The level of security required for a cloud-based application or service depends on numerous factors such as:
• Target industry
• Customer expectations
• Sensitivity of data being stored
• Risk tolerance
• Transmission boundaries
The target industry often determines what regulations are in scope. For example, if the cloud services being built are in the health care, government, or financial industries, the level of security required is usually very high. If the cloud services are in the online games or social web industries, the level of security required is likely more moderate. Business-to-business (B2B) services typically require a higher level of security, because most companies consuming cloud services require that all third-party vendors meet a minimum set of security requirements. Consumer-facing services or business-to-consumer (B2C) services usually offer a use-at-your-own-risk service with terms of service that focus on privacy but make very limited promises about security and regulations. For example, Facebook has a terms-of-service agreement that states that the security of your account is your responsibility. Facebook gives you a list of 10 things you agree to if you accept its terms of service.
Customer expectation is an interesting factor when determining how much security and controls to put in place. Sometimes it is the customers’ perception of the cloud that can drive the security requirements. For example, a company may plan on building its solution 100 percent in a public cloud but encounters an important, large client that refuses to have any of its data in the public cloud. If the client is important enough, the company may decide to adopt a hybrid cloud approach in order not to lose this customer even though there might be no reason other than customer preference driving that decision. This is common for both retail and health care customers. In the two start-ups that I worked at, both were deployed 100 percent in the public cloud until we encountered some very profitable and important customers that forced us to run some of our services in a private data center.
The sensitivity of the data within cloud services has a major impact on the security requirements. Social media data such as tweets, photos from photo-sharing applications like Instagram and Pinterest, and Facebook wall messages are all public information. Users agree that this information is public when they accept the terms of service. These social media services do not have the requirement to encrypt the data at rest in the database. Companies processing medical claims, payments, top-secret government information, and biometric data will be subject to regulatory controls that require encryption of data at rest in the database and a higher level of process and controls in the data center.
Risk tolerance can drive security requirements, as well. Some companies may feel that a security breach would be so disruptive to their businesses, create such bad public relations, and damage customer satisfaction so much that they apply the strongest security controls even though the industry and the customers don’t demand it. A start-up or smaller company may be very risk tolerant and rank getting to market quickly at a low cost as a higher priority than investing heavily in security. A larger company may rank strong security controls higher than speed-to-market because of the amount of publicity it would receive if it had a breach and the impact of that publicity on its shareholders and customers.
The maturity of the product often drives security requirements, as well. Building products is an evolutionary process. Often, companies have a product roadmap that balances business features with technical requirements like security, scalability, and so on. Many products don’t need the highest level of security and scalability on day one but will eventually need to add these features over time as the product matures and gains more traction in the marketplace.
Transmission boundaries refer to what endpoints the data travels to and from. A cloud service that is used internally within a company where both endpoints are contained within the company’s virtual private network (VPN) will require much less security than a cloud service that travels outside of the company’s data center over the Internet. Data that crosses international boundaries can be required to address country-specific security requirements. The U.S.-EU Safe Harbor regulation requires U.S. companies to comply with the EU Data Protection Directive controls in order to transfer personal data outside the European Union. As of the writing of this book, U.S. companies self-certify. After the recent NSA scandal, this law could change in the near future and a formal certification may be required.
Once a company considers these factors and determines how much security is required for its cloud service, the next questions to ask are who is going to do the work (build versus buy), how the security requirements will be met, and by when they are needed. For each security requirement there should be an evaluation to determine if there is a solution available in the marketplace or if the requirement should be met by building the solution internally. There are many open source, commercial, and Software as a Service (SaaS)–based security solutions in the marketplace today. Security is a dynamic field, and keeping software current enough to address the most recent security threats and best practices is a daunting task. A best practice is to leverage a combination of open source or commercial products or Security as a Service (SecaaS)–based software to meet requirements such as SSO, federated security, intrusion detection, intrusion prevention, encryption, and more.
AEA Case Study: Determining the Level of Security Required
Acme eAuction’s (AEA) target industry is e-commerce auction and retail. This industry has embraced doing business over the Internet for years and was also an early adopter of cloud computing. Auction sites like eBay and e-commerce sites like Amazon have been selling goods and services in the cloud for years.
Buyers and sellers will not be opposed to using AEA’s services if they are deployed in the cloud. They will, however, expect their personal information, credit card information, and financial transactions to be protected against misuse and theft. Channel partners, affiliate networks, and App Store developers will expect secure access to the platform’s APIs and expect that all data transmitted between the two parties will be over a secure protocol.
To avoid having the entire auction platform fall under the scope of PCI DSS regulations, AEA chose to off-load all credit card business processes to a certified third-party SecaaS solution. The AEA auction platform integrates with this trusted SecaaS solution, which manages the consumers’ credit card transactions and returns a hash-key value to AEA. AEA stores this hashed value in its database and never sees the actual credit card number anywhere on the platform.
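The scope-reduction pattern described above, as an added example that is not code from the book or from AEA: a constructed stand-in for the payment provider hands back only an opaque reference, and the platform side refuses to persist anything that is not that reference or that looks like a card number in free text. The tok_ token format, the Luhn-based detector, and the test card number are assumptions made for this example.

```python
import re
import secrets


# --- Constructed stand-in for the certified SecaaS payment provider ---------
# Card data goes from the checkout page to the provider; the platform only
# ever receives the reference. The "tok_" + 32 hex format is an assumption.
class FakePaymentProvider:
    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # provider-side only, never AEA's DB

    def tokenize(self, pan: str) -> str:
        ref = "tok_" + secrets.token_hex(16)
        self._vault[ref] = pan
        return ref


# --- AEA-side persistence gate ---------------------------------------------
def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_REF_RE = re.compile(r"^tok_[0-9a-f]{32}$")


def contains_pan(text: str) -> bool:
    """True if any Luhn-valid 13-19 digit run appears in the text."""
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def store_payment_record(db: dict, order_id: str, payment_ref: str, note: str = "") -> None:
    """Persist only the provider's reference; reject anything resembling a PAN."""
    if not _REF_RE.fullmatch(payment_ref):
        raise ValueError("payment_ref is not a provider token; card data must not reach this DB")
    if contains_pan(note):
        raise ValueError("refusing to store a card number in a free-text field")
    db[order_id] = {"payment_ref": payment_ref, "note": note}
```

Running the gate over every write path (order notes, support tickets, logs) is what keeps the "never sees the card number" claim true in practice rather than only in the architecture diagram.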
After analyzing the requirements of all of the external partners and customers, AEA realizes that building and maintaining authorization and authentication services for external accounts is a challenging task. Each external party may support a different technology stack and use various protocols for communicating. Instead of building all of the code to support these permutations, AEA chose to select a SecaaS solution to manage the security of all of these endpoints. Another factor for this decision was that AEA has a low tolerance for risk, knowing that a major security breach could create a huge loss of business and expose it to a lot of bad publicity.