White Paper: Cloud Security


Introduction

Due to the increase in available bandwidth and technological advances in the area of virtualisation, and the desire of IT managers to provide dynamically changing levels of service in the most cost-effective way, the idea of cloud computing has become popular again. The concept is not a completely new one; in fact, historians will tell you that IBM were offering cloud-based services (processing power for hire) back in the 1950s. However, as outlined above, and coupled with the unprecedented level of interconnectivity between organisations, people and their data, the advantages of cloud-based computing have come to the fore.

It is not without risk, however. The idea of putting your key business data out in the cloud is something that puts a chill down many a C-level executive's or business owner's back. The questions that come to mind immediately are very basic but important to get answers to: How secure is this data? Who will be able to access it? What if it's not available when I need it? Where is that data actually stored? What happens to my data if I need to change cloud providers? There are many questions that realistically need to be answered before you take the plunge, but putting some thought into it and making decisions based on a rational assessment process should enable you to take advantage of the benefits offered by the cloud in a way that makes sense to you and is acceptable from a risk perspective. The aim of this article is to provide you with some of the tools you need to make an informed decision before you feel happy putting your data and business processes into the hands of a faceless stranger!

Firstly, it is important to put some definitions around information security and the cloud.

Confidentiality, Integrity and Availability

It is well documented that information security is all about maintaining the Confidentiality, Integrity and Availability (CIA for short) of information. To have a compromise in any of these areas is to have a data security incident. There are many examples of data security breaches in the world today, both at home and abroad. It is not uncommon to turn on the news and hear about a company that has left all of its clients' sensitive financial details on a stolen laptop, or about a new virus or worm that is costing industry millions of Euros per day while it is out in the wild. These examples represent information security compromises and, interestingly enough, the types of controls available to prevent (or dramatically reduce the impact of) such incidents are readily available. It is important to realise that the controls for protecting information security in general are not fundamentally any different from those for protecting information that resides in the cloud. As such, the basic tools that can be used to protect your information fall into three categories of controls:

- Administrative Controls (policies, procedures, standards, baselines, guidelines, contracts, user awareness etc.)
- Technical Controls (firewalls, encryption, anti-virus, authentication, resilience, redundancy etc.)
- Physical Controls (secure operating environments, security guards, CCTV, doors, locks, cages, fire suppression etc.)

Your information security management program, if it is a healthy one, should be made up of any number of the above types of controls so that the high-priority security issues have been addressed. To answer the question of which controls are applicable to your environment, it is best to perform an assessment of the various risks that you are faced with, and to select the controls that help to reduce the risks you have identified to an acceptable level. Conducting a risk assessment is one of the fundamental building blocks of implementing a systematic information security management program.

Threats and Risks

Given that we are looking at putting our data in the cloud, we are likely faced with a different set of risks than would usually be found within a normal IT environment. The lists below set out some of the threats and risks pertinent to the cloud.

Top Cloud Security Risks (ref. European Network and Information Security Agency, www.enisa.europa.eu):

- Loss of Governance
- Lock-in (lack of data portability between cloud providers)
- Isolation Failure (compromises in shared platform security)
- Compliance Risks
- Management Interface
- Data Protection
- Insecure or incomplete data deletion
- Malicious Insider

Top Cloud Threats (ref. The Cloud Security Alliance, www.cloudsecurityalliance.org):

- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss / Leakage
- Account, Service and Traffic Hijacking
- Unknown Risk Profile

Cloud Deployment and Delivery

To put some of these risks and threats into context, let us first put some definition around what we mean by the cloud. There are some key distinctions between the types of services available from the cloud, and it is important to differentiate between the deployment and delivery models associated with each. It is generally accepted that cloud services are defined by the SPI model, i.e. software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). For example, Google Apps could be considered a SaaS service; Microsoft's Azure Platform, which allows application developers to design and deploy cloud-ready applications, would be considered a PaaS offering; and any number of hosting partners can provide IaaS services, typically deployed on elastic platforms that allow for rapid scalability in terms of processing power, storage and bandwidth.

The key attributes and characteristics of each model are as follows:

- SaaS: a delivered solution, not very extensible or customisable by the customer; tends to have a high level of security built in (the provider tends to bear the burden of security).
- PaaS: more extensible and customisable, allowing developers to build their own applications; this extensibility extends to the security controls, which can be customised.
- IaaS: few application-like features, with huge extensibility and customisation that extends to security; the customer is more likely to have to manage their own security.

It is also useful to consider the way in which your cloud is deployed. There are three main deployment models currently accepted as standard:

- Public Cloud: your cloud-based services are provided on a shared platform, the same platform being shared with others;
- Private Cloud: a dedicated infrastructure maintained and operated solely for your organisation by the cloud service provider;
- Hybrid Cloud: a combination of both public and private cloud delivery models.

Obviously, the whole area of cloud-based services is rapidly evolving, so the above concepts are not cast in stone, but they do provide a baseline to use when comparing service delivery mechanisms. So, when we are looking at the security issues related to the cloud, the first job at hand is really to define what is meant by the cloud. Is it (for example) a new business application being rolled out to your corporate sales force using a SaaS platform over a public cloud delivery mechanism, or are you moving your in-house managed web servers to a CSP (cloud service provider) who can handle, with their IaaS model, the annual spikes in bandwidth and processing that occur at the same point every year, where you only pay for what you use? Once we ascertain what the risks are, we can use an appropriate set of controls to manage them. Let us remember that when we are evaluating risks to information security, what we are looking at are risks related to compromises of information Confidentiality, Integrity and Availability.

Risk Mitigation Example

If we take the example of SaaS where perhaps our sales team keep information related to key accounts in the cloud, it is reasonable to assume that, at some point, there may be some data loss or leakage from the cloud service provider. A simple example may be where deletion or alteration of records has occurred without a backup of the original content (probably one of the most common issues to plague computer users ever since computing began, never mind the cloud!). What about where unauthorised access to data in the cloud occurs, resulting in a breach of data confidentiality or integrity? How can we use some of the established types of controls to help mitigate these issues?

Administrative Controls:

- Cloud Service Provider Contracts
  - We could contractually oblige our service provider to ensure that they provide adequate data backup and retention strategies.
  - We could demand that they wipe persistent media before it is released back into the pool (thereby reducing the risk of inadvertent data leakage).
- Policy and Awareness
  - We could enforce a strict access control policy; and
  - Ensure that our workforce are sufficiently aware of our policies (by providing awareness training).

Technical Controls:

- Authentication
  - Implement strong access control / authentication mechanisms.
- Encryption
  - Encrypt and protect the integrity of data in transit and at rest.
  - Implement strong encryption key generation, storage, management and destruction practices.

The above list of controls is not exhaustive, but it illustrates that there are intersections between the controls used to mitigate risks within a normal IT environment and those of a cloud-based one.
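The "protect the integrity of data at rest" control and the "deletion or alteration of records" scenario above can be made concrete. The following is an added example, not code from the Espion paper: the customer keeps a keyed HMAC-SHA256 manifest of its records, with the key held outside the provider, and re-verifies whatever the provider later returns, flagging records that were altered, deleted or injected. The account ids and contents are constructed sample data. The example covers integrity and completeness only; confidentiality would still need encryption alongside it, and the key handling shown (a fresh random key kept by the customer) is the minimum the "key generation, storage and management" bullet asks for.

```python
"""Detecting alteration or deletion of records held by a cloud provider.

Added example, not from the Espion white paper.  The customer computes a
keyed tag per record before upload, keeps the key and the manifest itself,
and later checks the records the provider hands back against that manifest.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample records (hypothetical "key accounts" CRM data).
RECORDS = {
    "acct-1001": {"name": "Acme Ltd", "owner": "j.doe", "value_eur": 250000},
    "acct-1002": {"name": "Globex plc", "owner": "a.lee", "value_eur": 120000},
    "acct-1003": {"name": "Initech GmbH", "owner": "j.doe", "value_eur": 80000},
}


def canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, record_id: str, record: dict) -> str:
    # The record id is bound into the tag so a valid record cannot be
    # presented under a different id without detection.
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, records: dict) -> dict:
    """Tags for every record; stored by the customer, not with the provider."""
    return {rid: tag(key, rid, rec) for rid, rec in records.items()}


def verify(key: bytes, manifest: dict, returned: dict) -> dict:
    """Compare what the provider returned with the manifest.

    Returns sorted lists of altered, missing and unexpected record ids.
    """
    altered, missing, unexpected = [], [], []
    for rid, expected in manifest.items():
        if rid not in returned:
            missing.append(rid)
            continue
        actual = tag(key, rid, returned[rid])
        # Constant-time comparison of the tags.
        if not hmac.compare_digest(actual, expected):
            altered.append(rid)
    for rid in returned:
        if rid not in manifest:
            unexpected.append(rid)
    return {
        "altered": sorted(altered),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
    }


def demo() -> dict:
    """Simulate one altered, one deleted and one injected record."""
    key = secrets.token_bytes(32)  # customer-held key, never sent to the provider
    manifest = build_manifest(key, RECORDS)
    returned = {rid: dict(rec) for rid, rec in RECORDS.items()}
    returned["acct-1002"]["owner"] = "m.smith"      # altered
    del returned["acct-1003"]                        # deleted
    returned["acct-9999"] = {"name": "Unknown", "owner": "", "value_eur": 0}  # injected
    return verify(key, manifest, returned)


if __name__ == "__main__":
    print(demo())
```

The manifest only tells you that something changed; restoring the original content still depends on the backup and retention obligations placed on the provider under the administrative controls above.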

Data Classification

A key question to answer when considering the issues related to cloud-based security is: what kind of data do you intend to put in the cloud? When determining the kind of data that is in the cloud, what we really mean is: how sensitive is this data, how critical is this data, and what is this data actually worth? By answering these questions we are in effect classifying the data. Data classification is the cornerstone of ensuring that an appropriate amount of security is used to protect information assets. The key word here is "appropriate"; this means not too much and not too little security. For example, you wouldn't spend a million Euros on a state-of-the-art safe (think Tom Cruise, Mission Impossible) to protect something that is worth a few hundred Euros; conversely, you wouldn't spend only a hundred Euros insuring that priceless diamond necklace.

When data classification is performed, it helps us to define several key characteristics that drive the security controls necessary. Considering the sensitivity of the data helps to determine the requirements for ensuring its confidentiality. We can ask questions such as: who should have access to the data? If it is publicly accessible data (like a bus timetable or TV listings, for example) then the data may be classified as public and not in the slightest bit confidential, and therefore not require any significant level of data security controls. On the other hand, the data could be the earnings report for the quarter and considered to be highly confidential (particularly if you are a publicly quoted company) up until the day it is released to the stock market. In this case, the data may need additional levels of security, such as data encryption and strict access control measures.

By using these two examples of classifying the data's sensitivity, we can see that different controls, and therefore different levels of security, are required. In each case we can justify the cost of the controls implemented by performing a data classification process.

In the same way that sensitivity is classified, it also pays to establish the criticality of the information. This can help to drive requirements in the key security (and cloud) area of availability. Questions to be asked here could be: is this data we are using considered to be highly critical to our operations? If so, then we need to ensure that this data is available 99.999% of the time (this comes at a cost). Or is the data less critical, perhaps only needed a few times a month (for example, when you are doing the monthly payroll)? Payroll information is a good example: this is something that could be considered to be confidential but not that critical, i.e. we could put more emphasis on ensuring that it remains confidential (perhaps by encrypting it and maintaining a strict access control policy) than on making sure that it is available 99% of the time.

When considering the data that we want to put out in the cloud, we should perform a data classification exercise and determine if the type of cloud service is inherently capable of providing the necessary level of security. Will the security controls in place be adequate to ensure that the sensitivity of the data is respected, and will the necessary controls be in place to ensure that we can access the data when we need it?

Let's assume that we have performed our data classification process and established that the data to be processed is highly sensitive. Our cloud service provider is offering us a service that is based on a shared SaaS platform. We have little or no control over the security of the service and, to make matters worse, our data is being hosted on a public platform. The risk-averse amongst us may argue that something as common as human error (maybe an administrator inadvertently giving a competitor access to your data), were it to occur, could have an impact on your business significant enough that the perceived cost savings of putting that information in the cloud are not warranted (at least for the type of service initially offered). Maybe another type of service is required; perhaps a SaaS service provided on a private cloud would adequately address the risk. Alternatively, maybe we should just hire the infrastructure from the CSP and manage the application ourselves. We can then customise the necessary controls to our hearts' content, thereby ensuring adequate levels of security are available to address our perceived risks. The downside (assuming you see it like that) is that there is a higher cost associated with managing this level of security.

Conclusion

It looks like the cloud is here to stay; the benefits are too compelling to ignore. Key issues that will continue to affect information security concerns are the lack of cloud standards, the perceived loss of control of data, questions over the physical location of data, questions related to availability of service, questions related to the trustworthiness of the cloud service providers, etc.; indeed, this could be a very long list. A comprehensive and systematic approach to information security management is required, and this should be underpinned by regular assessment and testing. It is important for organisations who are considering taking the plunge to perform a risk assessment and to perform a data classification process. These concepts will not be new to anyone who is currently implementing information security practices in line with accepted best-practice methodologies such as ISO 27001/2, COBIT, PCI DSS etc. The types of information security controls that exist today that help organisations manage risk can readily be adopted and ported to cloud-based computing systems.
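The reasoning in the Data Classification section (sensitivity driving confidentiality controls, criticality driving an availability target, then asking whether a shared SaaS, private SaaS or IaaS offering can meet them) can be written down as a small decision procedure. This is an added example, not part of the Espion paper. The four sensitivity levels, the availability target attached to each criticality level and the three offering profiles are assumptions chosen to mirror the paper's own examples, not any provider's actual capabilities; a real exercise would replace them with the organisation's classification scheme and the provider's contractual commitments.

```python
"""Deriving control requirements from a data classification and checking a
cloud offering against them.

Added example, not from the Espion white paper.  The classification levels,
availability targets and offering profiles below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SENSITIVITY = ("public", "internal", "confidential", "highly_confidential")
CRITICALITY = ("low", "medium", "high")

# Assumed availability target per criticality level (the paper quotes 99% and
# 99.999% as the two ends of the range).
AVAILABILITY_TARGET = {"low": 0.99, "medium": 0.999, "high": 0.99999}

# Boolean controls carried by both a requirement set and an offering profile.
CONTROL_FIELDS = (
    "encrypt_in_transit",
    "encrypt_at_rest",
    "strong_authentication",
    "customer_managed_keys",
    "dedicated_tenancy",
)


@dataclass(frozen=True)
class Requirements:
    encrypt_in_transit: bool
    encrypt_at_rest: bool
    strong_authentication: bool
    customer_managed_keys: bool
    dedicated_tenancy: bool
    availability: float


@dataclass(frozen=True)
class Offering:
    name: str
    encrypt_in_transit: bool
    encrypt_at_rest: bool
    strong_authentication: bool
    customer_managed_keys: bool
    dedicated_tenancy: bool
    availability_sla: float


def classify(sensitivity: str, criticality: str) -> Requirements:
    """Sensitivity drives the confidentiality controls; criticality drives availability."""
    if sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity level: {sensitivity}")
    if criticality not in CRITICALITY:
        raise ValueError(f"unknown criticality level: {criticality}")
    level = SENSITIVITY.index(sensitivity)
    return Requirements(
        encrypt_in_transit=level >= 1,     # anything beyond public
        encrypt_at_rest=level >= 2,        # confidential and up
        strong_authentication=level >= 2,
        customer_managed_keys=level >= 3,  # highly confidential only
        dedicated_tenancy=level >= 3,      # no shared platform for the top tier
        availability=AVAILABILITY_TARGET[criticality],
    )


# Assumed profiles for the three service shapes the paper walks through.
OFFERINGS = (
    Offering("shared SaaS, public cloud", True, True, True, False, False, 0.999),
    Offering("SaaS, private cloud", True, True, True, True, True, 0.999),
    Offering("IaaS, customer-managed application", True, True, True, True, True, 0.99999),
)


def gaps(req: Requirements, off: Offering) -> list[str]:
    """Controls the classification demands that the offering does not provide."""
    missing = [f for f in CONTROL_FIELDS if getattr(req, f) and not getattr(off, f)]
    if off.availability_sla < req.availability:
        missing.append("availability")
    return missing


def evaluate(sensitivity: str, criticality: str) -> dict[str, list[str]]:
    """Map each offering to its list of gaps; an empty list means it fits."""
    req = classify(sensitivity, criticality)
    return {off.name: gaps(req, off) for off in OFFERINGS}


if __name__ == "__main__":
    for case in (("highly_confidential", "medium"), ("confidential", "low"), ("confidential", "high")):
        print(case, evaluate(*case))
```

Run as written, the highly confidential case shows the shared public SaaS offering falling short on customer-managed keys and dedicated tenancy while the private SaaS and IaaS options fit, which is the paper's own conclusion; the payroll-style case (confidential but low criticality) is satisfied by all three, and raising criticality to high rules out anything below the 99.999% commitment.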

About Espion

Espion are Corporate Information specialists. We work with organisations across all industries and business functions to provide advice and assistance relating to the holistic compliance, protection and management requirements of their most valuable asset: information. This allows our clients to focus on their core business and ultimately achieve greater success.

Espion Headquarters
Corrig Court, Corrig Road, Sandyford Industrial Estate, Dublin 18, Ireland
+353 (01) 2101711
www.espiongroup.com