Cloud Security: It’s in the Cloud - But Where? (Part II)

Monday, June 22, 2015

Steve Durbin

D36d0936f0c839be7bf2b20d59eaa76d

In Part I, I looked at the benefits and business drivers of the cloud. Today, let’s discuss how organizations can enable cloud resilience and why it’s necessary to secure the cloud provider.

Cyber resilience has never been more important than it is today. As everything from supply chain management to customer engagement shifts to the cloud, operating in cyberspace now has bottom line implications if systems are disrupted. Cyber cloud resilience requires a balanced approach that protects both organizations and individuals while also enabling open, safe commerce and communications.     

Unfortunately, the risks that accompany doing business in cyberspace don’t always allow for that. In order to achieve cyber resilience, risk management should encompass the unexpected with regard to confidentiality, integrity and availability of information as it is transferred to the cloud.  At the same time, resilient organizations recognize the unintended business consequences from activity in cyberspace such as how their commercial, reputational and financial risks are real and growing.

Governance

I’ve already mentioned the need for a corporate policy. Businesses of all sizes need a good set of guidelines that will provide insight how to securely manage data in a cloud environment. One example of guidelines would be the Information Security Forum (ISF) Standard of Good Practice(The Standard). The Standard is used by many global organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and our members maintain their position at the leading edge of good practice in information security.

To me, cloud is becoming part of an enterprise’s critical infrastructure. The network boundary has completely disappeared. Today, it is made up of a variety of different devices and different people’s networks. Throwing a security blanket around this is pretty much impossible. So we have to be looking at the way we engage with third parties and the way which we manage information. The Standard is an excellent way of encapsulating all of this.

Cloud Architecture

The effect of cloud architecture shouldn’t be underestimated on your ability to protect your information. If you’re using a SaaS, you will have far less control over what it is you can do to specify to a third party provider in terms of the level of security that they might be able to provide to you. If you are moving more into a PaaS or an IaaS, then of course you want to have more insight into the way that an organization might be providing that level of service to you.

Moving forward, organizations need to focus on information, the impact on information, the risks associated with the loss or contamination of information – and classify the information. Concentrating on the organizations information will bring clarity to decision-making when assessing risk and examining treatment options.

Focusing on information helps prevent being overwhelmed by an ever-increasing collection of device specific or application-specific measures. It also facilitates solutions that work across myriad devices, improving scalability. When sharing information, there are several questions that need to be answered:

  1. How is the information being transferred?
  2. Where is the information being shared?
  3. Who has access to the information?
  4. When do they have access to your information?
  5. How much information is being shared?
  6. How much access do suppliers have to information and assets and how is it controlled?
  7. How is the information being shared protected by those who receive it?

If you can answer each of these questions, then you are well on your way to having a secure cloud implementation.

Securing the Cloud Provider

Depending on the nature and sensitivity of information being stored, greater due diligence is often needed when choosing a cloud provider because, unlike other kinds of suppliers, a cloud provider has access to data that's critical to your business. Furthermore, if something does go wrong -- the cloud service provider is 'harvested,' or worse, cloud services are compromised and data is lost -- the responsibility for that lost data or compromised information lies with you, not with the service provider.

It is essential then that companies go into these relationships with their eyes open, assess the service provider thoroughly and ensure that they are able to provide the level of assurance and contingency that is required. This will vary from company to company so there really is no shortcut here. Do the work, conduct the assessment, assess the risk and then and only then buy the service.

There are three areas that need to be reviewed as part of this process: purchasing, contracting and managing.

The first area is purchasing. For me, cloud purchase is a business decision, so from a security perspective, we need to be helping with the process of selecting the cloud provider. We also must help determine what will be stored in the cloud. This should include an assessment of the information risk.

Agreeing on the cross-border, or multi-jurisdiction legislative or regulatory requirements are key areas for attention.  And here the landscape continues to change. There are many issues that are in a constant state of flux, depending on the different maturity levels of the markets. It can be helped, though, by identifying the critical, sensitive information. It may turn out that some of your data is just not cloud ready.

It is also worth, at this stage, assessing the security practices of your potential provider. Not everyone does that but it could be extremely beneficial to you. The provider is storing some of your most private and sensitive data, so digging into the level of security your provider has and will be providing is of the utmost importance.

In the end, you won’t be with the same cloud provider forever. Also, individual pieces of data won’t be in the same cloud forever and will change and develop over time. How do you manage change and version control?  How will you ensure the appropriate data has been destroyed when this becomes necessary? Think about an exit strategy before you sign that contract.

Second, is the contracting phase. This may seem obvious, but cloud contracts need to be reviewed by legal and purchasing. Until now, involving security in this discussion was just an afterthought. But nowadays, security is being brought into the discussion earlier, and more often, than ever before. This stands to reason as security brings a different point of view than you might see from either the legal or purchasing department, and with information security being top-of-mind, their perspective can often be enlightening.

Contracts should also be kept up to date and reviewed on an ongoing basis. Why do I say that? Cloud providers are frequently updating their infrastructure as technology develops. There may be an impact on the way that your information is being stored and/or managed. Furthermore, contracts need to ensure the confidentiality, integrity and availability of your information and systems. For example: what is your uptime requirement? The answer to all of these things is that they need to comply with the requirements of your business. As this is a business decision, it is very important that the business leaders are involved with the contract phase and all of the decisions made to establish the operating baseline.

Finally, businesses must manage the cloud provider. For me, this is about integrating your cloud provider into your standard vendor management lifecycle. It’s about defining the requirement, finding the right supplier and ensuring that the service continues to be fit for purpose and meets the needs of the business, including maintaining the security requirements. Key questions to consider include how is your business data being stored? If you are managing intellectual property (IP), what levels of security exist?  How do you manage data that may have gone out of date that is being stored in the cloud? Time must be taken to ensure that you have incorporated this thinking into your standard vendor management lifecycle.

 

In Part III, I’ll touch upon the need to institute a cloud assessment process and provide four actions that organizations of all sizes can take to better prepare themselves as they place their sensitive data in the cloud.

11327
Cloud Security General HIPAA PCI DSS General General Infosec Island Budgets Enterprise Security Policy Security Awareness Security Training Breaches CVE DB Vulns US-CERT Privacy Vulnerabilities Webappsec->General General PDAs/Smart Phones
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.