By Azeem Aleem, Practice Lead, RSA Advanced Cyber Defense Services (EMEA)
A thorough risk assessment should be adopted by customers to ensure that the benefits of moving to the cloud outweigh the potential security threats. Techniques like privacy impact assessment (PIA) and ‘Plan, Do, Check, Act’ are recommended to ensure a moderate but comprehensive change for them. Evidence shows that there may be issues with customers meeting their legal obligations when their data are hosted outside of their local jurisdiction. This in turn raises questions about the effectiveness of existing risk governance frameworks. More evaluations should be conducted to assess the true potential and apparent risks in order to protect both customers and Cloud Service Providers (CSP).
Dependence on the cloud for all critical applications should be avoided. The 40-minute network outage of Salesforce.com that left 9,000,000 subscribers without access to their data is a stark reminder of possible cloud over-dependence. The closure of the CSP ‘Coghead’ in 2009 due to economic conditions again raises the question of data resilience and data backup, as it took organisations months to retrieve their data from the company’s servers.
In 2008 Salesforce.com suffered 6 hours of service outage, while Amazon’s S3 and EC2 lost 3 hours. In 2009, Google Gmail went down for 3 hours and approximately 113 million users were affected by the disruption in service. However, many cloud service providers now include a minimum-downtime service clause in their SLAs.
Developing a Holistic Cyber Cloud Strategy
It is recommended to assess the following areas when selecting an appropriate Cloud Service Provider (CSP):
- Communication Route: Communication between the client administrator and the cloud host usually occurs over an open channel, mostly as clear text transmitted over the internet; organisations need to set up a secure channel to prevent Man in the Middle attacks. It is therefore essential for organisations to assess whether the CSP offers encrypted admin access to cloud operating systems and applications. The data encryption level (standard) should be assessed before selecting a particular cloud.
- Effective Security Controls: The CSP must outline how data would be stored and retained; the existing security controls should be highlighted to ensure data integrity and confidentiality. How the CSP stores and segregates its various customers’ data is important, and how a cloud provider handles customer enquiries during a security breach is another area to be looked into. However, over-extension of data transparency can create issues, as it may aid malefactors and insider theft. It is recommended that the reporting channel be agreed and tested before the service commences.
- Audit: The audit facilities need to be thoroughly assessed. In case of a security breach, the organisation needs to ensure that the data required by authorities or IT auditors is easily accessible through the cloud; the issue of data storage in various locations by a CSP should be examined in detail, as organisations do not want to end up in a situation where the provider declines a client’s auditing requests in case of a breach.
- Quality Assessment: Selection of a particular CSP should not be based solely on the cloud provider’s own threat assessment. It is recommended to assess CSP quality prior to selection; third-party validation of the controls and assessment of data security will become increasingly vital. Whether communication channels are periodically tested is an important factor for selection.
- API Security: Confidence in cloud services relies on the security of the application programming interfaces (APIs) that are responsible for safeguarding against unintentional or premeditated attempts to thwart policy. An API is a specific set of rules that enables software to interact with the software environment that is native to the cloud. Third parties often create add-ons to these interfaces to offer additional functionality, which increases organisational risk, as organisations often have to hand over certain credentials to them for the APIs to work correctly. This threat can be alleviated by ensuring that the strongest encryption standards, authentication methods and access controls are implemented.
- Legal Implications: Discussion should be carried out with the CSP about legal obligations in terms of storing data offshore in other countries. While choosing a CSP, the location of the data centres should be kept in mind, as European Union privacy and data regulation prohibits transmission and storage of sensitive personal data outside the EU. Who is liable for a data breach or service outage during an incident involving criminal activity at one of the CSP’s data centres based in countries where data protection laws are less stringent (for example, in Asia Pacific) is one of the important issues to think about before selecting a CSP. While choosing a CSP, organisations should make an effort to enquire whether the provider has attained SAS 70 or ISO 27001 certification.
- Exit Clause: One of the common mistakes organisations make is to ignore the ‘exit clause’ when evaluating SLAs. In the event of a failure of the cloud, the steps for regaining ownership and control of the data need to be spelled out. This is a complicated process in terms of the compatibility of the retrieved data and the client’s capability to process it.
- Vendor Lock-in: This is one of the major concerns identified. There are no standard APIs (application programming interfaces) and each CSP is comfortable with its own customised interface; as a result, data import and data moves become more difficult and businesses find themselves in a lock-in situation. In case of CSP closure (economic conditions being the main cause), business clients can face serious repercussions for data migration. Efforts to develop a consortium of standard APIs such as SOAP or REST to manage cloud services are currently underway by various stakeholders (cloud forum, cloud alliance, etc.).
- HR Issues: Migration to the cloud will also bring new HR issues of appropriate corporate training; the remote processing of business applications will bring new challenges in enforcing corporate standards and procedures.
Following are the questions to ask before signing the service level agreement (SLA):
Cloud computing has the potential to be a modern-day disruptive force in technology circles. The hype that comes with it is unavoidable at this stage, but it has captured the hearts and minds of technology gurus and everyday computer users alike. The impact of cloud services is expected to drive IT industry growth for the next 25 years.
There is always a security risk when deciding to move to a cloud platform; however, in the current economic conditions an organisation faces the much broader risk of business failure by ignoring the call for cloud migration. The substantial benefit of cloud migration is pushing the industry to assess security concerns as a business requirement rather than a risk.
It is important to note, however, that the security issues associated with cloud computing are intensified by cloud computing but not explicitly caused by it. It is important to understand that security concerns are well founded in a cloud environment due to increasing organised cyber crime activity. Any move to the cloud will bring new challenges in terms of the security of data and third-party applications. However, many organisations are in a better security position on the cloud than on their internal networks.
The above blog abstract is from my recently published article on cloud computing. For more elaborate insight into the threat experience by 200 IT professionals, access the following link
RSA Virtualization and Private Cloud Security Service
For more information on what RSA offers on Cloud security please follow the link
Azeem Aleem is a Practice Lead for the Advanced Cyber Defense Services Practice – EMEA. In this capacity Azeem is responsible for overall professional services engagement for Global Incident Response/Discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and proactive computer network defense. Azeem has made frequent appearances on regional television and radio programs as an expert on cyber threats. He possesses over 10 years of combined experience in developing technical staff and programs in e-crime investigations, Incident Response, Advanced Persistent Threat (APT) defense, Cyber Threat Intelligence, operations and projects.