Information Disclosure Reference Guide for Cloud Service Providers

Transcription

1 Information Disclosure Reference Guide for Cloud Service Providers In Conjunction with "Guide to Safe Use of Cloud Services for Small-to-Mid-Sized Enterprises" April 2011 Information-technology Promotion Agency, Japan (IPA)

2 Information Disclosure Reference Guide for Cloud Service Providers In Conjunction with "Guide to Safe Use of Cloud Services for Small-to-Mid-Sized Enterprises" Introduction IPA has published the "Guide to Safe Use of Cloud Services for Small-to-Mid-Sized Enterprises" (hereinafter referred to as the Safe Use Guide) to facilitate the use of cloud services by small-to-mid-sized enterprises (SMEs). The Safe Use Guide contains descriptions of cloud services, advantages and points to consider when using them, and shows utilization examples along with the expected effects. It also describes items to prepare and check before using such services. Majority of the Items relates to information to be disclosed by cloud service providers. For safe use of cloud services by SMEs, it is desirable for necessary information to be provided by cloud service providers appropriately and timely. This guide covers information disclosure by cloud service providers and shows the ideal model about what and how to disclose from the perspective of safe use of closed services by SMEs. To achieve one of the strengths of cloud services, "self service on demand", active information disclosure from cloud service providers is desirable. Information to be Disclosed by Cloud Service Providers In the Safe Use Guide, the following categories are presented as the information to be disclosed by cloud service providers: Reliability of Service Provider Reliability of Service Security Measures User Support Securing data at the Term of Use Check Contract Terms 2

3 For each of the above categories, the desired items of information for disclosure are given, along with suggestions on the methods of disclosure. It does not mean that all items listed here must be made public. These items are meant as the information to be referenced when users are to make decisions by themselves regarding use of a cloud service. Alternatively they can be provided on demand with a limited scope of items and manner (for example, only provided to existing customer society members) if it is necessary. The ideal situation is that the information necessary for users is provided without extra workload on the cloud service provider, and as a result, use of cloud services by SMEs is promoted. 3

4 1. Items and Methods for Information Disclosure Regarding "Reliability of Service Provider" Description of Items in Safe Use Guide (9) Is the cloud service provider reliable? Check that the management of the cloud service provider is stable, and the service is likely to be provided for the long term. What does "reliability of service provider" mean? For cloud service users, stability and continuity of the service is a major concern. Information regarding continuity and stability from the financial and operational points of view is desired. In particular, the following points are considered to meet such needs. Items regarding reliability of service provider Information about the existence of the business, such as the company name, company address, and contact information (phone, fax and/or ) Information about continuity of service, such as the time of foundation, the time the cloud service was first introduced, and the actual use record of the service Reference information about purchasing or employing the service, such as resellers and business partners Corporate information that is disclosed based on regulations (public offerings of stock, internal control reports, information security reports, information security audit reports, disclosure based on the MIC s information disclosure guidelines for safety and reliability of ASPs and SaaS, etc.) In the Safe Use Guide, the following are listed saying the following information may give some reference to support your judgment; 1 (a) Is the provider public on stock market? The public enterprises are subject to inspection to its corporate management and are obligated to disclose relevant information periodically. (b) How long has the provider been doing business? Running 1 In the Safe Use Guide, the following is given as a note: "These items are only meant for reference. It is not a requirement that these conditions be met, and meeting these conditions does not necessarily mean that the provider is reliable. On the other hand, new cloud service providers or new services may enter into market with high and appreciable value. Having a perspective to make effective and safe use of these services is as important as depending on establishments. " 4

5 business for a long period of time constitutes indication of stability and continuity. (c) Does the service have many users? Being used by many users generally mean higher reliability. It further helps if you can specifically know who are using the service. (If you have a chance to talk to actual users of the cloud service, confirm whether they have a negative valuation on the service in terms of ease of use, effect on investment, occurrence of failures and measures taken in case of failure.) (d) Do you frequently hear news about failures? Is the provider taking appropriate measures in case of failure? (e) In some cases the service is distributed by a reliable system integrator or IT distributor. If a reliable and proven enterprise recommends and resells the service, it can be assumed to be reliable to some extent. (f) Some cloud services are provided on a platform provided by a large cloud service provider. (Computer manufacturers and communication carriers also provide cloud services.) In this case, the security and reliability of the platform cloud service, such as availability and tolerance against attacks, are generally high. About the method of disclosure It is recommended that information regarding provider reliability be described on a website or in a service catalog. Users tend to check out the cloud service provider references at the same time they study service details. Therefore, it is desirable for this information to be directly accessible from the website or in the catalog that introduces the service. 2. Items and Methods for Information Disclosure Regarding "Reliability of Service" Description of Items in Safe Use Guide (10) Are the service levels indicated in such way of uptime rate of services, frequency of failures and target time to recover in case of failures? Cloud services are sometimes suspended due to maintenance or failures, with or without a prior announcement. Policies for, and measures against such service suspensions are often described in a document such as the Service Level Agreement (SLA). 5

6 What does "Reliability of Service" mean? In addition to reliability of cloud service provider, the users want to be able to check the reliability of the service itself. Information about service reliability can include uptime rate of the service, information regarding how to notify and how much time to recover from a planned or incidental suspension, and information on support and other services available during such suspension. By disclosing operational information, users will feel comfortable about using the service. Items regarding service reliability Information about service operation State of the service and the system during normal operation Where (such as a dashboard) to obtain the information to check operation state and how to use it Information about service uptime rate Expected or guaranteed rate of service uptime (including denomination of the measurement) Compensation when the guaranteed rate of uptime is not achieved Information about planned suspension Lead time for prior notice Maximum downtime Information about recovery from failure Method and time of notice in case of failure Method of information provisioning during recovery, such as the expected time required to recover from failure Support provisioning during suspension In the Safe Use Guide, the following items are listed for checking: (a) For service suspension with prior notice, make sure that sufficient lead time of notice is ensured, that manner of notice is sufficient to ensure the notice is given in advance, and that there is no possibility of inconvenience. (b) Though it may be difficult to give prior notice or forecast of sudden failures, check with the cloud service provider regarding how the provider will contact you when a trouble occurs in the cloud services. It is important as well that immediate notice upon a trouble is implemented. (c) Regarding unexpected failures, some cloud service providers provide information such as the frequency of faults estimated logically or statistically, and the target time to recover. Such information is often aggregated and shown as "uptime rate guarantee". 6

7 If an uptime rate guarantee is provided, check the basis of the rate (typically, it is provided on a monthly basis). If an annual denomination is used, even 0.1% downtime can logically mean 8 hours and 45 minutes of continued service suspension. Note that the uptime rate guarantee is sometimes simply referred to as an SLA. (d) In addition, uptime rate guarantee is generally provided in a manner of commitment to compensate some damage in case the duration of service suspension exceeds the guarantee. It is to be noted that there is no guarantee of service availability as indicated as uptime rate guarantee. To protect against unexpectedly prolonged service suspension, preparation by implementing a local backup or archiving, as described in item (8) above, is recommended. (e) Some cloud service providers provide a screen, often called a dashboard, to provide information about current operation and trouble status of the cloud in real time. It can be expected that such cloud service provider has high level of management to ensure service operation. It is also helpful and comfortable for you to be able to observe operating conditions from time to time. About the method of disclosure It is recommended that information regarding service reliability be described on a website or in a service catalog. Users tend to check out service reliability references at the same time they study service details. Therefore, it is desirable for this information to be directly accessible from the website or in the catalog that introduces the service. In addition, regarding service reliability, information about past cases is often requested, such as the provider s response in case of failure. In many cases, publicizing history and case studies of failure response results in feeling of reliability and comfort by users. It is desirable for such information to be disclosed to the extent that does not adversely affect the business. 7

8 3. Items and Methods for Information Disclosure Regarding "Security Measures" Description of Items in Safe Use Guide (11) Are detailed security measures for the cloud service disclosed? In most cases cloud service providers make explanations on their security measures available on their web sites. They may also publish annual reports (which often takes the form of Information Security Reports or CSR Reports) or security white papers (reports). What does "Security Measures" mean? One of the major concerns regarding use of cloud services is security measures. Since SMEs generally do not have sufficient knowledge about the mechanisms by which cloud services are provided or the elements required to ensure the safety of services, they are not capable of checking security-oriented safety measures by themselves. For this reason, they are assumed to often have vague anxiety about using a service provided by a third party or entrusting data outside their enterprise. Disclosing security measures applied to systems and data will lead to user comfort. Items regarding security measures (a) Security Controls on the Systems Timely application of updates, security patches and service packs on operating systems and application programs Measures to ensure system availability and reliability (such as multiplexing or redundancy of servers, storage, and networks, and automated backups) (b) Security Controls on the Data Management Automated encryption or provisioning of encryption features Automatic backup by the cloud service provider (including intervals, generations, recovery steps, term of preservation, etc.) (c) Security Controls on the Networks and Communications Measures to protect against viruses and malware, countermeasures against unauthorized access, and remedies for network troubles Measures for monitoring, detection, analysis, and protection against failures or cyber attacks (d) Security Features of Data Centers Safeguard equipment, entrance and exit controls, emergency 8

9 response, monitoring systems, etc. Duplication of power supply and cooling equipment, auxiliary power supply, etc. (e) Security Management of the Data Center Operations Employee screening of operators, monitoring of their daily services and operations Management of access controls to systems and administration privileges, monitoring operation logs, etc. About the method of disclosure Security measures tend to be difficult to evaluate, including if the control level is sufficient. Therefore, it is recommended to simply disclose whether or not these measures are implemented. Disclosing details of security measures could provide information to someone intending to attack the system, so you might decide to limit disclosure to a range free from such risks. Common methods of information disclosure are posting on the website or creating and distributing documents. If the information is solely for current users, the disclosure could be in a dedicated way or done upon request. However, please note that this information might be utilized by users in conjunction with in-house security management, so it should be useful if the information is provided in a document. In addition, regarding information security measures, making periodical reports is a better and preferable manner to raise user confidence. Providing reports and white papers on information security management is also useful as they serve as the information sources to be used for self security audits of the users. The Safe Use Guide provides following descriptions. When a cloud service provider discloses information according to these references, it can be effective to complement the above disclosures of security measures. Government and public entities provide variety of information disclosure references and services guidelines. In addition, there are many standards, including from private sectors, about information security and data protection and management. If the cloud service provider performs operation management and information disclosure, and obtains certification and accreditation, based on and under these standards, it is likely you can be confident about the provider's reliability and security management. Examples of these guidelines and standards include the following: Ministry of Economy, Trade, and Industry (METI): SLA Guideline for SaaS 9

10 METI: Information Security Report Model METI: Information Security Management Guidelines for the Use of Cloud Services Ministry of Internal Affairs and Communications (MIC): Information Security Management Guidelines for ASPs and SaaS MIC: Information Disclosure Guidelines for the Safety and Reliability of Data Centers Information Security Management System (ISMS) Conformity Assessment Scheme IT Service Management System (ITSMS) Conformity Assessment Scheme Japan Institute for Promotion of Digital Economy and Community (JIPDEC): Privacy Mark System Foundation for Multimedia Communications (FMMC): Information Disclosure Certification System for the Safety and Reliability of ASPs and SaaS PCI DSS: Payment Card Industry Data Security Standards (Data Security Standards defined by the credit card industry) Audit reports regarding internal control, based on SAS 70 Type II Audit defined by AICPA (American Institute of Certified Public Accountants) (in Japan, equivalent to the "Clause 18 Audit" defined by the Japanese Institute of Certified Public Accountants) 4. Items and Methods for Information Disclosure Regarding "User Support" Description of Items in Safe Use Guide (12) Is assistance (help desk support and FAQs) provided when users cannot see how to use the service? Facilitations for user assistance include FAQs (frequently asked questions) available on the cloud provider's website, manuals in the form of video and other media, and help desk (customer assistance) that accepts questions on usage of services. What does "User Support" mean? One of the requirements of good service for SMEs is sufficient support. It should lead to user comfort providing sources of information or resources to consult for the cases where ways of use are unknown or troubles occur. If a user community is provided in addition to an in-house support 10

11 framework, information exchange between users may also be helpful. Items regarding support framework and its contents Offering operating instructions and reference material such as online help and user manuals. Frequently asked questions (FAQ): It is recommended that FAQs can be easily navigated from the top page, and that they are equipped with a sufficient keyword search system. Support contact information: Contact addresses (phone, fax, , etc.), form of response, business hours, fees and fee diagrams, etc. Information about user communities: Support bulletin boards, introduction of user groups, etc. About the method of disclosure It is recommended that support point of contact be provided on the cloud service provider's home page and the respective website for each service, and also within service terms and contract forms. If support must be paid or preregistration is required, it is important that the user is informed and the agreement is obtained in advance. 5. Items and Methods for Information Disclosure Regarding "Data Handling Conditions when Service Use Has Ended" Description of Items in Safe Use Guide (13) Check the conditions how the data will be disposed after termination of cloud service use. When for some reason the use of a cloud service ends, the data stored in the cloud must be restored to the in-house system or moved to another service provider. What does "Handling Data When Service Use Has Ended" mean? Users often request that the data created and stored on the cloud should be returned when for some reason they end use of the cloud service. By providing information on how to restore the data processed in cloud to local site for use by the user, users will feel comfortable and will be able to make informed decision about the use of the service. In addition, how data is erased from the cloud at the end of use is also a matter of concern, not only for personal and sensitive information, but for 11

12 all information handled by the enterprise. It is important to guarantee and explain that the data stored on the cloud will be deleted, and will never be recovered, reused, or leaked. Items regarding handling data at the end of use Method for copying and saving data to the local environment at the end of use Supported data formats Guarantee about erasing user data from the cloud after end of use In the Safe Use Guide, the following are listed as points that need to be checked: Whether the data is returned at the necessary time (or, as an alternative, whether local copying is possible as needed, and transfer speed is commensurate with data volume) Whether the formats of returned data are compatible with other systems When use has ended and data is returned, whether remaining data on the cloud system is certainly erased and protected against reuse or abuse by third parties About the method of disclosure It is recommended that information required for handling data at end of use be provided on the website in advance. Another recommendation is to provide tools to users to safely download data. 6. Items and Methods for Information Disclosure Regarding "Checking the Contract Terms" Description of Items in Safe Use Guide (14) Check general terms of the contract. When using a cloud service, the contract terms are generally structured as to take effect when the user clicks a button marked "I agree." This has the same effect as a written and signed contract, so check the contract terms before clicking the "I agree" button. What does "checking the contract terms" mean? Use of cloud services is a general business transaction, and the contract terms should be mutually confirmed and signed. However, cloud services in general have a set of terms and conditions on the website for users to read 12

13 and the contract takes effect when the user clicks the "I agree" button. Therefore, some users begin using the service without carefully comprehending the contents of the contract. Since some of the terms could cause discrepancy in some rare occasion, it is recommended that the users duly understand these terms before they enter into a contract. Also, it is recommended that these contract terms be made always available so that users can easily refer to them at any time during the service use. Items regarding confirmation of contract terms The Safe Use Guide shows the following by saying generally, in addition to those that constitute the actual contents of the transaction, the following terms should be carefully considered as well: Pricing system and applicable conditions Sentences constituting price changes (when to notice, how to notice, how to deal with disagreement, etc.) Sentences constituting change of service (what to change, how to change, when to notice, how to notice, how to deal with disagreement, etc.) Non-disclosure obligations (check vendor side, user side and reciprocal obligations; confirm the non-disclosure obligations of the vendor regarding user information, as well as obligations on the user side) Damage compensation rules (whether damage compensation are stipulated for the case of loss of data due to causes attributable to vendors or the consequential damage due to service interruptions, as well as whether or not these rules are sufficient) Rules governing expiration and renewal of contract (what is the initial and renewed term, whether there is an automatic renewal provision, and when and how to notice for renewal or expiration of the contract) Rules governing termination of the contract (check for stipulations that give the vendor the option to terminate the contract at its sole discretion and whether a penalty is imposed when the contract is terminated by the user) Sentences defining procedures associated with expiration or termination of the contract (whether vendor obligations and user rights are defined for the case the contract is terminated, and whether they are appropriate; also, whether it is clearly specified that user data shall be returned upon termination and remaining user data on the cloud shall be completely erased after the data is returned) 13

14 About the method of disclosure Contract terms and conditions for using the service must be shown in a clear and easy-to-understand manner so that users can sufficiently understand the contents before agreeing. In addition, it is recommended that the exact contents are reserved as the user agreed on, so that they can be kept referable by both the user and provider in future. Provide the contract terms on the website so it can be referred to any time while the contract is in effect. Also, when changing the terms and conditions during contract, make sure that the agreement to the change from users are secured and recorded. End of document <URLs for guidelines standardized by public organizations regarding information disclosure policies and services> Ministry of Economy, Trade, and Industry (METI): SLA Guideline for SaaS METI: Information Security Report Model METI: Announcement of Information Security Management Guidelines for the Use of Cloud Services Ministry of Internal Affairs and Communications (MIC): Information Security Management Guidelines for ASPs and SaaS MIC: Information Disclosure Guidelines for the Safety and Reliability of ASP and SaaS MIC: Information Disclosure Guidelines for the Safety and Reliability of Data Centers Information Security Management System (ISMS) Conformity Assessment Scheme IT Service Management System (ITSMS) Conformity Assessment Scheme Japan Institute for Promotion of Digital Economy and Community 14

15 (JIPDEC): Privacy Mark System Foundation for Multimedia Communications (FMMC): Information Disclosure Certification System for the Safety and Reliability of ASPs and SaaS PCI DSS: Payment Card Industry Data Security Standards (Data Security Standards defined by the credit card industry) Audit reports regarding internal control, based on SAS 70 Type II Audit defined by AICPA (American Institute of Certified Public Accountants) (in Japan, equivalent to the "Clause 18 Audit" defined by the Japanese Institute of Certified Public Accountants)