Before moving assets to the cloud, CISOs must determine how much security they're willing to contract out, reports Stephen Lawton.
As cloud computing becomes ubiquitous, small and midsize businesses (SMBs) are looking to it as a way of securing their data more efficiently at a potentially lower cost. While service providers tout the cloud as more secure than a corporate data center, experts are not as certain.
At issue is how the company negotiates its security agreement with the cloud provider. Some vendors offering services to consumers or small businesses, such as Amazon Simple Storage Service, write into their user agreement that the provider is not responsible for any data security at all. At the other end are companies such as Carpathia Hosting of Dulles, Va., which provides cloud services to the CIA and the Departments of Defense and Homeland Security. Between these poles are many options.
The question a CISO must address before contracting with a cloud provider is how much security the company is willing to contract for and how much will remain its own responsibility, says Simon Crosby, CTO and co-founder of security start-up Bromium.
There are no standard service-level agreements (SLA) for corporate-level cloud providers, he says. Rather, CISOs need to perform detailed risk analysis plans to determine how much security they need to buy and how much they must do themselves. Then they need to determine if their provider of choice is willing and able to offer the required security precautions as part of the SLA.
Generally speaking, Crosby says, commercial providers that cater to companies that have regulatory requirements – such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA) or the Sarbanes–Oxley Act of 2002 (SOX) – will have some security built into their offerings. While selecting such a provider will not guarantee a company will have more secure offerings, these sources generally offer a higher level and better quality of surety than an SMB might be able to, Crosby says.
Also, for a small company, a designated security person can be a significant expense, he says. For a provider, that cost is already factored in.
Often, providers will contract with hardware security vendors to have specific products protecting their cloud infrastructure, Crosby adds. CISOs need to ask about which products are being used in order to determine if they meet the company's risk profile. Providers generally do not allow clients to put their own security devices in front of the cloud infrastructure unless the client has dedicated servers at the hosting location.
Cloud security is inherently no better or worse than what is in place at corporate data centers, says Anders Westby, a senior manager for Logic20/20, an IT consultancy in Seattle. The bottom line is the same regardless of where information is physically housed: assets must be defended, hardware and software protection needs to be in place, best practices for data assurance need to be employed and risk must be mitigated. How that is done, whether by a corporate IT department or a service provider, will depend on the level of expertise of the staff and the amount of money a company is willing to spend on protection based on its risk assessment.
“If you use best practices to secure applications, it doesn't matter where the applications are based,” Westby says. “If you don't follow best practices, [your data] will be just as vulnerable locally as in the cloud.”
It is easy enough to look up a company's corporate address and make educated guesses as to whether or not servers will be on site, Westby says. Often, and particularly for SMBs, the corporate office is where the data center will be housed. For large companies in general, and cloud providers in particular, a corporate office address is no guarantee that it is the location of the data center. Physical access to the data center could be a major vulnerability, he says, so data repositories are generally housed in facilities where greater layers of protection are applied.