Advertisment
Business Technologies

Trusting the Cloud

author-image
DQI Bureau
New Update

Cloud computing is remolding the way information technology is stored, managed, and delivered. For many forward thinking IT managers, the way forward goes to the cloud. In spite of the great promise of the cloud, some government agencies and enterprise organizations are holding back from fully embracing it. For the majority of them, it all boils down to one question: Can they really trust the cloud?

Advertisment

Unlike any conventional outsourcing where it is still very much like unconnected computing, cloud separates data from infrastructure and obscures low-level operational details, like the location of the data and its replication technique, etc. Multi-tenancy, which is an oddity in traditional IT outsourcing, is almost a prerequisite in cloud computing services. These differences give rise to a gamut of security and privacy issues that not only impact your risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, etc.

Majorly, the issues and the constraints related to security and compliance on the cloud can be grouped into the following headers-

Security and Privacy: Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity management top the list of security issues for cloud computing. Privacy is another key concern. Data that is collected by the service provider for providing a particular service has major potential to be misused by the different marketing agencies. This data can be further used to promote some irrelevant service and can cause undue stress to the user.

Advertisment

There is an utmost need to encrypt multi-use credentials, such as credit card numbers, passwords, and private keys, in transit over the internet. Although cloud provider networks may be more secure than the open internet, they are by their very architecture made up of many disparate components, and disparate organizations share the cloud. Therefore it is important to protect this sensitive and regulated information in transit even within the cloud provider's network. Typically, this can be implemented with equal ease in SaaS, PaaS, and IaaS environments.

Organizations must approach the cloud with the understanding that they may have to change providers in the future. Portability and interoperability must be considered up-front as a part of the risk management and security assurance of any cloud program. Large cloud providers can offer geographic redundancy in the cloud, hopefully enabling high availability with a single provider. Due to a general lack of interoperability standards and sufficient market pressure for these standards, transitioning between cloud providers may be a painful manual process. From a security perspective, our primary concerns are maintaining consistency of the security controls while changing environments.

Advertisment

Compliance and Audit: The users who have compliance requirements need to understand whether and how utilizing the cloud services might impact their compliance goals. Data privacy and business continuity are 2 big items for compliance. A number of privacy laws and government regulations have specific stipulation on the data handling and BC planning. For instance, EU and Japan privacy laws demand that private data-email is a form of private data recognized by the EU-must be stored and handled in a data center located in EU territories. Government regulations that explicitly demand BC planning include the Health Insurance Portability and Accountability Act (HIPAA), Federal Financial Institutions Examination Council (FFIEC), Basel II, Payment Card Industry (PCI), and the UK Contingency's Act. The problem for the cloud customer is that applications deployed to cloud fabrics are not always designed with data integrity and security in mind. This may result in vulnerable applications being deployed into cloud environments, triggering security incidents and eventually compliance breach for that particular organization. Additionally, flaws in infrastructure architecture, mistakes made during hardening procedures, and simple oversights present significant risks to cloud operations. Of course, similar vulnerabilities also endanger traditional data center operations.

Advertisment



Areas of Concern

Precaution/Recommendation

Advertisment

Governance

The wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn't alleviate the need for governance. On the other hand it amplifies the need. The normal processes and procedures set in place by an organization for acquiring computational resources as capital expenditures maybe easily bypassed by a department or an individual and the action obscured as operational expenses. If such actions are not governed by an organization, its policies and procedures for privacy, security, and oversight could be overlooked and the organization put at risk. For example, vulnerable systems could be deployed, legal regulations could be ignored, charges could amass quickly to unacceptable levels, resources could be used for unsanctioned purposes, or other untoward effects could occur.

For an organization to ensure that its systems are secure and risk free, it is vital that proper governance policies and tools are in place prior to any substantial investment in cloud. Also, audit mechanisms and tools should be in place to determine how data is stored, protected, and used to validate services and verify policy enforcement. Compliance and Audit Of the proliferation of regulations touching upon information technology with which organizations must comply, few were written with cloud computing in mind. Auditors and assessors may not be familiar with cloud computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand:



Regulatory applicability for the use of a given cloud service

Division of compliance responsibilities between cloud provider and cloud customer

Cloud provider's ability to produce evidence needed for compliance

Cloud customer's role in bridging the gap between cloud provider and auditor

Having said that, a customer will often need the ability to audit the cloud provider, given the dynamic natures of both the cloud and the regulatory environment. The client should obtain the right to audit clause from the supplier particularly when using the cloud provider for a service for which the customer has regulatory compliance responsibilities. Identity and Access Management In line with today's aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organization's readiness to conduct cloud based Identity and Access Management (IAM), as well as understanding the capabilities of that organization's cloud computing providers. The key areas which will need extensive focus would be :

Identity Provisioning/Deprovisioning

Authentication

User profile management

Federated identity management

Review and assess the cloud provider's offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.

Capabilities offered by cloud providers are not currently adequate to meet enterprise requirements. Customers should avoid proprietary solutions such as creating custom connectors unique to cloud providers, as these exacerbate management complexity. Both the cloud provider and the customer enterprises should consider the challenges associated with credential management and strong authentication, and implement cost effective solutions that reduce the risk appropriately.
Advertisment
Business Continuity and Disaster Recovery The sheer pace of change and lack of transparency within cloud computing requires that business continuity planning and disaster recovery professionals be continuously engaged in vetting and monitoring your chosen cloud providers.

The service provider should completely understand and ensure that the Recovery Time Objectives (RTOs) are fully understood and defined in contractual relationships and are merged into the technology planning process. Ensure technology roadmaps, policies, and operational capabilities can satisfy these requirements. The client also needs to check whether the BC program is based or mapped to all the practices listed in BS 25999. The cloud supplier needs to be vetted via the company Vendor Security Process (VSP) so that there is complete understanding of what data is to be shared and what controls are to be utilized. Incident Response, Notification, and Remediation The very nature of the cloud program is confusing when it comes to determine the contact party to inform about any incident or security breach. The issue with cloud is that the applications are rarely designed with cloud integration in mind. This may result in vulnerable applications being deployed into cloud environments, triggering security incidents. Additionally, flaws in infrastructure architecture, mistakes made during hardening procedures, and simple oversights present significant risks to cloud operations. This may further endanger data center operations. The complexities of large cloud providers delivering SaaS, PaaS, and IaaS capabilities create significant incident response issues that potential customers must assess for acceptable levels of service. When evaluating providers it is important to be aware that the provider may be hosting hundreds of thousands of application instances. From an incident monitoring perspective, any foreign applications widen the responsibility of the security operations center.

Advertisment

A number of aspects should be considered by the auditors when reviewing a cloud compliance stature for an organization:

  • Criticality of the application being sent to the cloud. While it is less risky to start with, sending noncritical applications to the cloud, significant applications such as a business-to-business or business-to-consumer website should be moved to the cloud only after careful consideration.
  • Country-specific regulations that affect the organization's business and require specific safeguards. Industry regulations such as the Gramm-Leach-Bliley Act (GLBA) in the US require safeguards to protect a client's non-public personal information, depending on how the organization collects, stores, and uses the information. Under the US model of privacy, consumers have the choice to opt-out of the information being shared with affiliated parties; in the European Union, Canada, and some other countries, privacy laws are stringent and require specific opt-in by consumers.
  • Auditors examining the cloud vendor's policy on vulnerability management and reporting commitment to following up on potential security incidents, and ability to respond promptly to reports.
  • Cloud users' experience with service level agreements (SLAs) and vendor management.

Legal and Contractual: Liability and intellectual property are just a few of the legal issues that you must consider. Liability is not always clear-cut when it comes to cloud services. The same goes for intellectual property (IP). For some services, the IP issue is well understood where the cloud provider owns the infrastructure and the applications, while the user owns its data and computational results. In other cases, the division is not quite so clear. In software components-as-a-service, it can be difficult to delineate who owns what and what rights the customer has over the provider. It is therefore imperative that liability and IP issues are settled before the service commences.

Compliance with recent legislative and administrative requirements around the world forecast stronger collaboration among lawyers and technology professionals. This is especially true in cloud computing, due to the potential for new areas of legal risk created by the distributed nature of the cloud, compared to traditional internal or outsourced infrastructure. Numerous compliance laws and regulations in the United States and the European Union either impute liability to subcontractors or require business entities to impose liability upon them via contract. Courts are now realizing that the information security management services are critical to making decisions as to whether digital information may be accepted as evidence. While this is an issue for traditional IT infrastructure, it is especially concerning in cloud computing due to the lack of established legal history with the cloud.



The Way Forward

Like any developing and emerging information technology field, cloud computing should be approached with due consideration to the sensitivity and integrity of data. Detail introspection and planning helps to ensure that the computing environment is as secure as possible and is in compliance with all relevant organizational policies and that data privacy is maintained.

The objectives that an organization sets for its security drive the decisions like IT services outsourcing and moreover major steps like public or private cloud computing environment. Based on the above stated issues and doubts faced by the prospective cloud client, mentioned are the set of precautions and recommendations for an organization, that it needs to consider from security in the cloud perspective (see Box). Large organizations, who are expanding their operations and looking for ways to neutralize the financial impact by exploring cloud option, should review and comprehensively study the cloud providers security function individually and decide whether the setup of infrastructure, the governing policies, the SLA contracted is sufficient to meet their set of needs.

The current cloud service offering in the market is still in developing stage and as a result, has yet to offer a convincing solution pertaining to security and compliance management. So in the end, it's imperative for the organization to assure that the solution offered by the cloud service provider thoroughly addresses their security and compliance needs.

Advertisment