OPINION PIECE. It s up to the customer to ensure security of the Cloud

Transcription

1 OPINION PIECE It up to the cutomer to enure ecurity of the Cloud

2 Content Don t outource what you don t undertand 2 The check lit 2 Step toward control 4 Due Diligence 4 Contract 4 E-dicovery 4 Standard 4 Privacy 4 Buine continuity 5 Application development 5 Identity 5 Virtualiation 5 Practice firt 5

3 Ye, Cloud computing i likely to create ignificant aving for organiation that chooe to buy oftware, infratructure, or a platform from external vendor on a pay a you go bai. By tapping into the Cloud they can gain fat acce to bet-of-breed buine application or dratically boot their infratructure reource, at negligible cot. So, the Cloud i well worth exploiting. And, indeed, many organiation are. According to an IDG urvey of 100 ecurity executive around the world, upward of 30% of large buinee have ome enterprie application in the Cloud. More than a third of buinee have increaed their ue of Cloud computing in the pat two year. Interetingly, however, two-third of the urveyed organiation do not have a ecurity trategy for Cloud computing. Therein lie the major problem with Cloud computing, becaue ecurity of the Cloud i actually more complex and there are more area of rik than i the cae with traditional IT et-up. Of the rik area, the bigget i that, in the Cloud, the cutomer organiation i not in control of where it data reide, how it i proceed, how it i detroyed, or who ha acce to it. There are way to mitigate that rik, of coure the primary one being to work with a ytem integrator who can manage all the third party ytem and provider on an organiation behalf. However, there an additional twit. Even though the cutomer organiation i not in control of either the technology in the Cloud or the management of that technology, the onu for mitigation of rik till fall on the cutomer organiation. 1

4 Don t outource what you don t undertand Why? Well, for one thing, Cloud provider are not likely to change their ecurity environment on requet. So the cutomer organiation need to undertand it own ecurity requirement up front in order to elect the provider whoe environment bet uit it need. The implication of that i, of coure, that the cutomer organiation need to do an aement of it inherent rik, paint a cenario baed on the required organiational change a well a it appetite for managing additional rik for the ake of buine benefit - and then ue the reult to make ure that it own, internal, ecurity i up to cratch. At the ame time, the aement will how what ecurity the vendor will need to have in place in order to keep the cutomer data afe. Then it a quetion of mapping the organiation ecurity need to vendor capabilitie. But the reponibility for ecurity doen t top there. There are no pecific Cloud computing tandard. IBM, Cico, SAP, EMC and everal other leading technology companie announced in March 2009 that they had created an Open Cloud Manifeto, calling for more conitent ecurity and monitoring of Cloud ervice. But the fact that Amazon.com, Google, and Saleforce.com have not agreed to take part ugget that broad indutry conenu may be ome way off. Microoft alo abtained, charging that IBM wa forcing it agenda. By contrat, the Cloud Security Alliance, whoe aim i to promote the ue of bet practice for providing ecurity aurance within Cloud computing, and provide education on the ue of Cloud computing to help ecure all other form of computing, ha made ome tride in documenting the iue and ome olution. However, the lack of generally accepted tandard mean that cutomer organiation cannot rely on their provider to achieve a baic minimum of ecurity or on an indutry body to regulate Cloud ecurity. That mean that organiation will have to do their own policing of their vendor ecurity. According to an IDG urvey of 100 ecurity executive around the world, upward of 30% of large buinee have ome enterprie application in the Cloud. More than a third of buinee have increaed their ue of Cloud computing in the pat two year. The checklit It a little tougher than one might think, becaue there are, we believe, no fewer than fifteen dicipline, in three overarching group, that have to be covered. The firt grouping cover governance, rik, and compliance and include legal and e-dicovery, compliance and audit, buine continuity and diater recovery, and incident repone, notification, and remediation. The econd grouping addree architecture and operation and incorporate ecurity architecture, information lifecycle management, portability and interoperability, datacentre operation, torage, and virtualiation. Group three addree identity and acce management through key management and encryption, and application ecurity. 2 Mot organiation truggle to acquire and then keep in-houe the broad kill to deal with thee inide their own organiation, let alone at an external provider location.

5 In addition, each of the area i influenced by the characteritic that differentiate Cloud computing from traditional computing model. Thee include abtraction of infratructure, reource democratiation, ervice oriented architecture, elaticity / dynamim of reource, and a utility model of conumption and allocation. The ituation i complicated till further by the fact that the Cloud offer three different ervice delivery model: Infratructure a a Service (IaaS), Platform a a Service (PaaS), and Software a a Service (SaaS) a well a four type of deployment and conumption: Private, public, managed, and hybrid. It i critical to be aware of the tradeoff between extenibility (openne) and ecurity reponibility within the three ervice delivery model. SaaS (Software a a Service) provide leat extenibility and greatet ecurity reponibility taken on by the Cloud provider, with the cutomer ecurity department loing control of: Phyical and logical network barrier Endpoint retriction and management Non-paword authentication Fine grained credential quality control Paword reet procee Real time anomaly detection Event logging By contrat, IaaS (Infratructure a a Service) offer the greatet extenibility with leat amount of ecurity reponibility taken on by the Cloud provider. PaaS (Platform a a Service) lie omewhere in the middle, with extenibility and ecurity feature which mut be leveraged by the cutomer. SaaS and PaaS provider all trumpet the robutne of their ytem, often claiming that ecurity in the Cloud i tighter than in mot enterprie. But the imple fact i that every ecurity ytem that ha ever been breached wa once thought infallible. For example, Google Gmail ervice collaped in Europe in February In 2007, a Saleforce.com taff member wa duped by a phihing attack into revealing paword. And, recently, Amazon EC2 ervice ha been the target of a zombie attack. 3

6 Step toward control The place to tart i with the baic. Getting into technical detail too early will imply obfucate the real iue. In it June 2009 report, Aeing the ecurity rik of Cloud computing, Gartner ay that mart cutomer will ak tough quetion and conider getting a ecurity aement from a neutral third party before committing to a Cloud vendor. Due diligence Abolutely. Perform an extenive, in-depth due diligence on the Cloud provider you would like to have. Contract A i frequently the cae with diruptive technologie, the law lag behind the technology development for Cloud computing. Alo, there the quetion of juridiction. Data may be ecure in one country but not in another. In many cae, uer of Cloud ervice don t know where their information i held. So, organiation need to remember that contract are their key legal enforcement mechanim and mut, therefore, be negotiable to reflect the organiation unique need a well a the dynamic nature of Cloud computing. Plan in the contract negotiation for both an expected and an unexpected termination of the relationhip and for an orderly return or ecure dipoal of aet. In it June 2009 report, Aeing the ecurity rik of Cloud computing, Gartner ay that mart cutomer will ak tough quetion and conider getting a ecurity aement from a neutral third party before committing to a Cloud vendor. E-dicovery Then there the irony of the fact that while Cloud provider are cutodian of primary data aet, their cutomer, who own the data aet, are legally reponible for preerving the data and making it available in legal proceeding (e-dicovery). It i eential, therefore, that cutomer and Cloud provider have a clear mutual undertanding of each other role and reponibilitie related to e-dicovery, including uch activitie a litigation hold, dicovery earche, and the proviion of expert tetimony. Standard In the abence of ecurity tandard pecific to the Cloud, organiation hould enure that their provider comply with, at leat, the SAS70 auditing tandard and ISO27001, which i deigned to provide the foundation for third party audit and implement OECD principle governing ecurity of information and network ytem. In particular, cutomer hould claify data and ytem to undertand compliance requirement. They alo need to undertand data location - pecifically, the copie of data that are made and how they are controlled. And, they mut maintain a right to audit on demand, a regulatory mandate and buine need can change extremely rapidly. Privacy It crucial that the cutomer organiation undertand the privacy retriction inherent in data entruted to it. There i the poibility that the Cloud provider may not be permitted to hold the data without very pecific partner deignation. 4 And, when it come to privacy, it may be eaier for the Cloud provider to demontrate data retention but not data detruction.

7 Buine continuity In term of buine continuity and diater recovery, the technology architecture infratructure of Cloud provider will naturally differ. But they mut all be able to demontrate comprehenive compartmentaliation of ytem, network, management, proviioning, and peronnel. And, of coure, the cutomer own buine continuity plan hould addre the impact and limitation of Cloud computing. Application development For application ecurity, remember that IaaS, PaaS, and SaaS create differing trut boundarie for the oftware development lifecycle and they mut be accounted for during the development, teting, and production deployment of application. Identity Key to managing identitie at Cloud provider i having a robut federated identity management architecture and trategy internal to the organiation. Init that the vendor operate according to federation-enabling tandard uch a SAML, WS-Federation, and Liberty ID-FF. Conider implementing Single Sign-on (SSO) for internal application and then leveraging thi architecture for Cloud application. In addition, Cloud-baed Identity a a Service provider may be a ueful tool for outourcing ome identity management capabilitie and facilitating federated identity management with Cloud provider. Virtualiation Finally, although organiation hould augment virtualied operating ytem with third party ecurity technology to provide layered ecurity control and reduce dependency on the platform provider alone, virtualiation doe offer many ecurity advantage - uch a creating iolated environment and better defined memory pace - which can minimie application intability and implify recovery. Practice firt Perhap the mot baic Cloud ecurity of all i to opt for a private Cloud firt virtualiing the organiation internal operation and uing internal and therefore already authoried peronnel in order to etablih a working Cloud methodology that can then be extrapolated to a public Cloud if and when that hould become neceary. 5

8 Regional Head Office Contact Detail America One Penn Plaza Suite 1600 New York, NY Tel Fax Aia* 6 Temaek Boulevard, #26-01/ 05 Suntec Tower Four Singapore Tel Fax Autralia Harrington Street The Rock, NSW 2000 Autralia Tel +61 (0) Fax +61 (0) Europe Dimenion Data Houe Building 2, Waterfront Buine Park Fleet Road, Fleet Hamphire GU51 3QT United Kingdom Tel +44(0) Fax +44(0) Middle Eat & Africa The Campu 57 Sloane Street Bryanton Sandton, 2191 South Africa Tel +27 (0) Fax +27 (0) *trading a Datacraft Aia Ltd 6