WHITE PAPER | JULY 2014

Securely Outsourcing to the Cloud: Five Key Questions to Ask

Russell Miller, Tyson Whitten
CA Technologies, Security Management
WHITE PAPER: SECURELY OUTSOURCING TO THE CLOUD: FIVE KEY QUESTIONS TO ASK ca.com

Table of Contents

Section 1: Challenge
Section 2: Opportunity
Section 3: Conclusions
Section 4: About the authors
Section 1: Challenge

Don't ignore security when moving to the cloud

Though many organizations already rely on cloud services for sensitive data storage and other business-critical functions, some resist the lure out of concern for security. Both types of organizations are discovering that cloud security is still in its infancy, lacking established standards and even informal norms.

Managing and monitoring privileged identities and data internally has become a requirement for many organizations. This reduces the risk of insider breaches, helps ensure accountability for administrators, facilitates compliance, and can even expedite adoption of new technologies. However, the same organizations that meticulously control their internal identities and data frequently outsource their IT services to what is essentially a black box, relinquishing direct control and relying on cloud hosting companies to secure their data. While security is governed by agreements regarding security policies and procedures, the actions of individual administrators are frequently hidden. The implication is that individual privileges and administrator actions are viewed as somehow less risky when provided by an external entity. This is unfortunately not the case. Similarly, data is not inherently more or less secure from unauthorized access whether it is stored on a company's internal network or in a hosting company's datacenter.

When choosing to outsource, organizations have a significant amount of flexibility. They may keep a significant amount of control by choosing a self-managed private cloud environment, or they may use an external party to manage and host their cloud infrastructure, platform, or services. Each type of cloud and service has unique security challenges; however, for all cloud types, identity and data security can increase transparency and reduce risk.
Section 2: Opportunity

Privileged identity management and information protection can help you outsource more securely!

The key to understanding security in a cloud environment is to realize that the fundamentals of protecting the confidentiality, integrity and availability of information have not changed. When using a cloud environment, organizations must understand the risks to their systems and data. The way to do this is to follow best practices for Identity and Access Management (IAM) both internally and by requiring that hosting companies do the same. Moving to a hosted cloud environment requires giving up a level of control; however, this does not need to come at the cost of security. Today's Identity and Access Management tools allow an organization to determine the level of security and transparency they require from their hosting company.
The level of IAM transparency depends on the type of cloud service being considered:

- Private Cloud (internal and external)
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)

Each type of cloud service has its own security challenges, and the way organizations approach each should be tailored to both the type of cloud service and organizational security requirements. What defines a private cloud environment is not the hosting location, but the lack of shared resources, or multi-tenancy. This may be done inside an organization, using company-owned hardware, or using systems and devices owned by the hosting company. However, the risk is significantly greater when hosted off-site, as infrastructure separation must be verified.

For all cloud types, in addition to standard best practices for hardening, network architecture, policies and procedures, Identity and Access Management tools are critical to enabling only the right individuals to have access to the right systems and data. This involves understanding identities and access, system and data security, and user activity reporting/logging.

Top 5 Questions to Ask Your Outsourcer

1. Where is my data located?
   Follow-ups: Where will my sensitive data be located? Can I dictate locations where it cannot be stored? Will you provide real-time visibility?

2. Who has access to my servers and data?
   Follow-ups: What are their roles? Are they solely responsible for my account? How is access to my data granted or denied?

3. How are my systems and data secured?
   Follow-ups: How are hypervisor administrative rights managed? How is my data controlled? How can you prove that your controls are compliant with the regulations that are relevant to me?

4. What activity data is captured and logged?
   Follow-ups: What level of granularity is recorded? How is accountability ensured for shared accounts (e.g., "root")? How are temporary administrators managed? What is the process for granting emergency account access?

5. How will you enable compliance?
   Follow-ups: What reporting will you provide? Will reports be automated and easily generated for auditors?
Where is my data located?

The implication of releasing control of sensitive organizational data assets to third-party outsourcers remains a significant inhibitor to businesses transitioning to cloud-based services. Businesses need to be assured that the risk of data compromise and regulatory non-compliance either stays the same or is reduced when outsourcing. There are multiple steps businesses should follow as data is transitioned outside of the organization and during its ongoing management.

1. Understand what you have: The first step is performing an inventory of data in relation to what's being outsourced. If business applications are being outsourced to a managed hosting provider, understand the type of data that's stored and communicated in relation to those applications. In addition, understand the sensitivity of information in relation to corporate and regulatory policies. Automated classification technologies are a good place to start when performing this inventory of sensitive information. Understanding whether personally identifiable information (PII), intellectual property (IP) or payment card industry (PCI) data elements will be moved over to a third party is important.

2. Determine what's acceptable to transition: The next step is determining what can be moved. The business needs to make a risk-based decision on what's acceptable to be managed by a third party. Regardless of controls, some information may just be too sensitive to outsource. It's important to understand that upfront, before moving down the outsourcing path.

3. Require visibility: Once you understand what's acceptable to be outsourced, you must determine how you can be assured data will be stored in a certain location. Regulatory requirements for storing and securing certain data elements vary on a global and regional basis. If you are required by law to store specific data types in a certain region, you need to be assured that this will be the case over the life of the contract. However, contractual terms negotiated upfront that data will be stored in a certain region are no longer acceptable as complete assurance. Businesses are starting to require real-time visibility into the location of sensitive information they've outsourced, and vendors are responding by delivering real-time visibility into data location as a service differentiator. The ability to understand where your information is located during the course of outsourcing will allow you to continue to make informed, risk-based data decisions even when data is outside of your control, while making compliance efforts significantly easier when it's time for your annual audit.

Who has access to my servers and data?

After working out how the provider will provide visibility into the location of sensitive data, the next step is determining how they will manage access to the systems where sensitive information will reside. To achieve this, it's critical to understand a hosting company's use of identities and their security model. A hosting company should be able to demonstrate an understanding and implementation of basic identity management security principles:

- Least privilege: All identities, and particularly administrators, should only have the minimum access rights needed to do their job.
- Segregation of duties: The concept of segregation of duties requires that more than one person is necessary to complete a task (e.g., one person cannot initiate AND approve a transaction). A hosting company should be able to describe their administrative roles and how they are managed. For example, security management of critical systems and applications (such as databases) should be kept separate from system management. No single administrator should be responsible for both the daily operations and the security of a system or application. Ideally, hosting company administrators that require significant access to a company's most sensitive data should be dedicated to that client and not have access to data from competitors.

Organizations should also gather information from their hosting company about the individuals who will have access to their systems and data. In addition to background checks, the country in which an employee is located could have significant consequences, including laws that may restrict how a company may monitor their actions.

Hosting companies should also have a documented process for handling access rights, including employees entering or leaving the company, or changing roles. These processes should require that access privileges are revoked immediately when they are no longer needed. Regular audits should be performed to confirm that all privileges match current roles and needs.

How are my systems and data secured?

Once access security is understood, it is important to determine how systems housing your most sensitive information will be secured and how the data itself will be controlled. Virtualization is what truly enables all cloud environments. It makes possible the creation of workloads that are mobile and can function in a dynamic environment. Therefore, to secure a cloud environment, virtualization security is critical. Organizations must also implement Privileged Identity Management at the hypervisor layer. However, controlling access to the container is only half of the answer. Providers must take a data-centric security approach to protect the data no matter how application and system access is controlled. And once access is granted to the data, its use must also be controlled.

Securing virtual environments

Access control tools can be configured to restrict access to individual virtual machines based on the privileges of each hypervisor administrator identity. This helps ensure that, even in a shared environment, only the appropriate administrators have access to an organization's virtual machines.

Automated security controls at the hypervisor layer are necessary to protect individual virtual machines. The flexible and dynamic nature of a virtual environment allows machines to be moved, deleted, copied, or have important settings modified nearly effortlessly. Hypervisor security controls are therefore necessary to prevent individual virtual machines from being managed in a way that violates their required security. For example, virtual machines containing PCI data should be tagged so that administrators cannot move them into a non-compliant network environment. In order to change key security settings for a virtual machine, the tags or tag rules themselves must be modified. This added step reduces the chances of administrative errors in managing virtual machines.
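As an added illustration of the tag rule described above (example code, not from the paper or from any CA product), the following Python models virtual machines that carry compliance tags, network zones that are approved for particular tags, and a separate retagging step restricted to a security-administrator role; the zone names, roles, identities and VM records are all assumed for the example.

```python
"""Hypervisor tag-rule check (added illustration, not CA's own product code).

Virtual machines carry compliance tags, network zones list the regimes they
are approved to host, and a hypervisor administrator's request to move a VM
is refused unless the destination zone satisfies every tag on the VM.
Changing tags is a separate operation limited to a security-administrator
role, so an operations administrator cannot strip the PCI tag and then move
the VM.  Zone names, roles, identities and VM records are all constructed.
"""
from dataclasses import dataclass, field

# Which compliance regimes each network zone is approved to host (constructed).
ZONE_APPROVED_FOR = {"pci-cde": {"PCI"}, "prod": set(), "dev-test": set()}


@dataclass
class VirtualMachine:
    name: str
    zone: str
    tags: set = field(default_factory=set)


@dataclass
class Admin:
    identity: str   # an individual identity, e.g. "Third_Party_ID15624"
    roles: set


class PolicyViolation(Exception):
    pass


def check_move(admin, vm, dest_zone):
    """Raise PolicyViolation if moving vm into dest_zone would break a tag rule."""
    if "hypervisor-admin" not in admin.roles:
        raise PolicyViolation(f"{admin.identity} is not a hypervisor administrator")
    if dest_zone not in ZONE_APPROVED_FOR:
        raise PolicyViolation(f"unknown zone {dest_zone!r}")
    unmet = vm.tags - ZONE_APPROVED_FOR[dest_zone]
    if unmet:
        raise PolicyViolation(
            f"{vm.name} is tagged {sorted(unmet)}; zone {dest_zone!r} is not approved")


def move_vm(admin, vm, dest_zone, audit):
    """Move a VM only after the tag rule passes; record the individual who did it."""
    check_move(admin, vm, dest_zone)
    vm.zone = dest_zone
    audit.append((admin.identity, "move", vm.name, dest_zone))
    return vm


def set_tags(admin, vm, tags, audit):
    """Retagging is the separate, security-role-only step (segregation of duties)."""
    if "security-admin" not in admin.roles:
        raise PolicyViolation(f"{admin.identity} may not change compliance tags")
    vm.tags = set(tags)
    audit.append((admin.identity, "retag", vm.name, sorted(tags)))
    return vm


def demo():
    """Operations admin tries to move, then to untag, a PCI-tagged VM."""
    audit, results = [], {}
    ops = Admin("Third_Party_ID15624", {"hypervisor-admin"})
    vm = VirtualMachine("cardholder-db", "pci-cde", {"PCI"})
    for label, action in (("move", lambda: move_vm(ops, vm, "dev-test", audit)),
                          ("retag", lambda: set_tags(ops, vm, set(), audit))):
        try:
            action()
            results[label + "_denied"] = False
        except PolicyViolation as err:
            results[label + "_denied"] = True
            audit.append((ops.identity, label + "-denied", vm.name, str(err)))
    results["zone"], results["audit"] = vm.zone, audit
    return results


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```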
Securing multi-tenant environments

Public cloud services have their own security challenges, and the way organizations approach these challenges should be tailored to both the type of cloud service and the organization's security requirements. However, in all cases, an organization should take steps to keep their data secure from third parties that may share the same services.

Figure A. Visual representation of a multi-tenant environment: a shared model among multiple customers and/or departments, with Tenant A, Tenant B and Tenant C spread across Production, Dev/Test and DMZ zones.
In a multi-tenant cloud environment, security requirements are shaped by the cloud type:

Infrastructure-as-a-Service (IaaS): Infrastructure resources are shared, including physical servers, network devices, and databases (e.g., Amazon EC2, RackSpace Cloud). Each tenant is generally segregated at the virtual machine layer. A hosting company may use a single hypervisor to manage virtual machines belonging to multiple different organizations. To help ensure the security of their virtual machines, an organization must implement Identity and Access Management at the hypervisor layer. As with a private cloud, IAM tools can be configured to restrict access to individual virtual machines based on the security settings associated with each hypervisor identity so that, even in a shared environment, only the appropriate administrators have access to an organization's virtual machines.

Platform-as-a-Service (PaaS): Platform-level services are shared (e.g., Google App Engine, Microsoft Windows Azure, Force.com). Each tenant shares resources at the software platform layer. In addition to virtualization security, organizations should ensure that their hosting company follows best-practice privileged identity management techniques for the users that administer the platform software.

Software-as-a-Service (SaaS): Application services are shared (e.g., Salesforce.com). While transparency is often limited in a SaaS environment, an organization looking to outsource to a SaaS provider should look beyond the application service layer to understand how Identity and Access Management tools are employed at each layer of the infrastructure, from physical hardware, to virtual machines, to platforms, and code security.

In all cloud types, hosting providers now have the ability to provide user activity data to their customers as a service, for download into the customers' in-house security tools. This helps outsourcing organizations understand who is accessing their data, while maintaining user activity logs to satisfy audit requirements.

Securing the data

While controlling identities and access to sensitive information is critical, it's not enough. Data sensitivity lives within the data itself regardless of location. So while controlling data at the container level provides a level of security, it's not sufficient if the data leaves the confines of the enterprise or data center. What needs to be demanded from your provider is a security approach that incorporates data-centric security in order to effectively protect the sensitive corporate assets that are being outsourced. This helps reduce the risk of outsourcing and allows data to be mobile while keeping control with the organization. The components of a comprehensive data-centric security solution include classification, data loss prevention, encryption and information rights management (IRM).
You should also understand how data-centric security is applied to data while at rest, at access, in use and in motion. Examples are as follows:

- At-Rest: Once data is transitioned and stored within the provider's network and repositories, it should be encrypted wherever possible. Some information, such as PCI-related data, is required to be encrypted, while other information should be encrypted based on its sensitivity to the business.

- At-Access: When administrators or employees attempt to access sensitive information, the sensitivity of the data should be taken into account. Understanding the sensitivity of the information prior to granting access allows for more fine-grained access control decisions. In addition, information that is encrypted protects the organization from inappropriate access due to ineffective container policy control.

- In-Use: Once a user gains access to the data, it should be controlled at the endpoint. Administrators that access sensitive customer information should not be able to copy it to a removable drive or print it without authorization.

- In-Motion: The handling of information over the network should also be controlled. Roles that have access to data should be selectively controlled based on role and data sensitivity. The ability to warn, block or encrypt information sent over the network should help effectively control information handling.

What activity data is captured and logged?

As with much of security, determining the right level of activity information to demand from your hosting company requires carefully balancing trade-offs.

Granularity: transparency vs. cost

Identities at a hosting company may be managed and tracked to the same standard as internal employees in a private cloud environment; however, there are both benefits and costs to each level of granularity:

Level of granularity: Administrative Groups (e.g., "Linux Administration Group")
Description: All privileges and audit logs can be monitored by the outsourcing organization at the group level. Individuals may be added to or removed from these groups by the hosting company without the knowledge of their client organizations.
Transparency: Least granular

Level of granularity: Individual Roles (e.g., "Linux Admin #1")
Description: The user associated with that identity can change as the outsourcer moves resources around. The hosting company must track who is in what role at any given time.
Transparency: More granular

Level of granularity: Individual Identities (e.g., "Third_Party_ID15624" or "Third_Party_JohnSmith")
Description: Each individual user is associated with a single identity. Privilege and activity records are transmitted by the hosting company to the outsourcing organization.
Transparency: Most granular
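The shared-account follow-up from the list of questions (how accountability is ensured for shared accounts such as "root") and the individual-identity level of the granularity table come together in a log join. The following Python is an added example, not the paper's or CA's code; its vault checkout log, host activity log, hosts and identities are constructed for the illustration.

```python
"""Attributing shared-account activity to individual identities (added example).

Two constructed log sources are joined: a checkout log from a shared-account
vault (which individual identity held the 'root' password on which host, and
when) and the host's own activity log, where every action is attributed only
to 'root'.  Each root action is mapped to the individual who held the account
at that moment, which is the 'most granular' level of the table above, and
actions that no checkout explains are reported separately.  Log formats,
hosts and identities are constructed for the example.
"""
from datetime import datetime

# Constructed vault log: one line per checkout/checkin of a shared account.
CHECKOUTS = """\
2014-07-01T09:00:00 host=db01 account=root identity=Third_Party_ID15624 event=checkout
2014-07-01T09:45:00 host=db01 account=root identity=Third_Party_ID15624 event=checkin
2014-07-01T10:00:00 host=db01 account=root identity=Third_Party_JohnSmith event=checkout
2014-07-01T10:30:00 host=db01 account=root identity=Third_Party_JohnSmith event=checkin
"""

# Constructed host activity log: the command field may contain spaces.
ACTIVITY = """\
2014-07-01T09:10:12 host=db01 user=root cmd=pg_dump cardholder
2014-07-01T10:05:40 host=db01 user=root cmd=cp /backup/cardholder.sql /media/usb0/
2014-07-01T11:20:03 host=db01 user=root cmd=useradd tempadmin
"""


def _value(field):
    """'key=value' -> 'value'."""
    return field.split("=", 1)[1]


def checkout_windows(text):
    """Return (host, account, identity, start, end) windows from vault log lines."""
    open_sessions, windows = {}, []
    for line in text.splitlines():
        ts, host, account, identity, event = line.split(" ")
        key = (_value(host), _value(account), _value(identity))
        when = datetime.fromisoformat(ts)
        if _value(event) == "checkout":
            open_sessions[key] = when
        elif _value(event) == "checkin" and key in open_sessions:
            windows.append(key + (open_sessions.pop(key), when))
    return windows


def attribute(activity_text, windows):
    """Map each shared-account action to the individual holding the account then."""
    rows = []
    for line in activity_text.splitlines():
        ts, host, user, cmd = line.split(" ", 3)
        host, user, cmd = _value(host), _value(user), _value(cmd)
        when = datetime.fromisoformat(ts)
        holders = [i for (h, a, i, start, end) in windows
                   if h == host and a == user and start <= when <= end]
        rows.append({"ts": ts, "host": host, "account": user, "cmd": cmd,
                     "identity": holders[0] if holders else None})
    return rows


def unaccounted(rows):
    """Actions on a shared account that no checkout window explains."""
    return [r for r in rows if r["identity"] is None]


if __name__ == "__main__":
    attributed = attribute(ACTIVITY, checkout_windows(CHECKOUTS))
    for row in attributed:
        print(row["ts"], row["account"], "->", row["identity"], "|", row["cmd"])
    print("unaccounted:", len(unaccounted(attributed)))
```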
The level of transparency should be chosen to address the needs of both the cloud service provider and the consumer. More information from the cloud service provider enables greater transparency and auditability, but also requires greater effort and cost. When organizations choose to accept transparency at the group level, they should ensure that the hosting company internally tracks individual users, so that there is accountability in the event of a breach.

How will you enable compliance?

The last question, and sometimes the most important depending on the business and industry, is compliance. Organizations are demanding that their outsourcers provide tools and reporting that will enable them to meet their compliance objectives. In addition to reports that are available on request and require individual processing, key compliance reports should be provided immediately, using real-time data. The cloud provider must allow you to meet your regulatory requirements, and therefore must provide capabilities equivalent to those you have implemented in your own compliance controls. If your controls are mature and operating effectively, it becomes easier to specify the requirements to your cloud provider. If your controls are not mature and create issues during your own compliance audits, then the cloud provider may have less guidance about the requirements that they must meet.

Even when activity data is logged and data is effectively controlled, reporting needs to be made available in a form that allows you to meet your goals. These reports need to cover highly summarized information for executive audiences, as well as detailed information to satisfy a technical auditor. While individual requirements will vary, a hosting company should be able to provide reports on:

- Where data is stored (country, city, etc.)
- When data is accessed and by whom (always tracking accesses to individual identities, not just shared administrative accounts)
- What data was accessed (including type: credit card information, private health information, etc.)
- What was done to the accessed data (was it exported from the system or processed by an application?)

Hosting companies are increasingly providing reports that directly address specific requirements. This can reduce, if not eliminate, the need for the outsourcing organization to hunt for data in reports and make a disorganized case for compliance. By having reports specifically tailored to individual requirements that have been vetted by auditors, an organization can remove a level of interpretation that is otherwise left open to individual assessors, thereby reducing compliance risk.
Section 3: Conclusions

The demand for transparency into hosted cloud environments is quickly becoming a market requirement. Organizations looking to outsource to a cloud environment should now demand an unprecedented level of transparency into their cloud services and no longer need to rely solely on contracts and certifications from their service provider for security. In essence, trust but verify. Even when visibility into a hosting company's environment is limited, an understanding of their IAM infrastructure does not need to be.

When choosing a cloud service provider, organizations should no longer accept bare assurances of security practices and should instead insist on a full understanding of the hosting company's use of identities to enable proper segregation of duties and access restrictions at each layer of their infrastructure. Risk-averse organizations can ensure that their hosting companies use today's Identity and Access Management tools to help enable cloud computing in a way consistent with their security requirements.

Section 4: About the authors

Russell Miller has spent over eight years in network security in various roles, from ethical hacking to product marketing. He is currently a Director of Product Marketing at CA Technologies, focused on privileged identity management and data protection. Russell has a B.A. in Computer Science from Middlebury College and an M.B.A. from the MIT Sloan School of Management.

Tyson Whitten is a CISSP with 15+ years of IT and security experience managing application, network and risk-based products and services. In his current role he has responsibility for API Management and Mobile Security solutions at CA Technologies. Prior to CA, Tyson held positions at SecureWorks, VeriSign, Guardent and Genuity. Tyson has a BS in Finance and Information Systems and an MBA in Product Management from Boston College.
Copyright 2014 CA. All rights reserved. CS200_94851_0914