
Moving to the cloud doesn't mean outsourcing your security controls.

Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization.

You don't have to look far to find an article extolling the benefits of cloud computing. After all, by sharing information technology (IT) resources in the cloud, businesses and government agencies of all sizes can leverage their people more effectively. Moreover, cloud service providers (CSPs) can offer shared IT services economically by maximizing the use of IT systems (hardware and software) and systems administration personnel. In addition to lowering one's capital investment, cloud computing provides mobility and can often provide platform-agnostic services. That mobility has the potential to increase the productivity of individuals by providing anytime, anywhere, from-any-platform access to services and applications. Another potential major benefit of cloud computing is that organizations can leverage what others (CSPs in this case) have built and get back to focusing on their core competencies. An appropriate cloud strategy has the potential to drive innovation not only by changing how IT services are delivered and administered but also by changing the way a business operates. Thus, cloud computing is a strategic move, not an IT-only decision. The impact of such a strategy will have a ripple effect throughout an organization, so the decision to invest in cloud technology should not be taken lightly.

So far we've discussed the positives of adopting a cloud strategy, but as Spiderman's Uncle Ben once said, "With great power comes great responsibility"; after all, cloud computing means entrusting one of your most valuable assets, your data, to a third-party provider. That provider has the responsibility of providing assurances that your data is safe at all times. Although Service Organization Control (SOC) standards provide some level of assurance, there are currently no concrete laws or standards that can establish whether a particular CSP is safe or not. As an organization evaluating a cloud strategy, the onus is on you to conduct the due diligence to secure assurances from the CSP that your data is safe in their hands. (We should note that cloud computing isn't necessarily good in all instances and for all data. As an organization, you must weigh the cost benefit of the strategy and proceed accordingly.)

According to meritalk.com, the government sector alone could realize savings of up to $14 billion annually by using cloud-based services. So why aren't more organizations jumping at it? You guessed it: data security. It's paramount, then, that we find ways to ensure the security and privacy of data in the cloud so that we all can safely reap the full benefits of this continually evolving technology.

There are significant efforts by both the private and public sector, such as the CSA (Cloud Security Alliance), GSA (Government Security Agency), and NIST (National Institute of Standards and Technology), to provide tools to assess and select cloud computing services that satisfy security requirements. Standards are a critical component of our ability to realize the true potential of cloud computing, and NIST is working closely with the industry on the development of standards to support cloud computing infrastructure, metrics, interoperability, and assurance. Cloud computing won't realize its true potential until more CSPs and buyers fully understand security requirements in the cloud.

So, in its current state, if a cloud strategy is adopted, does that mean that you're at the mercy of the CSP's security offerings and controls, or that you no longer have control of your data? No, not with the right amount of due diligence. By asking the right questions of the CSP, you should be able to realize the potential of the cloud yet sleep well at night knowing that your data is safe and you're in control of it. By establishing basic security requirements early and asking key questions, companies can position projects for success and avoid common security-related issues.

Various levels of cloud services can be procured, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Regardless of the service, there are some baseline questions to ask of the CSP. The more you rely on the CSP to provide turnkey services, as in the SaaS model, the deeper an understanding you need of how your data is secured and controlled. So, if I were looking to migrate some or all of my mission-critical and sensitive data to a CSP offering, here are the key security-related questions that I would ask. The questions below are targeted at a CSP providing SaaS, but a majority of them would apply to an IaaS or PaaS offering as well.

Who's managing my data?

Ask about the qualifications and backgrounds of the cloud company's staff. These administrators have privileged access to your data; you should know who they are. Also ask how new hires are screened and what ongoing checks (such as random testing and background checks) are performed. Ask about other business partners that may have direct or indirect access to your data. For example, if the CSP outsources its systems backup to someone else, what controls are in place to secure your data?

Where's the data actually located, and will the data be replicated at other data centers?

Many enterprises must comply with regulations that are based on the data's geographic location. Based on your regulatory requirements, are there restrictions on where in the world your data may be stored? Compliance requirements may restrict how data is exported to other countries and dictate what security measures need to be in place and what auditing standards you need to comply with. You should also be familiar with local privacy laws and regulations where the data is going to be stored. Local laws may provide for a government's or litigant's right to inspect data being stored by the CSP. Can you take that chance? The CSP should have strong policies and practices in place that address legal and regulatory requirements such as data security, data exporting, compliance and auditing standards, data retention, legal discovery, and data destruction. Your legal and regulatory experts should review these policies and practices to ensure that they adequately meet your needs. You and the CSP should map out how data storage is handled and whether the CSP's policies put you in compliance with your regulatory requirements. For companies operating in the United States, Canada, or Europe, there are a number of regulatory requirements and standards in effect, including ISO 27002, Safe Harbor, ITIL, and COBIT. Understanding your data location requirements will ensure you make the best choice of CSP.

What access controls are in place?

Just because physical control is being transferred doesn't mean you're giving up your right to know what controls are in place to limit risk. CSPs need to disclose the exact data access control processes that govern their administrators' actions, and you should have a full understanding of who can access what data and under what conditions. Ask how the access controls are tested and how frequently.

How will my data be physically secured and separated from other customers?

Typically, in a cloud environment, there are some areas where resources are shared by multiple clients of the CSP. A good CSP needs to clearly explain how your vital business data is segregated and secured from other clients. Some CSPs place all of their clients' programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data; this is unacceptable, as custom code creates too much risk. It's critical that CSPs use standard, proven practices, namely data encryption. When CSPs use encryption, however, they must also provide evidence that their encryption and other security methods have been tested, fine-tuned, and proven to be effective. Be sure to question the level and type of encryption algorithms. In addition, in scenarios where common hardware resources are used by the CSP, the use of Virtual LANs (VLANs), Virtual Private Networks (VPNs), and Virtual Machines (VMs) is preferred.

How's my data encrypted?

More important than physical security is data encryption. There are two types of data: data at rest and data in transit. You need to be aware of how both types are secured. The questions to ask are:

a. How does the CSP secure data at rest? The CSP should always encrypt data on storage devices (e.g., hard drives and backups) to avoid data breaches.

b. How secure is the data while it's in transit within the cloud (system-to-system) and between the users and the CSP? Data in transit should always be encrypted, authenticated, and its integrity protected. This ensures that nobody can read or modify the data as it passes through the potential dangers of both public and private networks. There are very well established standards (TLS, IPsec, AES) for doing this that the CSP should have in practice.

What authentication mechanisms are supported by the CSP?

The most common form of providing access to data is the use of passwords. If sensitive data is at stake, single-factor ("1-pass") authentication such as a password alone will not be adequate. Two-factor ("2-pass") authentication, such as the use of passwords along with tokens and certificates, is recommended. For larger organizations, the CSP should be able to use standards such as LDAP (Lightweight Directory Access Protocol) and SAML (Security Assertion Markup Language) to integrate with your directory services or identity management systems prior to authenticating users and determining their permissions. Using these tools ensures that the CSP always has up-to-date information on authorized users to prevent unauthorized access.

What happens if there's a data breach?

You should always be prepared for a data breach. The CSP should have appropriate proactive processes and technologies in place to detect if an application or data is under attack; this means an Incident Response Plan (IRP) should be in place. What are the CSP's response times if there's a security breach, and what's its notification process? Request a history of security breaches and how they were handled by the CSP. How transparent was the organization in its responses? Even if you're satisfied with the CSP's IRP, as an organization you should plan for how you'd respond to your clients in the event of a security breach at the CSP. There may be a misconception that as you transfer computing resources and responsibilities, you're also transferring financial liabilities for data loss, corruption, or business interruption. This is rarely the case unless you've explicitly addressed these items during your contract negotiations, making the CSP responsible for such losses. One thing to check on is the CSP's Technology Errors & Omissions policy and/or Cyber Liability coverage, typically a part of its primary insurance policy. Technology Errors and Omissions insurance provides coverage for costs associated with the malfunction of a policyholder's (the CSP's) product or service, including the cost of fixing the error, replacing the product, and the lost business clients may experience because of the product's or service's failure.

Can the CSP pass muster with the auditors?

Every business has certain conditions it must meet for regulatory compliance. Depending upon the type of data that you will store at the CSP, it may be a requirement to locate a provider that has undergone a security assessment by a third party. For example, FedRAMP (Federal Risk and Authorization Management Program), although still in its infancy, will require any organization that wishes to store federal government-related data to undergo an accreditation process to ensure proper security controls are in place to protect that data. Customers need to find out whether the CSP conducts regular security audits and what its processes are for accommodating the needs of the customer's auditors as well. Ask whether you'll be able to conduct your own security audit (penetration testing). Can you audit the CSP's data security controls? In the event of a security breach, will you be able to conduct a forensic investigation to determine what caused the incident?

Is your cloud computing service SAS 70/SSAE 16 compliant?

Even though a SOC/SSAE 16 report does not offer assurance in all respects, it's certainly a step in the right direction. Cloud users should be wary of CSPs that claim a SOC/SSAE 16 report as proof that their offerings are secure. The SOC/SSAE 16 report only demonstrates that the CSP has a methodical and repeatable process for its operations and appropriate safeguards to protect its IT assets. A comprehensive due diligence effort or the use of a third-party service are currently the primary means of validating the security offerings of the CSP.

What is the CSP's stability factor?

What happens to your data if your CSP goes out of business or is bought out by another company? What guarantees can your CSP give regarding its long-term viability? What mechanisms are in place to guarantee the return of your data in the event of a bankruptcy or other business shutdown or turnover? At the termination of the contract, what guarantees does the CSP provide for the timely transition, removal, and destruction of your data? These must be explicitly addressed in your contract.

Does the CSP offer backup and recovery services?

If the provider offers backup services, what type of services are offered: just data recovery, or is the CSP able to offer more, such as spinning up virtual machines and providing access to both applications and data? Do you have a say in where the data is backed up to? (See the data encryption and regulatory/compliance requirements above.)

What are the contract terms?

Contract terms generally favor the CSP. Unlike typical contracts, where there's a partnership-style relationship between companies, cloud services are different due to the high degree of standardization of the contracts and the services being delivered. An unlikely but possible scenario: what happens to your data and services if the CSP's assets are frozen by law enforcement or regulatory authorities due to the CSP's or a CSP client's activities? This situation has happened and put some organizations out of business when the FBI seized the servers of a CSP for a fraud investigation, rendering its clients' data inaccessible.

Beyond the standard terms and conditions typically found in most contracts, a cloud service contract should address at a minimum the following: service levels, data security breach notification, legal process notification, use of customer data, confidentiality and security requirements, intellectual property rights, compliance with European data protection laws, limitation of liability and damages, indemnity, representations and warranties, terms for renewal or termination of the contract, termination assistance, and secure destruction of customer data at termination.

For this venture to be successful there should be trust between you and the CSP. The CSP should honestly answer all questions and supply all information that you request. There should be total transparency on questions related to security, availability, data integrity, and data privacy. If the CSP refuses to answer, is vague in its response, or cannot provide responses in writing, it's best to move on. By identifying what's important to you, you can build your own scorecard for rating the various CSPs. Remember, these questions are only a piece of the puzzle to help identify a viable solution. Other factors such as cost, business requirements, scalability, and availability should also be taken into consideration prior to making that commitment. As an alternative, third-party services are available that provide a rating scale or assessment rating on a CSP's security, governance, risk management, and compliance.

Cloud services have come a long way since their inception. There are many techniques and technologies used today to secure the cloud, and more are coming. Keep an eye out for cutting-edge technologies such as self-protecting data, trusted monitors, and searchable encryption to enhance cloud security. In the meantime, ask questions. This is one endeavor you don't implement first and question later.

The Cloud Security Alliance (CSA), a not-for-profit organization that exists to promote security best practices within cloud computing, has published a security guide that provides additional details and questions to examine prior to adopting a cloud strategy. This security guide is available at https://cloudsecurityalliance.org.

[Figure (after the Cloud Security Alliance): the three major building blocks of cloud services mapped to IT resources. Infrastructure (servers, network, storage) corresponds to IaaS; OS/back-office (operating system, database, system software) corresponds to PaaS; applications correspond to SaaS.]

The Authors

Judy Wright, 248.223.3304, judy.wright@plantemoran.com
Sri Chalasani, 248.223.3707, sri.chalasani@plantemoran.com
Joe Oleksak, 847.628.8860, joe.oleksak@plantemoran.com

plantemoran.com