Jason Parms

Build Trust & Security in Cloud Computing

Cloud computing has become one of the keenest topics in the IT environment. Many people outside of the technical arena have only a vague sense of what cloud computing is. In brief, in cloud computing a public or private network of remote servers – also known as a cluster – is used to manage, store, and process data, rather than data structures that are maintained on site. This means that all the computer hardware and software you are using, rather than being on your desktop or in a server room in your organization’s physical location, are instead provided by another company in another location or locations, and are accessed over a network connection, frequently the Internet.

This creates some significant differences for organizations regarding cloud-computing solutions.

  • The organization’s infrastructure can be vastly simplified by using shared resources. Economies of scale allow a Cloud Service Provider (CSP) to implement complex security measures or large server arrays, which might stress an organization’s resources or even be out of reach entirely.
  • The service is managed by a service provider, freeing an organization’s IT department from much of the burden of internal maintenance of physical systems, virtual systems, access protocols, encryption, SSL security certificates, etc.
  • The service is on-demand, so you pay for what you need as you need it. This eliminates the need for maintaining a robust system with redundancies and management software, which is especially valuable if your needs vary based on time of year or product release cycles. Cloud services can be purchased by subscription, or usage, or by other cost models.
  • The cloud network can be public or private, or even a combination of both (hybrids), allowing organizations to tune the service to the needs of their business and of their users.

Types of cloud computing

Cloud computing is generally divided into three main types: Infrastructure-as-a-service, platform-as-a-service, and software-as-a-service. Here is a brief look at each of these types:

Infrastructure as a Service (IaaS): It includes network hardware, server management, storage, processing, access, serving, and other essential computing functions on which the hiring organization can deploy and use software, including both operating systems and applications. The CSP manages the foundational cloud infrastructure; however, the hiring organization controls operating systems, applications, and other features including network management software, as determined by agreement between the provider and the user of the services.

Platform as a Service (PaaS): Allows the hiring organization to deploy its own software (homegrown or third party) onto the cloud infrastructure using an interface or programming languages and tools provided and/or supported by the CSP. The CSP manages the foundational cloud infrastructure, including all network functions, but the hiring organization deploys and controls applications and application configurations, if agreed to by both the CSP and the hiring organization.

Software as a Service (SaaS): Enables the hiring organization to use applications running on the CSP’s cloud infrastructure. The applications may be made accessible through a browser or through another interface provided by the CSP. The CSP manages the foundational cloud infrastructure, including all network functions, operating systems, storage, and application installation and configuration, and the hiring organization has the use of the software and sometimes individual users’ configurations.

Best Practice for Building Trust & Security

Trust and security are salient issues for organizations that can potentially benefit from migration of their business to the cloud. The question of trust is closely tied to, but somewhat different from, the straightforward issue of security. In the case of trust, the organization is asking not only whether or not security is possible, but also whether or not a CSP can be trusted to implement adequate security.

Many organizations named security as the principal reason for not migrating to cloud computing. In fact, this leaves IT organizations using cloud services on an ad hoc basis to solve specific problems, leading to an informal and partial use of cloud computing that is executed without a sound data governance strategy – sometimes even without the expertise of the organization’s IT department.

By coordinating an organization-wide plan, cloud computing can be implemented while maintaining a similar or even lower level of risk. As security issues escalate in the IT world, the scale and expertise of cloud service providers can actually provide a safer environment than one where all storage, retrieval, and security is managed in-house. Some service providers may try to cover costs with less-than-ideal solutions, infrastructure, and technology, but this is true of any service or product that an organization purchases and due diligence must be performed to ensure the integrity of the cloud service provider.

Cloud service consumers must be sure their providers can furnish a secure environment that protects confidentiality and integrity of data without impeding availability; providers must offer resilience and robustness so they can meet the frequently changing demands required of such a system; and all data and transactions must be audit-ready to ensure compliance is complete and demonstrable.

The most effective way to establish trust is to ensure that all stakeholder domains are addressed and included in the solution. Stakeholder domains in organizations can be defined as Organizational, Technological (IT), Data Management, Operations, Compliance, and Data Governance. We will take a closer look at each of these domains and their role, duties, and expectations, as well as what stakeholders will require from the CSP.

Organizational

Risks: Unintentional and malicious risks from internal and external employees, vendors, suppliers, and users; Misuse by users in the organization; Inherent vulnerabilities in BYOD (Bring-Your-Own-Device) policies, including mobile devices; Access management over time and organizational change.

Organizations should:

  • Define roles and responsibilities as they change during migration. Typically, internal users will no longer have direct operational responsibility for their data, but must step up to their role as owners and governors.
  • Understand and document security and management outlooks for employees, contractors, suppliers, and vendors.
  • Connect IT with the human resource departments of both the CSP and the hiring organization, establishing and maintaining good communication to ensure that access is terminated for employees and third parties as quickly as possible to minimize risk.
  • Train employees to recognize social engineering and other attacks, and to understand how their own roles and behavior can strengthen or undermine security. Ensure employees are familiar with the organization’s security policies and procedures and that they understand what constitutes proper and improper use of data.
  • Adhere to the “principle of least privilege”; meaning organizational access privileges should be assigned at the lowest level that is commensurate with enabling the user to execute his or her job responsibilities.
  • Create a BYOD strategy in collaboration with the CSP, including whether or not to limit device types and/or brands.

Your Cloud Service Provider should:

  • Effectively manage a BYOD environment, including controls that allow the CSP to remotely wipe lost or stolen devices, manage passwords and PIN requirements, and install encryption and anti-malware products on each device. Identifying which cloud services can be accessed from personal devices should be part of this plan.
  • Manage CSP roles and responsibilities in accordance with the organization’s paradigm, and conform to the organization’s confidentiality and non-disclosure agreements and policies.
  • Have a termination plan, so if the CSP is released, a secure hand-off can be effected.
  • Train new contractors, suppliers, vendors, and the internal employees of the CSP itself to the same principles as those of the hiring organization.

Technological

Risks: Vulnerabilities in virtualization infrastructure and application programming interfaces (APIs); Identification and defense of vulnerabilities to the threat.

Organizations should:

  • Implement effective Identity and Access Management (IAM) controls.
  • Confirm the CSP’s infrastructure matches or exceeds the security policies and procedures of the organization.
  • Manage all users centrally, with required access. Duties should be distributed, not concentrated in one or two job descriptions, and the principle of “least privilege” should be maintained.
  • Consider the following when evaluating the CSP: infrastructure management, IAM controls, scalability, flexibility, encryption, and security key management policies, security and availability of APIs, and ownership of essential control mechanisms (the organization or the CSP).

Your Cloud Service Provider should:

  • Maintain access requirements in a secure way while ensuring appropriate people have appropriate access without obstacles.
  • Maintain industry certifications.
  • Provide audit reports to the hiring organization to prove compliance with the organization’s policies.
  • Be able to provide industry-standard, robust encryption mechanisms for data, both in transit and at rest.
  • Use standard APIs for secure, easy data analysis.
  • Stay up-to-date with developments in security and encryption, including awareness of threat technology.

Data Management

Risks: Changing locations for data and changing methods of access; Lack of data awareness (i.e. what types of data, where they reside, the value of data); Compliance with legal requirements for certain data types, such as personal data.

Organizations should:

  • Know what data they own and be aware of the value of their data collection.
  • Understand what legal and regulatory obligations are in effect. This can vary by location and by data type, and may include government access to an organization’s data for national security reasons.
  • Adopt a classification schema for data, with usage policies and a defined owner for each classification, and share this information with the CSP.
  • Recognize that a higher level of control must be applied to data that are more sensitive.
  • Confirm the thoroughness of CSP security monitoring and logging to safeguard data.

Your Cloud Service Provider should:

  • Transmit and store data in a way that conforms to the requirements of the organization.
  • Have or create policies and procedures to inventory, classify, and serve data to the appropriate applications and users without impediment but with high security.
  • Have knowledge of regulatory requirements, especially those concerning privacy, financial, and health data.
  • Employ security mechanisms such as SSL for secure transit and robust encryption for data at rest.
  • Monitor activity to identify anomalies and other possible indicators of a threat.

Operations

Risks: Ceding control of IT operations to a service provider; Physical risks; Business continuity and disaster recovery plan.

Organizations should:

  • Negotiate a process for testing each service, with clearly defined acceptance criteria.
  • Establish an acceptable service level agreement that will meet organizational requirements and which is achievable by the CSP.
  • Have a business continuity and recovery plan in place that includes the CSP.

Your Cloud Service Provider should:

  • Architect systems that are physically secured and robust.
  • Have policies, procedures, and controls in place that monitor and test the service ecosystem.
  • Communicate with the hiring organization regarding risks and back-end issues. This communication is especially important during service disruptions.
  • Provide business continuity information to the hiring organization.

Audit and Compliance

Risks: Contractual obligations; Audit requirements; Legal compliance.

Organizations should:

  • Understand what is required for compliance legally and contractually, and communicate this to the CSP.
  • Identify audit requirements, both internal and third party.
  • Look for a CSP with a reputation for transparency, security, and client-centric policies.

Your Cloud Service Provider should:

  • Provide regulatory information, taking into account the location of the data in the cloud and data types that may require high levels of protection.
  • Help the organization to meet industry regulations, internal compliance requirements, and governmental obligations by providing a comprehensive data management agreement.
  • Conduct audits, which can be independently verified by third parties confirming that the CSP meets industry standards.

Governance

Risks: Risk and Incident management; Supply chain risk management; Data sensitivity and availability.

Organizations should:

  • Establish a data governance policy that includes classification of data, handling of data, data access policies, monitoring and logging of transactions to identify anomalies, and forensic processes to implement if an anomaly has been identified.
  • Evaluate security and data management on an ongoing basis, ensuring continued effectiveness.
  • Define metrics to measure whether the CSP is meeting the organization’s security expectations.
  • Ensure all users of data are familiar with and understand the organization’s data governance policies.

Your Cloud Service Provider should:

  • Hold regular meetings with organizational stakeholders.
  • Conduct risk assessments that evaluate regulatory compliance and policies.
  • Have an electronic incident reporting tool that is available to customers.
  • Maintain and update contact information for regulatory bodies and law enforcement authorities.
  • Follow its own forensic procedures when an incident has occurred.

Conclusion

Historically, IT departments have operated on the principle that the first security measure that should be taken is to take control of one’s data store and infrastructure. The cloud computing concept challenges that convention as data stores grow larger, infrastructures become more complex, and threats become more targeted, dangerous, and malicious. In this environment, the concept of shared resources and expertise becomes very attractive. However, in an environment that is beset by attackers, hackers, and saboteurs, it is critical that an organization have a great deal of trust in its CSP.

The corollary is that it is of the highest importance for a CSP to establish and maintain trust in its systems. It is not enough, in this environment, to be able to offer a high level of security, a robust infrastructure, and expertise in today’s protection technology. A provider must also foster trust in the hiring organization that the CSP is able to provide and maintain that security, even as threats change and grow, and security and defense technologies evolve.
