Cloud Security: Protecting information in the cloud

August 5, 2014

Harpreet is an experienced IT consultant with strong strategic, analytic, architectural and leadership skills. He has broad experience in IT management and architecture and has led teams in various projects. He specializes in IT architecture, program governance, IT roadmaps and strategy.

He is a positive, results-driven and innovative individual with proven success in balancing operational synergies and business growth with client satisfaction, offering over 13 years’ experience in management and architecture positions in world-class organisations within the IT industry.

He is presently working as Program Architect for the Department of Attorney General & Justice. He has been involved in the architecture road map for the overall design and is working to establish synergy between various programs to be hosted in a cloud environment.

Harpreet has a passion for IT strategy and architecture, adventure sports and travelling.

He can be contacted on harpreet.bhatia@outlook.com

Earlier this year I wrote about cloud computing and its impact on the IT business model. It is clear that companies are already reaping game-changing benefits by using the cloud to improve time to market or to quickly scale their capacity up or down. I have been actively involved in discussions with various business groups, and most of the organisations have raised issues related to the security aspect of cloud computing and its impact on the decision-making process.

Typically, security is a bolt-on affair, limited to dealing with the inadequacies of a specific technology. That approach is reactive and bottom-up. As companies transition to the cloud, they have the opportunity to adopt a top-down approach in which the security framework is understood, set and supported by management. An effective cloud security program will delegate layers of security to various parties, with cloud providers doing their part as well. This paper discusses some strategies that can prepare an enterprise to mitigate the risks involved in cloud computing.

The 5 main areas of cloud security

In order to gain a better understanding of the security scenario around cloud computing, we need to break the issue into 5 broad areas that can guide an organisation towards mitigating risks involving cloud computing.

Enterprise risk appetite

Legal and regulatory issues get amplified in a cloud environment, and these issues can pertain to the handling of an incident, protecting individual data privacy or collecting evidence. Cloud technology is evolving so fast that legislation and regulations have not been able to keep pace with its development, leading to different and sometimes conflicting obligations in terms of who has to follow the law. It is important, first, to distinguish between data privacy and security. Compliance with data privacy law is a minimum requirement; security is a broader topic that allows an organization to take clear-cut action in accordance with strategic objectives and the importance of the assets that will be at risk.

To figure out whether a risk is worth taking, companies need to classify (and value) their data and make internal policy decisions regarding how to handle each class. Enterprises may decide to retain confidential and regulated data in-house or filter it before passing it through to the cloud.

It has been seen that the security and data privacy laws and regulations that are currently in force were instituted in the pre-cloud era. In order to understand the risk, organisations need to review the internal risk appetite they can afford while sourcing solutions on the cloud. Across the European Economic Area (EEA), data privacy laws prevent data from being accessed or transferred outside the EEA unless certain preconditions are fulfilled. In order for companies to store EEA data in clouds outside of Europe, these conditions must be satisfied by the cloud providers and described in the terms of service. Until global IT, data privacy and information security regulations are updated and harmonized, companies should survey the cloud provider’s security and data privacy controls in the countries where they operate or where their data may reside, and then use a cumulative set of requirements as a baseline.

Whose responsibility is it anyway?

It is crucial to clarify the roles of the data owner, cloud provider and system integrator in delivering legally compliant solutions. From a legal perspective, there is no clear division of responsibility between the cloud provider, an application manager (or system integrator), and the data owner. Unfortunately, many data owners and cloud providers have misperceptions of their responsibilities that hinder the evolution of a secure and compliant cloud solution. The division of responsibility varies by the cloud service model that the organisation chooses or fits into. Some requirements will be in the span of the cloud provider’s control, others in the tenant’s control.

A slew of security and compliance capabilities can be added to a cloud provider’s standard offer. The willingness of the cloud provider to share the risk as a “service provider,” and in turn bear the necessary legal obligations on the part of the data owners, is a key part of the equation. Encryption is one way to obfuscate data, but there are other ways to achieve the same end, including masking the data and making it difficult to reassemble. Given that encryption of data at rest in most cloud solutions usually leads to a loss of possession of the key itself, Google’s obfuscation approach, which keeps even Google from easily reconstructing the data, may be a valid alternative.

The issue of data residency is significant and poses a real hurdle to the adoption of cloud computing. Enterprise users of cloud services are uneasy about the potential for a foreign government to demand access to their data. On the other hand, governments worry about losing the legal ability to oversee data in the cloud and apply their laws to data that is stored outside geographic boundaries. All organizations, multi-nationals in particular, can reduce data privacy risks by creating accountability through robust contractual agreements. The accountable party is then responsible for the data handling and protection, including addressing the important issue of transferring data across legal jurisdictions.

It is your right to demand transparency and accountability

Cloud providers should be transparent and willing to tell customers what they do and which industry standards they follow to meet organisational/client requirements. And they should be accountable and willing to take responsibility for their acts and omissions. If data owners cannot win a reasonable amount of transparency and accountability from cloud providers, they should walk away from the negotiating table. It is not reasonable to expect cloud providers to divulge their trade secrets or compromise the security of their network. However, subject to nondisclosure agreements, when both parties are known entities, there must be sufficient disclosure to allow data owners to make meaningful risk-based judgments about how to handle their data. Lacking transparency, basic risk management methodology forces companies to assume, or at least plan for, the worst-case scenario.

Another angle to this issue is that cloud providers are sometimes also customers. For example, a provider of SaaS (Software as a Service) may contract with another provider for infrastructure. As customers, these providers can lack the visibility into and control over the workings of other providers that would allow them to commit to a specific level of service. A combination of security reviews across the physical infrastructure, cloud management software and the application will provide the complete compliance and situational awareness picture. Companies should approach conversations with cloud providers as they do any other vendor conversations: from the bottom up (people, process and technology) and the top down (risk, compliance, governance). A cloud provider that has a good process will likely have a good product, and it will be your responsibility as the buyer to evaluate the assurance level of a cloud provider’s claims.

As a consumer of cloud services, data owners or system integrators should ask the following questions:

  • How does the provider’s technology work, and which of their people (including subcontractors) have access to customer data?
  • What testing has been completed to verify that service and control processes are functioning as intended and that unanticipated vulnerabilities can be identified?
  • To what extent is security embedded in the cloud solution?
  • Does the cloud provider reserve the right to change its terms and policies at will (this right significantly magnifies data privacy and confidentiality risks)?
  • Do we know how to secure each cloud service provider by incorporating security controls and risk mitigations?
  • Have we accepted, reduced, transferred or mitigated the risks? What processes do we have in place to verify periodically that controls are functioning?

With all these outstanding questions, there needs to be a more effective way forward to achieve accountability. The aim is to improve regulatory applicability and reduce divergence across jurisdictions, while considering the maturity of the overall industry. Minimum regulatory standards are not a solution – they are often not sufficient to reduce complexity, as they do not stop countries from introducing additional provisions.

Identity and Access Management (IAM)

IAM in the cloud matters just as much as outside the cloud: let the good guys in and keep the bad guys out using a proven, flexible identification and authentication process. Companies want one view into users and applications, regardless of whether they reside on the cloud or on premises. Every time a user accesses a cloud resource, a defined interaction should analyse the trust assignments and allow appropriate access. Access control is the first line of defence to protect corporate assets and resources. Access control spans administrative controls (e.g. internal policies, screening of personnel, security awareness training, passwords, software configuration etc.) and physical controls (e.g. protecting individual networks, locks and alarms on exterior doors, security guards).

Logical IAM is one of the fastest moving areas in the cloud ecosystem, and it is expected that identity will become a “service” over the next few years. In other words, identity management tasks (enrolment, provisioning, authentication, authorization, audit, single sign-on, and role management and reporting) will progressively move from an on-premise solution to a SaaS model.

Cloud providers will vary in their level of protection against cyber-risks/attacks. While standardization and large-scale operations help prune out errors and vulnerabilities, the attack surface is larger and the opportunity, motive and methods of criminals are advanced and persistent. Companies with a high degree of data sensitivity should assess the supply chain risk if a component, business process or individual is compromised. Some of the questions to ask include:

  • Is our supply chain geographically and geopolitically resilient to risk?
  • Is the risk spread across an appropriate number of partners?
  • Are our contracts and relationships flexible?
  • Do our service level agreements protect our exposure?
  • Can we predict a supply chain risk event?

Redesign IT security architecture

In the near term, many enterprises will select hybrid clouds as a bridge solution waiting for the industry to mature and data privacy and compliance features to be gradually “designed into” standardized offerings. A hybrid model allows organizations to hedge their bets and keep parts of their system in house while taking advantage of running dedicated processes as cloud services. Public cloud computing vendors have very large financial incentives to provide the data privacy and security controls that companies are requesting in order to move mission-critical applications into shared environments.

Over the next five years, companies and suppliers will grow smarter about where they run applications and how they deal with security management on the cloud. As they do so, they will use the savings to invest in security architectures and innovations that add value to the business. The security architecture implementation will address gaps and could incorporate innovations such as:

  • Apply format-preserving data encryption. If data is going to be processed in the cloud, it usually has to be temporarily decrypted. During this brief period of decryption, the supplier may have the technical ability to access data. By using format-preserving encryption, applications can continue to function even while data is in ciphertext.
  • Limit the information sent to the cloud for processing. If the client’s name is not needed, don’t send it; if zip code suffices, don’t send the whole address.
  • Consider multiple cloud vendors. Processing different subsets of the data in different places might provide additional data privacy in case some information is compromised.
  • Apply encryption and/or tokenization at a proxy server, potentially using a private network or a trusted third party. These vendors create trusted communication paths and data processing centers to help customers address the data security and regulatory concerns of using cloud-hosted applications.
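
The minimisation and proxy-side tokenization points above, sketched as an added example (not code from the original article). It uses a vault-based random token that keeps the field's format, which is a substitute for, not an implementation of, format-preserving encryption; the record, field names and the `TokenVault` helper are assumptions made for illustration.

```python
import secrets

# Constructed sample record; all field names are assumptions.
RECORD = {
    "name": "Jane Citizen",
    "address": "12 Example St, Springfield 2000",
    "zip": "2000",
    "card_number": "4111-1111-1111-1111",
    "purchase_total": 129.95,
}
CLOUD_FIELDS = {"zip", "card_number", "purchase_total"}  # allow-list
TOKENIZE = {"card_number"}  # replaced by tokens before leaving the proxy


class TokenVault:
    """Token <-> value mapping that never leaves the trusted proxy."""

    def __init__(self):
        self._by_value, self._by_token = {}, {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:  # same value always gets the same token
            return self._by_value[value]
        if not any(ch.isdigit() for ch in value):
            raise ValueError("nothing to tokenize: value has no digits")
        while True:
            # Random digits replace digits; length and separators are kept.
            token = "".join(secrets.choice("0123456789") if ch.isdigit() else ch
                            for ch in value)
            if token != value and token not in self._by_token:
                break
        self._by_value[value], self._by_token[token] = token, value
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def prepare_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Drop every field not on the allow-list, tokenize the sensitive ones."""
    return {k: vault.tokenize(v) if k in TOKENIZE else v
            for k, v in record.items() if k in CLOUD_FIELDS}


def restore_from_cloud(result: dict, vault: TokenVault) -> dict:
    """Swap tokens back for the real values when results return."""
    return {k: vault.detokenize(v) if k in TOKENIZE else v
            for k, v in result.items()}
```

Because the vault mapping stays on the proxy, the cloud provider only ever sees the zip code, the purchase total and a token with the same layout as the card number.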

Where are we heading to

The fast pace of cloud maturation provides new solutions to old challenges. There are clear benefits to highly elastic, scalable, on-demand computing power and an ecosystem of providers eager to meet the needs of large enterprises. For the most part, there are no barriers to the placement of non-regulated, non-personal data onto a public cloud.

But that does not mean that companies should throw caution to the wind. Data privacy and security implications are amplified when putting regulated personal data onto the cloud. Enterprises have to determine which data and applications make the most sense for the public cloud and which require a different solution, such as a hybrid pass-through of data into the cloud for number-crunching and then back to a private data center for storage.

As with any technological solution, companies need to understand the risks associated with multi-tenancy in the cloud, develop a risk management framework for security and governing data, and then architect solutions to address the risks. Furthermore, companies should help create cloud ecosystems in which they would be comfortable placing their data. Companies considering the cloud should keep these final thoughts in mind as they move forward:

  • Study data privacy laws to ensure that none are violated.
  • Bring the right people (privacy, IT architecture, security, legal and corporate governance etc.) to the table when cloud decisions are being made.
  • Do not allow any ad hoc cloud computing solutions.
  • Read a cloud provider’s terms of service, and cross-check them against your organization’s internal policies.
