Thursday 16 January 2014

Securing Cloud Services Part 2

Cloud Security Fundamentals

Numerous surveys have found CIOs citing “security” as their main concern in adopting cloud computing technology. The Cloud is seen as an environment that is outside of the CIOs control, and from the perspective of accountability and compliance this seems to represent a risk. Security and control go hand-in-hand, and few security-conscious CIOs would be willing to cede control over core business systems until the benefits far outweigh the risks.

To convince organisations that risks have been addressed cloud vendors need to provide to their clients details on their information security management program. A number of vendors have obtained ISO27001certification for their service offerings. Moving forward this is something that will no doubt become the benchmark for serious Cloud providers. Certification, of course, does not guarantee security but at least provides an independent verification that information is governed by an international standard.

Due diligence is the key for selecting a provider. Customers should demand transparency and ask tough questions regarding risk management and technical security controls. The vendor must be able to provide assurance that any information will be adequately protected and that technical controls and security processes are subjected to regular testing. The customer should dictate the level of assurance detail provided.

So what is a good starting point for an organisation considering cloud computing solutions?  A   very concise and plain speaking document is the Australian Government ASD guide “Cloud Computing Security Considerations”. It contains a practical checklist of security considerations to maintain availability and business functionality in the Cloud. http://www.asd.gov.au/infosec/cloudsecurity.htm

For more detailed guidance and implementing the appropriate information security controls, the Cloud Security Alliance website offers much valuable information to assist organisations make the right decisions. https://cloudsecurityalliance.org/

There are some unique security considerations when it comes to cloud services which are not encountered when compared to an organisation’s on-premises operations. 

The key ones are:
·         The problem of multi-tenancy
Multi-tenancy is a term used to describe the shared use of a cloud computing resource by multiple customers.  An example of multi-tenancy might be a large database server running multiple secured databases for numerous users, or a virtual machine server running multiple instances of an operating system.

The issue with multi-tenancy in the Cloud is that a customer’s instance may be running on the same physical hardware as an attacker.  The attacker may be able to compromise shared physical resources or escape the virtual machine to execute arbitrary code on the physical host. Several VM escape vulnerabilities have been identified by security researchers. As more customers take up virtualized Cloud computing services, these technologies will come under increased hacker scrutiny and more vulnerabilities are likely to appear.

·         The chain of third parties
Cloud providers tend to work with a number of third parties. A hosted application may be on another cloud provider’s hosted infrastructure however your service level agreement is with the hosted application provider.  In the event of an incident affecting the infrastructure provider that results in loss of access to the application it may be unclear as to each provider’s responsibilities and commitments for service recovery. An organisation needs to identify with their frontline cloud provider any potential third parties involved in managing their data and ensure they answer the same key questions on information security.

·         Data security and backup
One of the first questions asked of cloud providers is - where on the global map is my data stored? The more important questions are around responsibilities for data security:

               I.        Is the provider responsible for data backups?

              II.        If a contract is terminated is there a provision for the cloud provider to       supply an export of the application data?

             III.       Does the organisation have the capability to meaningful use exported data?

             IV.       Is the provider obliged to report incidents & data breaches to the client?

Often Cloud service level agreements do not have much detail regarding backup arrangements, nor do they specify what would happen in the event of data loss or a security breach. The onus of risk for data security and backup is more than likely pushed back on the customer.

Below is an extract from a cloud provider service level agreement that CQR recently reviewed:

"Customer remains solely and fully responsible for any data, material or other content posted, hosted, stored… using the cloud provider Network or Services. Cloud provider has no responsibility for any data, material or other content created on or accessible using the cloud provider Network or Services”

·         The Virtual System Administrator
A company’s system administrator has clear responsibilities and functions for controlling user and data access. He or she abides by the company’s code of conduct and their job performance can be reviewed and subject to consequences in relation to negligent actions.  When the employee moves on the HR process kicks in to revoke their access and ensure any privileged account passwords are changed.

In the Cloud depending on the time of day and/or your location your services could be administered by one of perhaps three global teams or a provider’s helpdesk with dozens of privileged users. A request to change a user’s access or application rights may be done by email which is acted upon by one of these virtual administrators.
 
The level of risk these virtual administrators posed to the company needs to be understood. It is not unreasonable to request the cloud service to provide evidence of how they manage privileged user accounts in your environment and what are the processes to grant and revoke such privileges given inevitable staff changes.

Part 3 following tomorrow...

Greg Starkey
Business Development Manager, Government & Commercial
www.cqr.com

No comments:

Post a Comment