With cloud computing, as with data breaches, it is a question of “when” not “if”, so what can information security professionals do practically to manage security compliance in the cloud?
Public cloud computing gives the individual company much less control than a private cloud – but greater scalability, elasticity and business benefit. Software-as-a-service (SaaS) offerings give the company much less control than infrastructure-as-a-service (IaaS) offerings, where the company remains in charge of operating system configurations and application platform patches.
For John Colley, managing director, Emea, of ISC(2), cloud computing is good news for IT security professionals, since it forces organisations to focus on the basics. “Understand your business and what it is doing, develop the appropriate policy and enforce it,” he says.
After all, using the public cloud effectively is an IT governance issue that starts with an assessment of the impact cloud is having on the organisation to devise a strategic and workable approach.
Colley says security professionals need to assess both planned projects to migrate particular processes over to the cloud and unplanned activities. “We know any employee with a company credit card is able to access a cloud-based resource; and we know that they are, given the popularity of Dropbox, Google Docs, cloud-based collaboration software, Skype for business and the like,” he says.
Colley recommends that chief information security officers (CISOs) shift their focus from managing upward to gain board support and budget to managing across the organisation to engender broader appreciation for requirements across all departments. This should open more doors to engage in the discussions that are taking place informally, as well as the formal, enabling them to anticipate and provide for those requirements, he says.
“It’s about bringing down the barriers and adopting a more open approach to security and IT so both departments have a finger on the pulse of what tools and technologies are considered important to enabling the organisation to achieve its business goals,” he adds.
Colley believes that without an open approach there is no foundation for understanding what matters in terms of compliance. “We can follow all the advice in the world about the development of frameworks – the issues to address with suppliers and the areas they are likely to have addressed anyway – but if we don’t have a grip on the impact cloud is having on our business, we cannot assure compliance.”
Risk assessment to identify costs, risks, probabilities and business impact are key to any successful cloud outsourcing strategy. Phil Stewart, director of communications at ISSA UK, urges CISOs to ask questions such as: What makes business sense to outsource? What is simply too risky or cost ineffective to outsource? And, what are the legal implications of moving the data?
For Stewart, the international standard ISO 31000, "risk management – principles & guidelines", is an extremely useful reference for assessing business risks.
Part of this risk assessment process is also identifying what current assets an organisation has, and the impact to the business should they become unavailable or lost. Stewart stresses the importance of identifying and categorising data already within the organisation and the business processes around them. For example, storing credit card data inhouse currently and outsourcing the storage would mean an increased scope for PCI DSS (although outsourcing the payment transactions themselves to an approved provider usually makes sense). Storing personal data could have legal ramifications if stored or replicated outside the country of the data subject, he warns.
Stewart says there are two pressing issues that need to be addressed by the information security community. His first concern is addressing the new threats that virtualisation poses within cloud computing. The second is the ability for SMEs to perform due diligence effectively for an outsourced provider, given they rarely have in-house technical or legal expertise. “I suspect the answer is an assurance programme for cloud providers that effectively addresses these questions,” he adds.
He says SME security itself can also be improved by innovative suppliers offering “security in the cloud”, such as taking enterprise-class reporting aspects and managing alerts and logs for SMEs remotely: having the expertise to alert them of threats that the SME might not be able to identify for itself.
Data sensitivity issues
Carsten Casper, research director at Gartner, urges companies to look at the sensitivity of their data and their business processes and then find the cloud computing or as-a-service model with the highest benefit and the lowest risk.
“That’s not rocket science. It’s something we’ve been doing in hosting, outsourcing, offshoring, etc, for many years. Some European universities move their students’ e-mail to the public cloud," he says. "Some companies have long been using CRM and HRM as a service, accepting that datacentre locations are barely known and rarely audited.
"Gartner describes three styles of cloud computing: with low sensitivity, where the client accepts whatever security controls the provider has to offer; with medium sensitivity, where the client uses a trusted third party for security; and with high sensitivity, where basically all information is encrypted on-premises before it is transmitted into the cloud.”
Casper urges organisations to consider additional controls, which may technical, contractual or even organisational. Some companies ask cloud providers to commit to a European datacentre location to minimise legal risk. Others would prefer to see that the provider is certified against a cloud security standard, but a widely recognised standard does not exist yet, he warns.
Another option he has seen is encrypting e-mails within the public cloud, where companies keep keys on their own premises while leveraging most features of the cloud platform. For Casper, the most critical requirement in most scenarios is transparency. “Companies – and even more so regulators – want to be able to audit cloud providers. Those who allow this to happen will have a competitive advantage for years to come.”
Dani Briscoe, research services manager at The Corporate IT Forum, says an organisation’s risk appetite will largely direct the amount of cloud that is used. If an organisation has already outsourced its development, support or business process to an external supplier in say, India or China, it is more likely to be predisposed to have a risk appetite that would welcome investment in the cloud. Once that formula has been accepted, then cloud services can be viewed as an outsource agreement with a virtual supplier. The next stage is to understand the contract offered and to ensure that all the necessary questions have been answered sufficiently – the most pertinent being data location, ownership and who is responsible for the controls around the data.
Briscoe says internal access controls are frequently stricter than those applied to cloud services. "At the recent Data in the Cloud workshop hosted by the Forum in London, there was much discussion around the sensitivity of data stored and country-specific legal requirements to be considered when contracting cloud services and the financial and reputational cost of data leakage," she says.
There was also concern about the ease with which end users can circumvent existing security policies and controls and directly contract with cloud suppliers. "This is not a concern where data is non-sensitive and the organisation owns the IP, but of grave concern if data is not vetted before being placed outside the organisation's control…there has to be a business agreement on the acceptable risk,” says Briscoe.
Organisations must develop new policies and processes to take into account the vagaries of data in the cloud. So, current practices not specifically controlling or regulating data in the cloud could leave organisations open to changes made by the provider with little or no notice.
Finally though, the question that must be asked is, "Why be worried?" If there is currently no concern about the security of data held by the organisation, or if there is little security around it, is it necessary to be concerned about moving this data to the cloud? Many members were candid in this discussion, agreeing that there is an element of the "unknown" and a perceived lack of control leading the business and IT professionals working on these projects to take an approach that was sometimes more risk averse than other projects with more traditional outsource providers, says Briscoe.