insecure personal devices is surprisingly commonplace, and represents a severe threat whether used within or outside a cloud environment. The same survey cited above suggested that 55 per cent of companies had already experienced a security breach as a result of personal technologies being used in the workplace. Businesses need to consider context-aware security capabilities that adapt access policies to device, user and location.

[Figure: Do you allow employees to use personal devices for work? Source: Aberdeen Group, 2011]

Application security

With over 80 per cent of attacks happening through web applications, application security has become a critical element in the overall cloud decision-making process. Although the exposure is similar to what you would have in your own private environment, with cloud it is likely to be on a massive scale and you may not have any control over it. Therefore, you need to consider:

- Does security ownership transfer to the infrastructure provider?
- How does the migration to cloud impact your software development lifecycle?
- What measures are in place to protect against common vulnerabilities such as cross-site scripting, SQL injection and so forth?
- API security and management
- Encryption key management
- Vulnerability assessment, identification and remediation
Instant test: 20 questions to assess your cloud maturity posture

Here are 20 critical areas that need to be addressed in a secure cloud environment. Score 0 if you are not happy that you have each area fully covered, and score 1 if you are happy.

1. Risk assessment
Have you carried out a comprehensive risk assessment exercise for migration to cloud services, identified mitigating controls to address the risks identified, and do you have an on-going risk management programme?

2. Physical security
Have you specified and agreed physical security policies with your CSP, and are there provisions to audit compliance?

3. People
Have you specified and agreed pre-screening and background checks of the CSP staff and/or any CSP third party that will manage your cloud services?

4. Data loss prevention (DLP)
Have you specified your DLP requirements, whereby data is protected at rest, in transit and in use across the network and at the endpoints, as well as logging of security incidents?

5. Infrastructure security
Have you specified network security requirements to your CSP, such as infrastructure virtualisation, firewalls, platform hardening standards, patching, intrusion detection/intrusion protection systems (IDS/IPS), a security operating centre (SOC), event monitoring and log management to monitor the events?

6. Access control
Are you satisfied that the CSP is providing adequate standards for provisioning of users, including credential management; the level of control you have; dedicated VPN; the federated identity process and how it is managed; and whether OpenIDs can be used for registration and authentication?

7. Application security
Have you specified appropriate security countermeasures and controls to your CSP for the following:
Cross-site scripting and cross-site request forgery (CSRF)?
SQL database server injection?
Session management?
Software development life cycle (SDLC)?
Application program interfaces (APIs)?
Encryption keys and key management?
Vulnerability management / penetration testing?

8. Licensing model
Have you defined a software and hardware licensing model with your CSP, e.g.:
per user (a user is granted a licence to use an application);
per device (an application is granted a licence on a per-device or per-processor basis);
enterprise (the licensing model covers all devices and users)?

9. Virtualisation security
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? Are utilities that can significantly manage virtualised partitions (e.g. shutdown, clone) appropriately restricted and monitored? Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?

10. Data backup
Are you satisfied with where your CSP will be keeping your data backups, and is the data at rest encrypted?

11. Access to data and e-forensic capability
Have you confirmed, agreed and put into the SLA with the CSP rights of access to data in general, as well as access for local governments and e-discovery provisions for law enforcement bodies to collect evidential electronic data?

12. Escrow arrangements
Have you made escrow arrangements for your source and object code with the CSP, or sought an independent third party to ensure access to your code if you are changing CSP?

13. Service performance metrics and monitoring
Have you defined acceptable service performance KPI/KRI metrics and how they will be monitored?

14. Incident management
Have you defined incident handling and escalation processes with the CSP? Are the following satisfactory:
detecting, identifying, analysing and responding to incidents;
incident handling processes (both during the incident and post analysis);
real time security monitoring (RTSM) service;
severity levels and escalation process;
e-forensics data and forensic image of virtual servers;
metrics reporting?

15. Legal compliance
Have you fully explored the legal issues associated with:
Physical location of your data and legal jurisdiction?
Requirements of the Data Protection Act, and requirements for personal data and data processed outside of the European Economic Area (EEA)?
Liability of the CSP in the event of a data breach?
Intellectual property rights, trade secrets or privileged information?
Third party access to your stored data?

16. Business continuity and disaster recovery
Does your CSP have a business continuity and disaster recovery plan in place that is regularly tested, and have you ensured that:
The backup can restore recovery time objective (RTO) type performance and recovery point objective (RPO), and that they are clearly set out in the SLA?
The CSP and the layers of service providers (managed service providers for backup, network service providers for WAN, etc.) are all willing to live up to the service level agreement (SLA) and meet your DR requirements?

17. CSP independent certification
Does your CSP have independent audit assurance and attestation against Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organisation (formerly SAS70) type II reporting, and ISO27002 certification?

18. CSP third parties
Have you confirmed with your CSP that they rigorously enforce and audit third party CSPs that they use in providing the overall service to you against agreed SLAs and security provisions?

19. Regulatory compliance
Have you specified any regulatory and compliance requirements in your SLA with the CSP for the Data Protection Act 1998 for any personal information processed, data breach notification for the CSP and any third parties they use, PCI data if you are processing credit card information, FSA compliance, Sarbanes Oxley Act, US Patriot Act and Safe Harbour Pact?

20. CSP termination and exit
Have you agreed a process in the SLA with the CSP that will ensure smooth transition to another provider, inclusive of all:
Application/source code?
Data portability?
Intellectual property?
Data backups?
Escrow arrangements for your source and object code with the CSP, or sought an independent third party to ensure access to your code if you are changing CSP?

Total score: See over for analysis.
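The Application security section and question 7 above ask whether the CSP has countermeasures for cross-site scripting, SQL injection and CSRF, but do not show what those countermeasures look like in code. The following is an added example, not part of the Company85 guide, that puts the weak form of each control beside its hardened form in Python. It runs offline against an in-memory SQLite table; the table, its two rows, the session identifiers and the signing secret are all constructed for the example.

```python
"""Added example (not from the Company85 guide): three web application
controls from question 7, each as a vulnerable-versus-hardened pair.
All data below is constructed for the example."""
import html
import hmac
import secrets
import sqlite3

# Constructed sample rows; a real application would read from its own store.
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]

# Constructed per-process secret used to sign CSRF tokens.
DEMO_SECRET = secrets.token_bytes(32)


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the two lookup functions query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


# --- SQL injection: string-built query versus bound parameter ---------------
def lookup_email_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # Defect kept on purpose: the caller's input is spliced into the SQL text,
    # so an input such as "x' OR '1'='1" rewrites the WHERE clause and the
    # query returns every row instead of one.
    rows = con.execute(f"SELECT email FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]


def lookup_email_hardened(con: sqlite3.Connection, name: str) -> list:
    # The input travels as a bound parameter, so the driver never parses it
    # as SQL; the same hostile string simply matches no row.
    rows = con.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


# --- Cross-site scripting: raw interpolation versus output encoding ---------
def render_greeting_vulnerable(display_name: str) -> str:
    # Defect kept on purpose: untrusted text is placed straight into HTML.
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_hardened(display_name: str) -> str:
    # Encode for the HTML text context so markup in the input is shown, not run.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


# --- CSRF: token bound to the session and compared in constant time ---------
def issue_csrf_token(session_id: str, secret: bytes = DEMO_SECRET) -> str:
    # Deriving the token from the session id means a token taken from one
    # session does not validate for another.
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def csrf_token_valid(session_id: str, submitted: str, secret: bytes = DEMO_SECRET) -> bool:
    expected = issue_csrf_token(session_id, secret)
    # A form POST without the token, or with another session's token, is rejected.
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Run each pair on the same hostile input and return what each one did."""
    con = make_db()
    hostile_sql = "x' OR '1'='1"
    hostile_html = "<script>alert(1)</script>"
    token = issue_csrf_token("session-A")
    return {
        "sqli_vulnerable_rows": len(lookup_email_vulnerable(con, hostile_sql)),
        "sqli_hardened_rows": len(lookup_email_hardened(con, hostile_sql)),
        "xss_vulnerable_contains_script": "<script>" in render_greeting_vulnerable(hostile_html),
        "xss_hardened_contains_script": "<script>" in render_greeting_hardened(hostile_html),
        "csrf_same_session_ok": csrf_token_valid("session-A", token),
        "csrf_other_session_ok": csrf_token_valid("session-B", token),
    }


if __name__ == "__main__":
    for control, outcome in demo().items():
        print(f"{control}: {outcome}")
```

Each pair is the check an assessor would want evidence of when scoring question 7: parameterised queries rather than string-built SQL, context-appropriate output encoding rather than raw interpolation, and CSRF tokens bound to the session and compared in constant time. The session management and SDLC items in the same question are process controls and are not shown here.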
Scores on the doors: your cloud maturity posture

The higher your score, the more mature your cloud maturity posture is. By carrying out the exercise you should have been able to identify any areas requiring remediation. The following categorisation may also be of help.

0: None
No cloud approach currently taken.

1-4: Initial
Awareness of cloud security understanding established, and some groups beginning to implement elements of cloud in terms of low-risk applications and data.

5-8: Repeatable
Cloud security risk assessments and approach have been decided upon and applied. The approach has not been widely accepted and redundant or overlapping approaches exist; it may be informally defined.

9-12: Defined
The approach has been reviewed and accepted by affected parties. There has been buy-in to the documented approach and the approach is always (or nearly always) followed.

: Managed
Cloud security is likely to have been effectively defined, managed and audited via a formal governance structure. Appropriate metrics may be being gathered, reported and acted upon.

: Optimising
Metrics are probably being consistently gathered and are being used to incrementally improve the capability. Assets are proactively maintained to ensure relevancy and correctness. The potential for market mechanisms to be used to leverage inter-cloud operations has been established.

Next steps

It is critical that, in order to protect your business, you independently assess any existing or potential CSP providing you with public or private cloud services. From an internal perspective, cloud will always be cheaper and easier to implement if you get it right first before outsourcing to a third party. The cloud maturity posture self-assessment questionnaire scratches the surface of cloud security, but illustrates the deep-level, comprehensive approach taken by Company85 consultants. We work with business and technology stakeholders, providing bespoke and packaged services and actionable recommendations to identify low-hanging fruit and build confidence in your solution. If you're planning a cloud migration, need to kickstart or accelerate an existing project, or need an independent assessment of your current cloud maturity posture, we can help. We can review your plans and help devise a roadmap that will deliver quick wins while enhancing and extending cloud security.

About Company85

Company85 are independent experts in enterprise-class information protection and data centre transformation. We provide agnostic advisory and project services to private and public sector organisations, from blue-chip FTSE100 corporations to local authorities and regional police forces. Headquartered in London, Company85 delivers projects in the UK and internationally in Europe, Africa and the Middle East. Our unique blend of expertise in security, optimisation, consolidation and managed services is backed up with a strong heritage, the exceptional pedigree of our people, and the referenceability and quality of our client and partner relationships. Company85 was a medallist in the organisational excellence category of the UK IT Awards 2011, was shortlisted as Channel Service Provider of the Year 2011, and was shortlisted as Specialist Business Continuity Company of the Year. Company85 is a Technology/Professional Services Group Member of BCS, the chartered institute for IT.
Glossary

API: Application programming interface
BC / Business continuity: Keeping all aspects of a business functioning during disruptive events
BSPR: Binding Safe Processor Rules: proposed European legislation that will require CSPs to agree liability should any data offences occur at their data centres
BYOD: Bring your own device (personal phones, tablets etc.)
Cloud (computing): A model for enabling convenient, on-demand network access to a shared pool of resources (e.g. networks, servers, applications, storage and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST)
COBIT: A framework for IT management governance
CSP: Cloud service provider
CSRF / cross-site request forgery: An attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated
CSS / cross-site scripting: Injection of malicious scripts into an otherwise benign and trusted web site
Data loss prevention (DLP): Detection and prevention of unauthorised use and transmission of confidential information
DDoS / distributed denial-of-service attack: DoS attack involving multiple systems attacking a single target
DoS / denial-of-service attack: Attempt to make a computer or network resource unavailable
DR / Disaster recovery: Process, policies and procedures related to recovery or replication of systems
GRC: Governance, risk and compliance
IaaS: Infrastructure-as-a-service
IDS: Intrusion detection system
IPS: Intrusion protection system
ITIL: IT Infrastructure Library service management standard
KPI: Key performance indicator
KRI: Key risk indicator
NIST: National Institute of Standards and Technology: US federal technology agency
PaaS: Platform-as-a-service
Patriot Act: A law enacted in the US, primarily aimed at terrorism prevention
RPO: Recovery point objective
RTO: Recovery time objective
RTSM: Real time security monitoring
SaaS: Software-as-a-service
SEIM: Security event and incident management
SOC: Security operating/operations centre
SQL injection: An attack in which malicious code is run on the SQL database
VPN: Virtual private network
Virtualisation: Hiding the physical characteristics of a computing platform from users

References

i
ii
iii linkedin_2011sep_worldwide_stateofcloudsurvey
iv
v
vi pdf
vii
viii
ix
x Security of Cloud Computing Providers Study, Ponemon Institute, 31 December 2010
xi
xii
xiii
xiv
xv
Company85 Limited, Warnford Court, 29 Throgmorton Street, London EC2N 2AT
t: +44 (0) f: +44 (0)

Company85, the Company85 logo and 'accomplish more' are trademarks or registered trademarks of Company85 Limited in the United Kingdom and in other territories. Other company, product and service names are the property of their respective owners. This publication is issued for general guidance only. Copyright Company85 Limited. All Rights Reserved.