Cloud Security Fundamentals
Numerous surveys have found CIOs citing "security" as their main concern in adopting cloud computing technology. The Cloud is seen as an environment that is outside of the CIO's control, and from the perspective of accountability and compliance this seems to represent a risk. Security and control go hand-in-hand, and few security-conscious CIOs would be willing to cede control over core business systems until the benefits far outweigh the risks.
To convince organisations that risks have been addressed, cloud vendors need to provide their clients with details of their information security management program. A number of vendors have obtained ISO 27001 certification for their service offerings. Moving forward, this is something that will no doubt become the benchmark for serious Cloud providers. Certification, of course, does not guarantee security, but it at least provides an independent verification that information is governed by an international standard.
Due diligence is key when selecting a provider. Customers should demand transparency and ask tough questions regarding risk management and technical security controls. The vendor must be able to provide assurance that any information will be adequately protected and that technical controls and security processes are subjected to regular testing. The customer should dictate the level of assurance detail provided.
So what is a good starting point for an organisation considering cloud computing solutions? A very concise and plain-speaking document is the Australian Government ASD guide "Cloud Computing Security Considerations". It contains a practical checklist of security considerations to maintain availability and business functionality in the Cloud. http://www.asd.gov.au/infosec/cloudsecurity.htm
For more detailed guidance on implementing the appropriate information security controls, the Cloud Security Alliance website offers much valuable information to assist organisations in making the right decisions. https://cloudsecurityalliance.org/
There are some unique security considerations when it comes to cloud services that are not encountered in an organisation's on-premises operations. The key ones are:
· The problem of multi-tenancy
Multi-tenancy is a term used to describe the shared use of a cloud computing resource by multiple customers. An example of multi-tenancy might be a large database server running multiple secured databases for numerous users, or a virtual machine server running multiple instances of an operating system.
The issue with multi-tenancy in the Cloud is that a customer's instance may be running on the same physical hardware as an attacker. The attacker may be able to compromise shared physical resources or escape the virtual machine to execute arbitrary code on the physical host. Several VM escape vulnerabilities have been identified by security researchers. As more customers take up virtualized Cloud computing services, these technologies will come under increased hacker scrutiny and more vulnerabilities are likely to appear.
· The chain of third parties
Cloud providers tend to work with a number of third parties. A hosted application may be on another cloud provider's hosted infrastructure; however, your service level agreement is with the hosted application provider. In the event of an incident affecting the infrastructure provider that results in loss of access to the application, it may be unclear what each provider's responsibilities and commitments for service recovery are. An organisation needs to identify, with its frontline cloud provider, any potential third parties involved in managing its data, and ensure they answer the same key questions on information security.
· Data security and backup
One of the first questions asked of cloud providers is: where on the global map is my data stored? The more important questions are around responsibilities for data security:
I. Is the provider responsible for data backups?
II. If a contract is terminated, is there a provision for the cloud provider to supply an export of the application data?
III. Does the organisation have the capability to meaningfully use exported data?
IV. Is the provider obliged to report incidents and data breaches to the client?
Often Cloud service level agreements do not have much detail regarding backup arrangements, nor do they specify what would happen in the event of data loss or a security breach. The onus of risk for data security and backup is more than likely pushed back on the customer.
Below is an extract from a cloud provider service level agreement that CQR recently reviewed:
"Customer remains solely and fully responsible for any data, material or other content posted, hosted, stored… using the cloud provider Network or Services. Cloud provider has no responsibility for any data, material or other content created on or accessible using the cloud provider Network or Services"
· The Virtual System Administrator
A company's system administrator has clear responsibilities and functions for controlling user and data access. He or she abides by the company's code of conduct, and their job performance can be reviewed and subject to consequences in relation to negligent actions. When the employee moves on, the HR process kicks in to revoke their access and ensure any privileged account passwords are changed.
In the Cloud, depending on the time of day and/or your location, your services could be administered by one of perhaps three global teams, or by a provider's helpdesk with dozens of privileged users. A request to change a user's access or application rights may be made by email and acted upon by one of these virtual administrators.
The level of risk these virtual administrators pose to the company needs to be understood. It is not unreasonable to request that the cloud service provider supply evidence of how it manages privileged user accounts in your environment and what the processes are to grant and revoke such privileges, given inevitable staff changes.
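One practical way to test the evidence a provider supplies is to reconcile its export of privileged accounts in your environment against your own HR leavers list and change-request references. The script below is an added illustration, not CQR's tooling or any provider's interface; the record layouts, the sample accounts, the departure dates and the change ticket numbers are all constructed assumptions, and a real export would need to be normalised into these records first.

```python
# Added example (not CQR's tooling): reconcile a cloud provider's privileged-
# account export against the customer's staff leavers list, to test whether
# the provider's grant/revoke process actually keeps up with staff changes.
# All record layouts and sample data below are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrivilegedAccount:
    username: str            # account name in the provider's environment
    owner: str               # named person accountable for the account
    granted_on: date         # when privileged access was granted
    ticket: Optional[str]    # change request that authorised the grant, if any


@dataclass(frozen=True)
class Departure:
    owner: str               # person who has left (from the HR leavers list)
    left_on: date


# Constructed sample input: a provider export and an HR leavers list after
# normalisation into the records above.
ACCOUNTS: List[PrivilegedAccount] = [
    PrivilegedAccount("admin-alice", "Alice", date(2013, 1, 10), "CHG-1001"),
    PrivilegedAccount("admin-bob", "Bob", date(2013, 2, 1), None),
    PrivilegedAccount("admin-carol", "Carol", date(2013, 3, 15), "CHG-1042"),
    PrivilegedAccount("helpdesk-dave", "Dave", date(2013, 5, 2), "CHG-1100"),
]
DEPARTURES: List[Departure] = [
    Departure("Bob", date(2013, 4, 1)),
    Departure("Dave", date(2013, 4, 20)),
    Departure("Carol", date(2013, 5, 31)),
]
REVIEW_DATE = date(2013, 6, 1)


def _left_on(departures: List[Departure]) -> Dict[str, date]:
    """Map each departed owner to the date they left."""
    return {d.owner: d.left_on for d in departures}


def stale_accounts(accounts, departures, today, grace_days=1):
    """Accounts still present whose owner left more than grace_days ago.
    The grace period reflects whatever revocation window the contract promises."""
    left = _left_on(departures)
    return sorted(a.username for a in accounts
                  if a.owner in left and (today - left[a.owner]).days > grace_days)


def unauthorised_grants(accounts):
    """Privileged accounts with no change-request reference: no evidence that
    the grant went through an approval process."""
    return sorted(a.username for a in accounts if not a.ticket)


def grants_after_departure(accounts, departures):
    """Accounts granted after their owner had already left: the HR feed was
    not consulted when the privilege was granted."""
    left = _left_on(departures)
    return sorted(a.username for a in accounts
                  if a.owner in left and a.granted_on > left[a.owner])


def run_review(accounts=ACCOUNTS, departures=DEPARTURES, today=REVIEW_DATE):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "stale": stale_accounts(accounts, departures, today),
        "unauthorised": unauthorised_grants(accounts),
        "granted_after_departure": grants_after_departure(accounts, departures),
    }


if __name__ == "__main__":
    for check, names in run_review().items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Each finding maps to one of the questions above: a stale account shows the revocation process is not keeping pace with staff changes, a grant without a ticket shows the approval process is not being followed or not being recorded, and a grant dated after the owner's departure shows the two processes are not connected at all. The grace period should be set to whatever revocation window the provider has committed to in the service level agreement.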
Part 3 following tomorrow...
Greg Starkey
Business Development Manager, Government & Commercial
www.cqr.com