As companies increasingly turn to cloud computing for its benefits — including economies of scale and increased productivity — concerns often arise around security. The idea of storing critical business data on a third-party server to which multiple tenants have access could be fraught with danger if not properly planned and executed. As a result, security of data is often a top concern for organizations considering adopting a cloud infrastructure.
The good news is that with the increasing popularity of cloud computing, more cloud vendors have entered the market, giving customers more choices and flexibility. Although vendors often tout security features to differentiate their offerings, it is important to understand the security issues of cloud computing in order to ensure the proper measures are firmly in place to protect company data. Below is a list of top security issues and how to address them in order to gain the comfort to embrace cloud computing.
One key to remember when entering a contract with a new cloud vendor is that although an organization may physically remove data or applications from its immediate control, it doesn’t relinquish the responsibility to ensure that the data remains safe.
An organization is still ultimately responsible for the security and integrity of its own data, even when the data resides in the cloud. Service providers have traditionally been subject to external audits and security certifications. Cloud providers that are unable or unwilling to allow such auditing of their security measures should be avoided.
Location, Location, Location
An organization must assess the specific security risks that storing sensitive data outside the enterprise entails. This requires some data prioritization, considering what should be kept on-site and what should be placed in the cloud, as data in the cloud is typically in a shared environment sitting alongside other organizations’ data.
Access to data can be limited with cloud providers. In some cases, consumers of the cloud may not have access at all. So organizations need to work with business units to determine which data is necessary to share with the cloud provider and understand the provider’s options for where data will be stored, and what level of protection will be provided at each location.
It is important to understand:
- Where the data is being hosted. Data location needs to be part of the contractual agreement.
- Who is managing data in which locations, including data classification, identity access, privacy and response controls.
- How data is being segregated. The cloud provider should offer evidence that encryption schemes are in place and tested.
- Whether data will be accessed beyond the cloud provider’s data centers, such as the corporate office or remote locations.
Depending on the above, the customer should decide which data can be placed where. For example, some countries do not allow data to be transmitted outside their borders. These types of requirements should be identified and considered in order to choose a cloud vendor that can meet them.
Requirements and Certifications
It is important to evaluate whether the vendor will enable you to meet compliance requirements, such as the U.S. government’s Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley (SOX), the European Union’s Data Protection Directive (DPD) or the credit card industry’s Payment Card Industry (PCI) Data Security Standards (DSS).
Cloud Vendor Supply Chain
Just as a supply chain within a company should be considered so that measures can be taken to secure data in a company, it is important to understand the cloud vendor’s supply chain.
Check with the vendor to understand its supply chain to know who could be accessing information, the types of information being accessed and rules governing information sharing. Based on what you find out, determine the appropriate security requirements.
This will require you to understand the cloud provider’s approach to assessing its supply chain’s security posture.
Contracts and SLAs
Service Level Agreements (SLAs) are extremely important in ensuring that data is safeguarded and that service and control processes will run as planned.
The SLA should address areas such as data classification, identity access, privacy, where the data will be stored and who will manage the data. It should also include notification within a specified time (24 or 48 hours) of any breaches that affect the organization.
Depending on the organization’s industry, it should also include notification of any significant changes in the cloud provider’s environment to ensure compliance with regulatory requirements.
A consumer of cloud services should perform an on-site review of the security controls as a requirement to enter a relationship with the service provider. In most cases, this is only done once, and the consumer relies on annual reports/certifications for the following years. Also, in the case of a security breach, it will be important that the cloud vendor can demonstrate that it was meeting the organization’s security requirements by having the required audits to back it up.
When evaluating the audit reports, a few key items to check are:
- Who audited the cloud architecture, and what are the auditor’s credentials?
- What methodologies and technologies were used?
- What was the scope of the audit, and are there any in-scope facility/processes that were not included?
- Does the report include controls mapped to specific frameworks?
Because the above audits were not created specifically for cloud environments, there are several associations working towards helping organizations assess the cloud. For example, the Cloud Security Alliance (CSA) is currently building a cloud security certification standard. A good resource for accepted practices is the National Institute of Standards and Technology (NIST). For questionnaires and tools, Shared Assessments has a number of different options and the Jericho Forum created a cloud cube model that helps organizations determine the cloud model that fits their needs.
In addition to utilizing the SLA to ensure security measures are in place, companies are using continuous monitoring to ensure security of storing sensitive data outside the enterprise. Data stored on a third-party cloud service will bypass the physical, logical and personnel controls of the organization’s in-house IT team, meaning it is crucial to demand transparency from the cloud vendor to be confident that every precaution is being taken to secure data in the cloud.
A continuous monitoring program helps determine whether the set of planned, required and deployed security controls within an information system continues to be effective over time in light of changes that can happen. Consumers can validate that needed controls are in place on a daily, weekly, monthly or quarterly basis. Continuous monitoring helps organizations with a holistic risk management strategy integrated into enterprise architectures. There is currently a drive in the federal space; the annual FISMA reporting now has some update requirements to cover this. I believe that this move will require integrators and vendors of federal to follow this, and this will move to their supply chain as a requirement as well.
Embracing Cloud Computing
Cloud computing vendors offer massive aggregations of computing power, eliminating the headaches of IT, including server and hardware configurations, developing fail-over plans, and even security.
With an understanding and awareness of the above security issues, organizations can work closely with cloud vendors to ensure that the correct security measures are in place to enable them to embrace cloud computing for its benefits without worrying about security of their data in the cloud.
Randy Barr is chief security officer at Qualys.