Posted by Robbie Forkish on Fri, Oct 30, 2009
A new white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, has just been published by ISACA. The paper provides a short overview of cloud service models and deployment models, and lists the well-known business benefits of cloud computing -- with cost savings at the head of the list. Ease of deployment, high availability, scalability, efficiency and resiliency round out the list of cloud computing benefits.
But what's interesting to IT and security professionals are the risks and security concerns associated with cloud computing. To those following the literature and debates on cloud security, the concerns listed in the white paper are familiar: what is the reputation, history and sustainability of the cloud service provider (CSP); where does data reside, and does it matter if that question can't be answered precisely; how well is information protected; who can have access to sensitive or confidential information; and can sensitive information be located in the event of a disaster. Many of these issues can, at a minimum, be addressed in contractual service level agreements (SLAs), but writing tight SLAs is not the same as mitigating risk.
The ISACA white paper is relatively brief and high-level. Many other information resources exist that delve into great detail on CSP exposures and vulnerabilities, both real and imagined. But additional detail and technical depth isn't necessarily what organizations need to determine whether cloud benefits outweigh the risks for their situation. Specifically, they need to assess the risk related to their sensitive data that would be operated on or stored in the cloud.
Every organization should -- and many organizations do -- have a data classification strategy in place. COBIT 4.1, for example, mandates that organizations should "Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data... It is used as the basis for applying controls such as access controls, archiving or encryption" (section PO2.3). The following classification guide, from the State of New York's CSCIC, is a good example of an approach for classifying data based on risk levels with regard to data confidentiality, integrity and availability:
Here is another approach, then, to dealing with cloud security risks: Limit cloud-based applications to only those that operate on low- or moderate-risk data. Put another way, your organization may decide to reap the economic benefits of cloud-based services -- but only for applications that fall within acceptably low risk profiles.
This evaluation process is already being employed, if only implicitly. Tens of thousands of companies have opted for SaaS-based CRM solutions, the most well-known being from Salesforce.com. Customer information, while valuable to the organization, is not so critical that having it stored in the cloud is viewed as an unacceptably high risk.
On the other hand, many companies I've spoken to believe that the risk of storing personal identifying information (PII) or other highly confidential information in the cloud is unacceptably high -- at least at the current level of cloud security maturity.
My company, Cloud Compliance, has a keen interest in this question. We believe that internal user names and logon activity are no more sensitive than CRM data currently being stored in the cloud by so many companies. While we've found many organizations that agree with our risk assessment, there are others who aren't so sure.
Identity and Access Assessment (IdAA) solutions such as that being developed by Cloud Compliance need to upload two data sets to the cloud in order to perform their analytics:
- log records from SSO systems, log management systems or application servers, which show all access activity (log on and log off) and include user IDs and the date/time of access; and
- rights or entitlement information from AD, the applications or an identity management system, which lists which users have entitlements to which applications. (Note that if the entitlement/identity management system holds personal identifying information such as SSN or home address, that information is not included in the data sent to the cloud. Also note that data in transit as well as data at rest is encrypted.)
(Please visit our product page for more information on how our solution works as well as a use case demo.)
This is the relevant risk management question: If you assume that IdAA solutions reduce if not prevent audit findings related to access controls, is it worth the risk to have your user names, login activity and entitlement information stored in the cloud?
Here's another way to look at it: Is your internal entitlement and activity data more or less sensitive than your customer data that's being stored in the cloud by Salesforce.com and other CRM SaaS solutions?
I am very interested in your views. Please leave a comment on the blog, or send me your opinion at rforkish@cloud-compliance.com. I'll report back in a future post on the collective wisdom of the blog readers.
Posted by Robbie Forkish on Tue, Aug 18, 2009
It's 2009, so it must be time to cut expenses. Again. Which means many companies are taking a look at leveraging cloud services in order to save money. Will they have to sacrifice security in order to realize significant cost savings?
There are several valuable resources available for evaluating cloud security. In this post I discuss two, one from Gartner and the other from the Cloud Security Alliance.
In their June 2008 report entitled "Assessing the Security Risks of Cloud Computing", Gartner lists seven specific security issues to investigate:
1. Privileged user access. I would concur with this as the top issue. In theory, once it's sent into the cloud your data could be accessible by admins -- privileged users -- that you have never seen or vetted. What kind of protections can you apply to your data (such as encryption or access control lists)? What kind of screening and background checks are performed for admins? How comprehensive are the site's physical controls? Do they have (and use) video surveillance? Do they employ two-factor authentication, and how many times must an admin be authenticated before he or she has physical access to sensitive areas? Is all access logged? Are admins immediately de-provisioned when they are terminated or simply no longer have a business need for access? And so forth.
2. Regulatory compliance. What kind of compliance, such as SAS-70 Type II certification, has your cloud provider achieved? What kind of support do they provide for your certification requirements, such as PCI DSS and HIPAA?
3. Data location. Some compliance standards require that certain data not leave the current regional/national jurisdiction. Will your cloud provider commit to storing and processing your data within a specified jurisdiction?
4. Data segregation. What, if anything, is done to segregate data at rest? Have encryption schemes been tested by qualified specialists?
5. Recovery. Understand and evaluate your cloud provider's disaster recovery and business continuity strategies. An earthquake or flood that completely devastates your cloud-based applications and data constitutes an unacceptable risk for most enterprises.
6. Investigative support. Access to archived data may be required for litigation support, discovery requests or illegal activity investigation. Make sure your cloud provider can support these requirements.
7. Long-term viability. If your cloud provider goes out of business, you may not have access to critical resources stored in that provider's now-defunct data centers. You should have some assurance that your provider is viable for the long term, or protections in place against an unexpected shutdown.
A more comprehensive resource has been developed by the Cloud Security Alliance, called "Security Guidance for Critical Areas of Focus in Cloud Computing"; you can find it here. The white paper covers many of the same points as Gartner, but with more depth on foundation and architectural issues, as well as additional items to consider including Information Lifecycle Management, Portability and Interoperability, Encryption and Key Management, and Identity and Access Management.
With regard to Identity and Access Management, the Cloud Security Alliance emphasizes the need for a robust federated identity management system that includes user and access lifecycle management as well as audit and compliance capabilities. At Cloud Compliance we couldn't agree more, and note that most IdM systems are rather weak on the audit and compliance front because they lack the ability to perform identity and access assessment. That's the service that Cloud Compliance provides.