Cloud Security Concerns – And What Can I Do About It?
By Jason Hicks, Senior Consultant – Governance, Risk & Compliance | CISSP, HISP, CICP
Cloud computing promises to provide many advantages over the traditional application delivery model currently in use at most organizations. Cloud computing can offer service elasticity, or the ability to rapidly expand and contract available processing capacity. Cloud computing can also make it possible to reduce your yearly outlay for IT hardware and data center-related expenses. Cloud computing provides rapid application deployment and a streamlined development process.
To use an analogy, sunshine in most parts of the country is often followed by rain. While cloud computing promises many advantages, it also comes with its own unique challenges. Your data can be located in a variety of places and geographies. Providers may be reluctant to provide you with sufficient data on their security posture to properly assess the risk of utilizing their services. It’s possible to find yourself in a situation where an incident has occurred and your staff doesn’t have access to the infrastructure necessary to conduct an investigation. You could find your data co-mingled with the data of others on shared hardware.
Rest assured it’s not all doom and gloom ahead. I’m going to focus on some of the security challenges and opportunities posed by the adoption of cloud-based services and applications.
The Challenges
There are significant choices in how an organization deploys cloud-based services. There are multiple architecture choices, for example: Internal Private Cloud, Hosted Private Cloud, Public Cloud and, of course, a Hybrid option. How does one choose the appropriate deployment model? What about the cost? And what impact will the model you choose have on your organization’s security posture?
Another challenge is resources. Most information security organizations are stretched thin as it is, and that’s without the added work of assessing the security risks associated with cloud computing. Some feel as if outsourcing certain business operations is a way to “outsource risk.” This is a dangerous approach, and could not be further from the truth. Sharing sensitive information with third parties does not exclude your organization from the standard obligations associated with data protection. In fact, the sharing of sensitive information with outside organizations increases your risk profile and your obligations. Claiming a lack of resources will not provide a defensible position in the face of a data breach or other information security-related incident.
Your organization has probably spent a significant amount of time debating what applications and services can move to the Cloud and what provider you’re thinking of using. You may already be using cloud-based services or applications such as salesforce.com. As the resident security expert, or as we like to say in healthcare “the jail-able entity,” you’re probably concerned about how all this shared computing infrastructure is going to affect your security posture. If you’re like me, you have probably rained on the parade of quite a few excited application development managers thinking they could save a fortune by moving something filled with sensitive data to the ubiquitous Cloud. I can’t count on both hands the number of times I’ve told folks they can have all the Cloud they want as long as it’s in one of our data centers. And yes, that means some applications will not be deemed cloud-approved, at least outside of your Internal Private Cloud. Alas, times are changing, and the Cloud does pose significant advantages for the right candidate applications. By employing a well-thought-out Cloud Architecture and Cloud Governance model, your organization can take advantage of what cloud computing has to offer while maintaining an acceptable level of security.
What to do
This is a multifaceted challenge that must be addressed systematically and holistically.
Step 1: Assess your current applications to determine what could benefit from a cloud-based delivery model
An assessment of your current applications should be conducted to determine their criticality to business operations and the sensitivity level of the data they store and process. I recommend breaking them into three groups:
1. Applications that process low security data
2. Applications that process medium security data
3. Applications that process high security data
Once you have an idea of the data sensitivity level of each of your applications, you should also pay attention to identifying applications that need to be rolled out rapidly or that face extremes in processing load.
Step 2: Ensure there is a corporate Cloud Strategy and Governance Model in place before rolling out your cloud applications
Before your organization makes the leap into cloud-provided applications, it’s important to lay the proper groundwork. Just as Rome wasn’t built in a day, a well-designed and managed Cloud computing infrastructure requires preparation and planning. Two important documents should be created before your organization starts to deploy cloud-based applications:
Cloud Strategy
This document will lay out your organization’s official approach to cloud-based applications. It should lay out specific criteria to determine what applications or infrastructure will be provided from the Cloud. It’s important that this document is approved at a sufficient level of management to ensure that it will be adhered to. It should also include the proposed architecture your organization will be utilizing. This could include building your own Internal Private Cloud, utilizing existing Public/Private Cloud providers or a hybrid approach.
Laying the ground rules ahead of time will spare you a significant number of headaches during the qualification and deployment phases.
Cloud Governance Model
This document lays out the specific security requirements that are necessary in the various stages of your cloud application rollout. It is important to define the data sensitivity classification that assigns an application to the Private Cloud, to the Internal Private Cloud or to no cloud at all, if such a designation is made. Equally important is codifying the security due diligence requirements for selecting a cloud service provider. This should include an initial assessment and ongoing assessment activities. This document should also establish any service-level agreement requirements or security/performance metrics that will be monitored. Finally, this document should lay out the contractual clauses and legal review process that would be expected before a cloud service provider can be utilized. Enforcing consistent security standards is essential to protecting your sensitive data, corporate reputation and intellectual property.
Step 3: Assess the security posture of your proposed cloud service providers
At this point you’re ready to apply the security due diligence standards you established in your Cloud Governance Model to your proposed or existing cloud service providers. Ideally, this would involve reviewing the last assessment if they are ISO 27001 certified. I recommend developing your own questionnaire that a cloud service provider would be required to fill out before being approved for use and then again at some predetermined interval, such as annually. The Cloud Security Alliance framework would be a good place to pull your controls from. Another would be the Shared Assessments SIG. This gives you a consistent way of measuring the security posture of your cloud service providers. If your contractual agreement allows for more invasive testing, a penetration test of their infrastructure would be another ideal due diligence measure. Often you may find yourself contractually prohibited from performing any in-depth testing. I highly recommend you attempt to get contractual language included that allows for invasive testing. You have your best chance of getting this language inserted before any contracts have been signed. It would also be extremely beneficial if your contract allowed for application penetration testing of your deployed applications.
It’s equally important to consider the physical security posture of your proposed or existing cloud service providers. Your questionnaire should also probe their physical security posture. This should focus on security of their facilities, their disaster recovery and business continuity capabilities and their methods of media disposal/reuse.
If you have special concerns, e.g., you are a healthcare provider or another highly regulated entity, you should include those specific controls in your questionnaire and assessment activities.
Step 4: Establish your contractual relationships and service-level agreements
Once you’ve narrowed your list of cloud service providers based on your security assessment activities, it’s time to get down to the fine print. While most people’s eyes glaze over during the contract negotiation phase, it’s a good time to put on your “junior lawyer” hat. The choices made during this phase can have a profound impact on your organization’s satisfaction with cloud-delivered applications. In addition to all of the standard things your attorneys are looking for, you want to pay special attention to the following items:
• Nondisclosure of your sensitive information
• Destruction of your information upon contract termination
• Ability to conduct an onsite assessment
• The ability to terminate your contract in the event the provider suffers a breach
• Either the ability for your incident response/forensic investigation resources to be granted access to the cloud service provider’s equipment in the event of an incident or investigation, or a requirement that the cloud service provider have qualified personnel on hand and agree to make them available to conduct incident response activities, forensic investigations and legal holds. This includes access to the logs created by its network devices, servers and other associated equipment.
• The amount of access to the provider’s infrastructure and staff you will receive for security assurance activities. This includes whether they will fill out questionnaires and whether they will share sensitive information like diagrams, policies and procedures. It should also define the amount of testing you will be permitted to undertake. From a testing standpoint, the ideal language would give you the ability to conduct infrastructure and application penetration testing. In practice this will likely be a point of contention between your organization and the cloud service provider. You should insist at the bare minimum that the cloud service provider deliver the results of its own penetration testing activities, and you should expect these activities to be undertaken at least annually if not more frequently. A provider that refuses to conduct or share the results of its own penetration testing while also prohibiting you from conducting penetration testing should be excluded from selection.
• How your data will be stored, backed up and disposed of is another important aspect of your contract negotiations. At a minimum you’re going to want to ensure that any data you consider sensitive is not co-mingled with any other customers’ data. You should also insist that any backup copies of your data are encrypted, so that if they are transferred off-site for storage they cannot be read by any third party that intercepts them.
  - How devices that contain your data are disposed of or reused is also important. You want to ensure that any media containing your data in an unencrypted format is destroyed or degaussed at the provider site before being discarded or returned as a warranty replacement.
  - You should also insist that storage devices containing your data are either securely wiped, if the data was stored in an unencrypted format, or, if your data was stored in an encrypted format, that the provider erase the encryption key and reinitialize the storage.
• Any special agreements that must be executed as part of the deal. For example, if you’re a healthcare provider and you’re planning on storing patient data in a location provided by your cloud service provider, the provider will need to sign a HIPAA business associate agreement as a condition of getting your business.
• Finally, it’s important to capture any service-level agreements you want to have in place. This is also the time to capture any metrics you would like to be provided with in order to quantify the performance of your cloud-provided services.
Step 5: Deploy your shiny new cloud-based applications/services
Now that you’ve established your Cloud Architecture and Cloud Governance models, assessed the security posture of your service provider and braved the contract negotiation process, you’re ready for the fun part: rolling out your applications. Depending on the delivery model you’ve selected, this can involve a lot of interconnected steps and people, which is beyond the scope of this white paper. By laying the groundwork above, you should be spared from any major security surprises during this phase. This will allow your IT applications staff to stay focused on the application deployment and not on last-minute security issues.
Step 6: Perform in-depth infrastructure and application security testing
Now that you have deployed your shiny new applications, you want to make sure your new delivery method has not introduced any security vulnerabilities. The activities in this phase will depend on the provider you selected and the contract provisions you were able to negotiate. You should aim to complete as many of the following as possible:
• Conducting comprehensive application quality assurance testing to ensure expected functionality is delivered
• Load testing to determine whether your new delivery platform can scale to meet your projected demand
• Infrastructure and application penetration testing to determine whether any vulnerabilities exist in your newly deployed application or service
• Ideally, testing the disaster recovery procedure for this application or service. This is not always feasible, and if you’re unable to complete it at the time, it should be included in your annual disaster recovery testing
• Attempting to obtain whatever metrics you have negotiated and ensuring the cloud service provider is able to deliver those metrics in the method you agreed
Step 7: Review your metrics and optimize your application delivery
At this point you’re ready to kick back, relax and watch your new system perform. Now it’s time to ensure that your policies and procedures are updated to reflect your new cloud service delivery method. This is also the time to start reviewing your metrics as specified in your Cloud Governance model. By reviewing your metrics and other application performance data, you will be well-positioned to continue enhancing your newly deployed application to ensure optimal performance. It’s also important to continue your recurring security due diligence activities, whether annually as I recommended or at another interval you feel is sufficient.
Conclusion
Cloud-based services can be a transformative business enabler. Cloud-based services can also be an information security nightmare if not managed correctly.
While I can’t possibly cover every facet of this growing area in this paper, I hope I have provided you with enough information to get the wheels in your head turning. Cloud-based services are the future, and they’re inevitable for a decent subset of your applications and services. It’s important for security team members to continue to be seen as business enablers and not as roadblocks. Equally important, take a risk-based approach to your adoption of cloud computing and ensure that your sensitive information is properly protected. By taking a well-thought-out and balanced approach to cloud computing, you should be able to strike a comfortable posture for your organization.
With this paper, we hope to provide you and your organization with enough information to get you thinking about your cloud security posture and what you can do about it. By following the steps outlined above, you’ll be well on your way to rolling out cloud-based services and still sleeping at night.
For More Information
For more information about FishNet Security products and services, call 888.732.9406 or visit the website at: www.fishnetsecurity.com
About FishNet Security
FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. FishNet Security is committed to information security excellence and has a track record of delivering quality solutions to more than 5,000 clients nationwide.