So now that we know the realms of responsibility in each cloud service model, we next need to understand what the fundamental public sector cloud security and privacy issues are, how they manifest, and ultimately how they can be mitigated.
These answers are complex. Even if you’ve only skimmed some of the other chapters in this book, you’ve probably come to appreciate that cloud computing is a combination of technologies (virtualization, service-oriented architecture, Web 2.0, utility computing, grid computing, application service hosting, and so on) that have been leveraged to bring forth what we know as the cloud.
The good thing about this is that we have a solid understanding of many of the security and privacy issues associated with each of these components. The downside is that we don’t necessarily know the ramifications of combining all those things together. And this is one of the fundamental security challenges we currently face with cloud computing.
To help explain and advance the key security risks and privacy issues of the cloud, it’s useful to refer to Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, developed by NIST.
NIST has identified the following privacy and security-related issues that are believed to have long-term significance for cloud computing.
Governance
The agility and speed with which you can pull together cloud services is a real problem when it comes to governance. It is critical that good controls are deployed to ensure these services don’t leave your agency open to legal or regulatory issues or data exposure. A couple of ways of doing this are:
• Develop a flexible risk management program that continually monitors your evolving environment.
• Rely on automation and other tools to monitor, verify and validate data use (how it’s stored, how it’s protected, etc.) against policy.
Securing the Cloud 50

[Figure: eight panels labelled Governance, Compliance, Data Protection, Identity & Access, Trust, Incident Response, Availability, and Architecture & Software Isolation]
Compliance
Compliance is a multifaceted issue that can affect cloud computing in several ways. One of the key compliance issues that the cloud presents is data location (where the data is stored geographically). Because the government often requires that public sector cloud data must reside in the continental U.S., cloud providers who operate globally are rapidly addressing this compliance issue with concerted efforts to ensure that data remains within the country of origin.
Other compliance issues center on federal laws and regulations such as the Federal Information Security Management Act (FISMA), the National Archives and Records Management Act (NARMA), and even the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS).
Figure 4: The Key Security and Privacy Issues of Cloud Computing (as defined by NIST)
e-Discovery requirements are another consideration and require that you look closely at the cloud provider’s ability to preserve, identify, collect, process, analyze and produce all forms of electronic files. It’s conceivable that you may want to augment one cloud service with another. For example, if you are using a cloud-based email system but need a rich, enterprise-class method of e-Discovery across not only email but all other digital assets, it may be best to augment the email provider’s capabilities with an external e-Discovery platform.
Lastly, take a look at the certifications that the cloud provider holds. If they hold ISO 27001 for security controls or SAS 70 Type II audits for physical security, these certifications might be a good indicator that they have more familiarity with standards and compliance than other providers or even your internal IT team.
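The governance and compliance points above (automated validation of how data is stored and protected against policy, and the requirement that public sector data stay in the country of origin) lend themselves to a policy-as-code check. The following is an added example written for this page, not code from the guide or from NIST SP 800-144: the resource inventory is constructed sample data, the region names are placeholders, and the rules (allowed regions, encryption at rest, replication targets) are assumed policy, not any agency’s actual requirements.

```python
"""Policy-as-code audit of a cloud storage inventory for data location and
data protection. Added illustration; inventory, region names and policy
values below are constructed assumptions, not a real provider's or agency's."""
from dataclasses import dataclass

# Assumed policy: primary copies and all replicas must stay in these regions
# (placeholder region names standing in for "continental U.S." locations).
ALLOWED_REGIONS = {"us-east", "us-west", "us-central"}


@dataclass(frozen=True)
class StorageResource:
    name: str
    region: str                      # where the primary copy lives
    encrypted_at_rest: bool
    snapshot_regions: tuple = ()     # where snapshots/replicas are written


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str      # "data-location" or "data-protection"
    detail: str


def check_resource(res: StorageResource) -> list:
    """Evaluate one resource against the assumed policy and return findings."""
    findings = []
    if res.region not in ALLOWED_REGIONS:
        findings.append(Finding(res.name, "data-location",
                                f"primary copy stored in {res.region}"))
    # Snapshots and replicas count as data too; a compliant primary region is
    # not enough if copies leave the allowed set.
    for r in res.snapshot_regions:
        if r not in ALLOWED_REGIONS:
            findings.append(Finding(res.name, "data-location",
                                    f"snapshot replicated to {r}"))
    if not res.encrypted_at_rest:
        findings.append(Finding(res.name, "data-protection",
                                "not encrypted at rest"))
    return findings


def audit(inventory) -> list:
    """Run the check over a whole inventory; an empty list means compliant."""
    return [f for res in inventory for f in check_resource(res)]


# Constructed sample inventory: one compliant resource, one with a replica
# outside the allowed regions, one unencrypted and stored abroad.
SAMPLE_INVENTORY = [
    StorageResource("records-bucket", "us-east", True, ("us-west",)),
    StorageResource("email-archive", "us-east", True, ("eu-west",)),
    StorageResource("analytics-db", "ap-south", False),
]


def sample_findings() -> list:
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.resource}: [{f.rule}] {f.detail}")
```

Run as a script it prints one line per finding; in a real program the inventory would be populated from the provider’s API rather than from literals, and the check would run on a schedule so that drift (a replica added to a new region, encryption switched off) is caught continually rather than at audit time.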
Trust
Trusting and verifying your cloud provider is a must; you can protect yourself in several ways. Areas to pay attention to include verifying the integrity of your provider’s employees, and checking the ToS to verify you maintain data ownership – you don’t want to relinquish control or ownership of any cloud data. Another hidden risk is the use of composite services, meaning a SaaS offering that’s built on top of a PaaS offering. Verification of the supply chain and due diligence across the entire stack or API chain is a must.
Visibility
Because so much of what’s behind the cloud is hidden, you may need to conduct an audit or review past performance and certifications to gain a degree of trust as to what is going on within the infrastructure where your data will reside. It is critical that the cloud provider allow for external audits. Many cloud providers do not allow customers to enter their data centers. In that case, it is important that they have provisions to allow external auditors to access the facilities.
Architecture and Software Isolation
The cloud provides services via an abstraction layer – a web portal. Behind this abstraction layer is a hidden world of complexity that includes firmware, hypervisors, operating systems, virtual machines, user portals, charge back and metering systems, provisioning, orchestration and other essential functions.
Much of this functionality and its supporting software doesn’t typically exist within traditional IT infrastructures. Adding this new functionality and software to the architecture expands what is known as the attack surface, and from a security and privacy perspective it is something that we need to find ways to deal with.
Another area of concern is how the provider handles software isolation: how data is set up and shared across databases and common application platforms, particularly in multi-tenant applications.
Identity and Access Management
The issue here is the extension of an agency’s existing identification and authentication frameworks into the cloud – and currently it’s anything but seamless. Providers are, however, working hard to drive some much-needed enhancement in this area, and finding one that integrates with internal identity controls is critical.
Availability
Is my service up? Can I access it in a reliable manner? Is it meeting my service level requirements? These are all key availability considerations inside and outside the cloud. Make sure you study and run models based on the availability percentages that providers advertise – are they really as good as they sound?
Cloud outages are a hot topic, and they are going to happen, just like data center outages of old. The important point is in how you respond to these outages and whether your disaster recovery (DR) and Continuity of Operations Plan (COOP) plans have the right contingencies built in.
Distributed Denial-of-Service (DDoS) attacks should also be on your radar screen.
Key Terms To Know
Attack Surface
The attack surface in a software environment encompasses all of the software and functionality that are running in the system. Typically, the more software or functionality provided by the service, the greater the attack vectors by which an unauthorized user may attempt to disrupt or gain control over a service.
Software Isolation
Within the context of cloud computing, software isolation is the method by which one user’s code is prevented from negatively impacting another user’s code. In many clouds, the hypervisor and virtualization provide this separation.
Incident Response
Include this in your due diligence so that you know how the provider is going to respond to an incident before one happens. What are their processes, procedures, roles and responsibilities in the event of a critical incident, or even non-critical? How are they going to handle attack verification, analysis, containment, data collection, preservation, remediation, and restoration?
It’s also critical to understand the demarcation of where the cloud provider’s monitoring ends and the subscriber’s begins. So again, who owns which roles and responsibilities? What do they do? What do you do?
At the end of the day, monitoring the health of the service against SLAs is the subscriber’s responsibility. Make sure you are aware of outages and claim credits when you can.
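The availability section above asks you to model the percentages providers advertise, and the incident response section makes the subscriber responsible for tracking outages against the SLA. The block below is an added example for this page, not code from the guide: it turns an advertised availability figure into permitted downtime, shows why a composite service (a SaaS offering built on a PaaS offering, as mentioned under Trust) is less available than any of its layers, and measures a month of constructed outage records against an assumed SLA target and an assumed credit schedule. The outage timestamps, the 99.9% target and the credit tiers are all constructed assumptions, not any provider’s real terms.

```python
"""Availability modelling and SLA tracking. Added example; the outage log,
SLA target and credit schedule are constructed assumptions."""
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60


def annual_downtime_minutes(availability_pct: float) -> float:
    """Downtime per year that an advertised availability figure still permits.
    99.9% sounds high but allows over eight hours of outage a year."""
    return (1 - availability_pct / 100) * MINUTES_PER_YEAR


def composite_availability(*layer_pcts: float) -> float:
    """A service stacked on other services is only up when every layer is up,
    so the layer availabilities multiply and the stack is worse than any one
    layer. Assumes the layers fail independently."""
    result = 1.0
    for pct in layer_pcts:
        result *= pct / 100
    return result * 100


def measured_availability(outages, period_start, period_end) -> float:
    """Availability actually delivered over a period, from (start, end)
    outage records. Outages are assumed not to overlap."""
    total_min = (period_end - period_start).total_seconds() / 60
    down_min = sum((end - start).total_seconds() / 60 for start, end in outages)
    return (1 - down_min / total_min) * 100


# Assumed credit schedule, lowest threshold first:
# below 99.0% -> 25% credit, below 99.9% -> 10% credit.
CREDIT_TIERS = [(99.0, 25), (99.9, 10)]


def service_credit(measured_pct: float, sla_target: float) -> int:
    """Credit percentage claimable for the period under the assumed schedule."""
    if measured_pct >= sla_target:
        return 0
    for threshold, credit in CREDIT_TIERS:
        if measured_pct < threshold:
            return credit
    return 0


# Constructed outage log for April 2024 (two incidents, 90 and 45 minutes).
MONTH_START = datetime(2024, 4, 1)
MONTH_END = datetime(2024, 5, 1)
SAMPLE_OUTAGES = [
    (datetime(2024, 4, 3, 14, 0), datetime(2024, 4, 3, 15, 30)),
    (datetime(2024, 4, 17, 2, 10), datetime(2024, 4, 17, 2, 55)),
]
SLA_TARGET = 99.9  # assumed contractual monthly target


def april_2024_availability() -> float:
    return measured_availability(SAMPLE_OUTAGES, MONTH_START, MONTH_END)


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99):
        print(f"{pct}% advertised -> {annual_downtime_minutes(pct):.1f} min/year allowed")
    print(f"SaaS on PaaS on IaaS, each 99.9%: "
          f"{composite_availability(99.9, 99.9, 99.9):.4f}% for the stack")
    delivered = april_2024_availability()
    print(f"April 2024 delivered {delivered:.4f}% against {SLA_TARGET}% target, "
          f"credit {service_credit(delivered, SLA_TARGET)}%")
```

Two things the numbers make concrete: three chained layers at 99.9% each deliver roughly 99.7% for the stack, which is why the supply chain matters for availability as well as for trust, and 135 minutes of outage in a 30-day month is enough to fall below a 99.9% target, so the subscriber who is not keeping this ledger is leaving credits unclaimed.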
Data Protection
For organizations that are moving sensitive or regulated data into a cloud, it’s important to understand how the cloud provider will regulate access to the data and keep it secure. You’ll also need to know how the provider will sanitize the storage when you terminate the service (both active data sets and snapshots).
Internal Staff (Re)Specialization
By freeing up IT staffing resources, IT teams can concentrate on emerging security threats.
Standards Focus
Standards-based environments are incredibly powerful tools that can deliver services quickly and safely.
Investigation and Forensics
New services and resources available within elastic cloud environments, such as snapshots of breaches, can bring additional resources quickly to bear for investigation and forensic purposes.
Logging
Elastic resources let you quickly scale up storage for logging and log consolidation.
Complementary Cloud Services
Cloud SaaS services are now emerging that are specifically designed to deliver security-related services such as log management, identity management, access control, Environmental Resource Management (ERM), and so on.
Cloud Staff Specialization
Cloud data centers are some of the largest in the world, and it is in their interest to deliver the best service they can. In many cases, their security is better than that of many commercial counterparts, thanks to staff who are fully dedicated to handling and strengthening security.
Platform Strength
Homogeneous platforms drive greater standardization, which brings with it better specialization, hardening and automation from a security perspective.
Resource Availability
The sheer scale and elasticity of cloud services means that many resources can be brought to bear to respond to attacks as well as capture and analyze forensic data.
Backup and Recovery
Properly leveraged, this can provide great benefit because it allows you to maintain multiple versions and snapshots of virtual machines and data.
Data Concentration
By using cloud services we can keep data off local mobile devices such as laptops, and so better protect the government in the event of loss or theft of these devices.