As more organisations look at ways of cutting costs, outsourcing IT to the cloud makes sense from a commercial perspective. Is your company and customer data secure in the cloud, however? Have you taken adequate steps to do thorough due diligence in the procurement cycle? Rushing to the cloud may raise compliance issues you have not considered.
Earlier this year I was invited to attend the Cloud Computing World Forum in London. What came as no surprise is that cloud computing is already widely adopted by many large organisations. As one CISO put it so succinctly: when your boss asks you to reduce costs by over 20% – we’ve already bought the cheaper coffee and reduced headcount, we now need to outsource our IT – both to reduce operating costs and free up valuable floorspace for other purposes. Whilst there were some good sessions in the conference on security in the cloud, what struck me is how few vendors present were focused on security.
In many ways the challenges of security in the cloud are no different from those the information security professional has always had to face: confidentiality of data, integrity of data, and availability of data and services. The three challenges that I would argue are new to cloud computing, however, are: due diligence of suppliers, to ensure there aren’t legal and compliance issues; user authentication, within the context of being managed by a third party; and the unique threat that virtualisation poses when used in cloud computing.
Due Diligence of Suppliers
Before you can even consider migrating to the cloud, you need to identify and classify your data in-house. What data is customer-sensitive and business-sensitive? Where is it stored currently? Are you storing personal data and/or credit card data? Think about the implications for compliance, for example with the Data Protection Act 1998 and PCI DSS. If you are storing credit card details and you outsource operations, you may well increase the scope of your PCI DSS assessment. For most organisations it usually makes sense to outsource credit card payment transactions to a PCI DSS compliant provider. Regarding the Data Protection Act 1998 here in the UK, it is worth bearing in mind the 8th principle of the Act:
“8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
As the law stands at the time of writing, in the UK you remain the data controller for personal data; outsourcing the data storage and management to a third party doesn’t change this. You therefore need to make sure you ask appropriate questions of your proposed suppliers. A good starting point, though not an exhaustive list:
- Where is the data hosted?
- Where is the data replicated to?
- What technical, physical and procedural controls are in place to protect the outsourced assets?
- Is the proposed provider certified against any internationally recognised standard? ISO 27001 certification and PCI DSS compliance are helpful indicators here.
- What are the local data protection laws in the country or countries where the data is hosted and replicated?
It must be stressed that you should always seek legal advice when determining whether the proposed supplier offers the same level of data protection as is required under your own jurisdiction.
You should also carry out a proper risk assessment to identify which services are business critical, which make business sense to outsource, and which are simply too risky or not cost-effective to outsource. What are the legal implications of outsourcing the data? The international standard ISO 31000 (Risk management – Principles and guidelines) is an extremely useful reference for implementing a risk management process.
User Authentication in the Cloud
Secure user authentication is not a new challenge in itself, but when combined with a remote network hosted by a third party it does present some new challenges. One example: if a user is already authenticated internally on your network, perhaps via a directory service, can they be seamlessly recognised by the third party’s network without compromising security? Mobile workers, increasing both in number and in the variety of mobile devices they use, also need to be authenticated by the cloud provider’s network securely, without in any way compromising the security of your data on the provider’s network or indeed on your own network.
One vendor which has impressed me in this space is Ping Identity, who offer identity management software to enable Single Sign-On as a service for cloud resources. It integrates with both mobile devices and web browsers, and with Active Directory or cloud identity providers. In addition, Ping Identity extends the capabilities of Active Directory, enabling control of user management, policies and access, and integrates with over 30 identity and infrastructure platforms. I was impressed with their demonstrations at the show and their innovative offering is worth a look.
Virtualisation poses a Unique Threat
In cloud computing, a program called a hypervisor allows multiple operating systems to share access to the same hardware resources. In essence the hypervisor controls access to these resources amongst the different operating systems. Whilst each operating system running on top of it (the guest OS) believes it has full access at all times to the resources it requires, behind the scenes the hypervisor is carefully managing access to the host’s (cloud-hosted) processor and memory resources, so that each guest operating system gets the resources it requires at that moment in time without disrupting the other guest systems. It is partly this principle of better resource utilisation (along with economies of scale) that makes cloud computing cost effective.
One key concern, rarely addressed to date, is that malicious code could infect one customer’s machine and then spread, via the underlying hypervisor, to other customers’ machines. There was a lot of talk around this time last year of a collaboration between NC State University and IBM on a prototype product, HyperSentry, that specifically addressed this threat, but it seems to have gone quiet recently. I hope that IBM, as well as other vendors, look at ways of addressing this unique threat.
Cloud Security Initiatives
I have no doubt that most large organisations have both the legal and technical resources available to carry out an effective due diligence process, should they choose to do so. SMEs, however, don’t have access to such in-house technical and legal resources. What is required to address these issues effectively for organisations of all sizes is a cloud assurance scheme. There are currently two major initiatives in this space:
- STAR – Security Trust & Assurance Registry from the CSA (Cloud Security Alliance)
- CAMM – Common Assurance Maturity Model
In the case of STAR, the CSA has created a free, online repository of documents listing the security controls of cloud computing providers who have gone through a self-assessment. The documents list a series of controls and whether or not the provider has implemented each of them. The CSA is currently urging all cloud providers, large and small, to submit a complete self-assessment for publication.
CAMM is currently in its alpha pilot phase. It aims to provide a framework for assessing the information assurance maturity of a third-party provider or supplier (of which cloud providers are currently a major part), with the resulting assessments published in an open and transparent manner.
Whilst both initiatives are to be welcomed, both need to address the challenges of SME due diligence (given SMEs’ constraints) and the unique threat posed by the hypervisor. A cloud assurance model that effectively addresses these issues is definitely needed by the industry.