Moving to the cloud doesn't mean outsourcing your security controls.
Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization.
You don't have to look far to find an article extolling the benefits of cloud computing. After all, by sharing information technology (IT) resources in the cloud, businesses and government agencies of all sizes can leverage their people more effectively. Moreover, cloud service providers (CSPs) can offer shared IT services economically by maximizing the use of IT systems (hardware and software) and systems administration personnel. In addition to lowering one's capital investment, cloud computing provides mobility and can often provide platform-agnostic services. The mobility has the potential to increase the productivity of individuals by providing anytime, anywhere, and from-any-platform access to services and applications. Another potential major benefit of cloud computing is that organizations can leverage what others (CSPs in this case) have built and get back to focusing on their core competencies. An appropriate cloud strategy has the potential to drive innovation not only by changing how IT services are delivered and administered but also by changing the way a business operates. Thus, cloud computing is a strategic move, not an IT-only decision. The impact of such a strategy will have a ripple effect throughout an organization, so the decision to invest in cloud technology should not be taken lightly.

So far we've discussed the positives of adopting a cloud strategy, but as Spiderman's Uncle Ben once said, "With great power comes great responsibility"; after all, cloud computing means entrusting one of your most valuable assets, your data, to a third-party provider. That provider has the responsibility of providing assurances that your data is safe at all times. Although Service Organization Control (SOC) standards provide some level of assurance, currently there are no concrete laws or standards that can establish whether a particular CSP is safe or not.
As an organization evaluating a cloud strategy, the onus is on you to conduct the due diligence to secure assurances from the CSP that your data is safe in their hands. (We should note that cloud computing isn't necessarily good in all instances and for all data. As an organization, you must weigh the cost and benefit of the strategy and proceed accordingly.) According to meritalk.com, the government sector alone could realize savings of up to $14 billion annually by using cloud-based services. So why aren't more organizations jumping at it? You guessed it: data security. It's paramount, then, that we find ways to ensure the security and privacy of data in the cloud so that we all can safely reap the full benefits of this continually evolving technology.
There are significant efforts by both the private and public sector, such as the CSA (Cloud Security Alliance), the GSA (Government Security Agency), and NIST (National Institute of Standards and Technology), to provide tools to assess and select cloud computing services that satisfy security requirements. Standards are a critical component of our ability to realize the true potential of cloud computing, and NIST is working closely with the industry on the development of standards to support cloud computing infrastructure, metrics, interoperability, and assurance. Cloud computing won't realize its true potential until more CSPs and buyers fully understand security requirements in the cloud.

So, in its current state, if a cloud strategy is adopted, does that mean that you're at the mercy of the CSP's security offerings/controls, or that you no longer have control of your data? No, not with the right amount of due diligence. By asking the right questions of the CSP, you should be able to realize the potential of the cloud yet sleep well at night knowing that your data is safe and you're in control of it. By establishing basic security requirements early and asking key questions, companies can position projects for success and avoid common security-related issues.

Various levels of cloud services can be procured, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Regardless of the service, there are some baseline questions to ask of the CSP. The more you rely on the CSP to provide turnkey services, such as in the SaaS model, the deeper an understanding you need to have of how your data is secured and controlled. So, if I were looking to migrate some or all of my mission-critical and sensitive data to a CSP offering, here are the key security-related questions that I would ask. The questions below are targeted at a CSP providing SaaS, but a majority of them would apply to an IaaS or a PaaS offering as well.

Who's managing my data?
Ask about the qualifications and backgrounds of the cloud company's staff. These administrators have privileged access to your data; you should know who they are. Also ask how new hires are screened and what ongoing checks (such as random testing and background checks) are performed. Ask about other business partners that may have direct or indirect access to your data. For example, if the CSP is outsourcing its systems backup to someone else, what controls are in place to secure your data?
Where's the data actually located, and will the data be replicated at other data centers?

Many enterprises must comply with regulations that are based on the data's geographic location. Based on your regulatory requirements, are there requirements regarding where in the world your data may be stored? Compliance requirements may restrict how data is exported to other countries and dictate what security measures need to be in place and what auditing standards you need to comply with. You should also be familiar with local privacy laws and regulations where the data is going to be stored. Local laws may provide for a government's or litigant's right to inspect data being stored by the CSP. Can you take that chance? The CSP should have strong policies and practices in place that address legal and regulatory requirements such as data security, data exporting, compliance and auditing standards, data retention, legal discovery, and data destruction. As an organization, you should have these policies and practices reviewed by your legal and regulatory experts to ensure that they adequately meet your needs. Between you and the CSP, it should be mapped out how data storage is handled and whether their policies put you in compliance with your regulatory requirements. For companies operating in the United States, Canada, or Europe, there are a number of regulatory requirements and standards in effect, including ISO 27002, Safe Harbor, ITIL, and COBIT. Understanding your data location requirements will ensure you make the best choice of cloud CSP.

What access controls are in place?

Just because physical control is being transferred doesn't mean you're giving up your right to know what controls are in place to limit risk. CSPs need to disclose the exact data access control processes that dictate their administrators' actions, and you should have a full understanding of who can access what data and under what conditions. Ask how the access controls are tested and how frequently.
How will my data be physically secured and separated from other customers?

Typically, in a cloud environment, there are some areas where resources can be shared by multiple clients of the CSP. A good CSP needs to clearly explain how your vital business data is segregated and secured from other clients. Some CSPs place all of their clients' programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data; this is unacceptable, as custom code creates too much of a risk. It's critical that CSPs use standard, proven practices, namely data encryption. When CSPs use encryption, however, they must also provide evidence that their encryption and other security methods have been tested, fine-tuned, and proven to be effective. Be sure to question the level and type of encryption algorithms. In addition, in scenarios where common hardware resources are used by the CSP, the use of Virtual LANs (VLANs), Virtual Private Networks (VPNs), and Virtual Machines (VMs) is preferred.

How's my data encrypted?

More important than physical security is data encryption. There are two types of data: data at rest and data in transit. You need to be aware of how both types are secured. The questions to ask are:

a. How does the CSP secure data at rest? The CSP should always encrypt data on storage devices (e.g., hard drives and backups) to avoid data breaches.

b. How secure is the data while it's in transit within the cloud (system-to-system) and between the users and the CSP? Data in transit should always be encrypted, authenticated, and its integrity protected. This ensures that nobody can read or modify the data as it passes through the potential dangers of both public and private networks. There are very well established standards (TLS, IPsec, AES) for doing this that should be in practice at the CSP.
What authentication mechanisms are supported by the CSP?

The most common form of providing access to data is via the use of passwords. If sensitive data is at stake, a 1-pass authentication such as a password only will not be adequate. A 2-pass authentication, such as the use of passwords along with tokens and certificates, is recommended. For larger organizations, the CSP should be able to use standards such as LDAP (Lightweight Directory Access Protocol) and SAML (Security Assertion Markup Language) to integrate with your directory services or identity management systems prior to authenticating users and determining their permissions. Using these tools ensures that the CSP always has up-to-date information on authorized users to prevent unauthorized access.

What happens if there's a data breach?

You should always be prepared for a data breach. The CSP should have appropriate proactive processes and technologies in place to detect if an application or data is under attack; this means an Incident Response Plan (IRP) should be in place. What are the CSP's response times if there's a security breach, and what's its notification process? Request a history of security breaches and how they were handled by the CSP. How transparent was the organization with its responses? Even if you're satisfied with the CSP's IRP, as an organization, you should plan for how you'd respond to your clients in the event of a security breach at the CSP. There may be a misconception that as you transfer computing resources and responsibilities, you're also transferring financial liabilities for data loss, corruption, or business interruption. This is rarely the case unless you've explicitly addressed these items during your contract negotiations, making the CSP responsible for such losses. One thing to check on is the CSP's Technology Errors & Omissions policy and/or Cyber Liability coverage, typically a part of its primary insurance policy.
Technology Errors and Omissions insurance provides coverage for costs associated with the malfunction of a policyholder's (in this case the CSP's) product or service, including the cost of fixing the error, replacing the product, and the lost business clients may experience because of the product's or service's failure.

Can the CSP pass muster with the auditors?

Every business has certain conditions it must meet for regulatory compliance. Depending upon the type of data that you will store at the CSP, it may be a requirement to locate a provider that has undergone a security assessment by a third party. For example, FedRAMP (Federal Risk and Authorization Management Program), although still in its infancy, will require any organization that wishes to store federal government-related data to undergo an accreditation process to ensure proper security controls are in place to protect that data. Customers need to find out whether the cloud CSP conducts regular security audits and what its processes are for accommodating the needs of the customer's auditors as well. Ask whether you'll be able to conduct your own security audit (penetration testing). Can you audit the CSP's data security controls? In the event of a security breach, will you be able to conduct a forensic investigation to determine what caused the incident? Is your cloud computing service SAS 70/SSAE 16 compliant? Even though the SOC/SSAE16 does not offer assurances from all aspects, it's certainly a step in the right direction. Cloud users should be wary of cloud CSPs that claim a SOC/SSAE16 report as proof that their offerings are secure. The SOC/SSAE16 only demonstrates that the CSP has a methodical and repeatable process for its operations and appropriate safeguards to protect its IT assets. A comprehensive due diligence effort or the use of a third-party service are currently the primary means of validating the security offerings of the CSP.
What is the CSP's stability factor?

What happens to your data if your cloud service CSP goes out of business or is bought out by another company? What guarantees can your cloud CSP give regarding its long-term viability? What mechanisms are in place to guarantee the return of your data in the event of a bankruptcy or other business shutdown or turnover? At the termination of the contract, what guarantees does the CSP provide for the timely transition, removal, and destruction of your data? These must be explicitly addressed in your contract.

Does the CSP offer backup and recovery services?

If the provider offers backup services, what type of services are offered: just data recovery, or is the CSP able to offer more, such as spinning up virtual machines and providing access to both applications and data? Do you have a say in where the data is backed up to? (See data encryption and regulatory/compliance requirements.)

What are the contract terms?

Contract terms generally favor the CSP. Unlike typical contracts, where there's a partnership-style relationship between companies, cloud services are different due to the high degree of standardization of the contract and the services being delivered. An unlikely but possible scenario: what happens to your data and services if the CSP's assets are frozen by law enforcement or regulatory authorities due to the CSP's or a CSP client's activities? This situation has happened and put some organizations out of business when the FBI seized the servers of a CSP for a fraud investigation, rendering its clients' data inaccessible.
Beyond the standard terms and conditions typically found in most contracts, a cloud service contract should address at a minimum the following: service levels, data security breach notification, legal process notification, use of customer data, confidentiality and security requirements, intellectual property rights, compliance with European data protection laws, limitation of liability and damages, indemnity, representations and warranties, terms for renewal of the contract or termination, termination assistance, and secure destruction of customer data at termination.

For this venture to be successful, there should be trust between you and the CSP. The CSP should honestly answer all questions and supply all information that you request. There should be total transparency on questions related to security, availability, data integrity, and data privacy. If the CSP refuses to answer, is vague in its response, or cannot provide responses in writing, it's best to move on. By identifying what's important to you, you can build your own scorecard for rating the various CSPs. Remember, these questions are only a piece of the puzzle to help identify a viable solution. Other factors such as cost, business requirements, scalability, and availability should also be taken into consideration prior to making that commitment. As an alternative, third-party services are available that provide a rating scale or assessment rating on a CSP's security, governance, risk management, and compliance.

Cloud services have come a long way since their inception. There are many techniques and technologies used today to secure the cloud, and more are coming. Keep an eye out for cutting-edge technologies such as self-protecting data, trusted monitors, and searchable encryption to enhance cloud security. In the meantime, ask questions. This is one endeavor you don't implement first and question later.
The Cloud Security Alliance (CSA), a not-for-profit organization that exists to promote security best practices within cloud computing, has published a security guide that provides additional details and questions to examine prior to adopting a cloud strategy. This security guide is available at https://cloudsecurityalliance.org.

[Figure: Cloud Security Alliance model of cloud services. Three major building blocks (infrastructure, OS/back office, applications) are mapped to IaaS, PaaS, and SaaS, layered over the IT resources: servers, network, storage, operating system, database, and system software.]
The Authors

Judy Wright, 248.223.3304, judy.wright@plantemoran.com
Sri Chalasani, 248.223.3707, sri.chalasani@plantemoran.com
Joe Oleksak, 847.628.8860, joe.oleksak@plantemoran.com
plantemoran.com