There are steps security pros can take to achieve greater peace of mind with cloud implementations, reports Alan Earls.
If one went strictly by the numbers, it would seem that there's no looking back for the cloud. According to Gartner, the public cloud services market is forecast to grow 18.5 percent this year, compared to the 4.2 percent rise for worldwide IT spending. But talk to a security professional, and they'll tell you that the cloud model presents real vulnerabilities that require effort and focus to bake in defenses.
According to many cloud and security practitioners, those worries are not inappropriate. While the cloud can be safe and secure, it also opens many vulnerabilities. The key is understanding those weaknesses – the issues one's operations bring and those inherent to the provider – and then assessing how cloud might help or hurt.
David Maman, founder and CTO of GreenSQL, a Tel-Aviv, Israel-based database security solutions provider with North American headquarters in Houston, can be categorized as a naysayer. He says those who imagine that cloud services can inherently provide an extra layer of security are mistaken. “There is almost no way whatsoever to even know [that] your sensitive information leaked when you are using any type of shared cloud services,” he says. In fact, Maman says, cloud services are becoming a new target for cyber criminals because targeting cloud management systems lets them attack multiple customers at the same time.
Although going after cloud services requires more knowledge of networking architecture and operations support systems than might be required for attacking a single company, there is a payoff. “The big threat is that once a specific system is breached, the same security mechanism and configuration is being used by thousands of customers hosted on the same cloud, so each and every customer is now in immediate danger,” says Maman. By the same token, he adds, the cloud provides significant opportunities for fraudsters because it offers a much easier way to hide their activity. Nowadays, most attacks are being initiated from the cloud, he says. Criminals can take control of or buy a virtual private server (VPS) in just a matter of minutes, run a one-time attack and then dispose of it. “This is something that happens on an hourly basis,” Maman says.
Rules to live by
But the outlook isn't completely bleak. As worrisome as the cloud may be, practitioners say it can be made less risky with some relatively simple safeguards. For instance, says Trey Keifer, president and CEO of WireHarbor Security, a Chicago-based provider of IT risk management solutions, two things are critically important in verifying the security of a cloud provider. First, he says, designate a person or team with the responsibility. “Too many companies just integrate it into a part of their IS/IT organization, and it falls by the wayside,” he says. So, having a dedicated supplier risk governance group that is both responsible for the initial verification and then any annual follow-up is key. Second, Keifer says, users should ensure that the provider has undergone an independent third-party technical assessment. “You should not trust their internal security teams or a checklist audit of controls. Make the provider show you a client-facing copy of their reviews,” says Keifer.
He says the “good ones” almost always will have one available, because they get asked for them all the time. And, he recommends avoiding companies that refuse to provide a review because they claim it is confidential information. “This is a smoke screen for poor operational security, or a network that has grown beyond their ability to control,” he says.
Michael Bremmer, CEO of TelecomQuotes.com, an internet and telephone consulting company, offers his own cheat sheet for vetting cloud providers that picks up on Keifer's themes. Specifically, Bremmer recommends inquiring about which certifications one's cloud data center has – SOC I, II or III? SOC III is the best, most comprehensive and most expensive certification, says Bremmer, adding that SAS 70 Type II is acceptable, but is not a true data center certification. “It is a 20-year-old auditing standard that was never designed to be used for data centers,” he says.
In a pinch, this might suffice, but enterprises should not consider placing business data into a co-location facility that doesn't have the latest certifications, Bremmer adds.
It's also necessary to ask whether one's data is duplicated in another data center, Bremmer says. Although this might seem too obvious, he says many companies found out the hard way, in the wake of Hurricane Sandy, that their data wasn't housed in multiple locations. Although Bremmer admits off-site storage “isn't usually free,” compared to the potential cost of data loss it may be a bargain.
Asking how physically secure the facility is represents another step shoppers must take, as this type of protection also matters. “If possible, ask for a tour and use your own eyes,” Bremmer says. “If you cannot have a tour of the facility you're considering putting your data into, that should be a red flag.”
Before a move to the cloud
Taking a somewhat more legalistic approach, Ben Tomhave, principal consultant at LockPath, an Overland Park, Kan.-based governance, risk and compliance software and service provider, suggests five points to consider before and after moving to the cloud.
Assess the risks: It is imperative, says Tomhave, that no cloud services agreement be inked without at least a cursory risk assessment. These should consider financial, legal and operational risks (inclusive of IT/information risk). For example, he says, consider the tradeoffs, the sensitivity of the data and potential regulatory requirements. However, he warns, “Don't overdo it.” Tomhave recommends that potential users ensure they also develop a fast-path risk assessment process that can be completed in hours so that the organization can move ahead when the data is not sensitive, there are no regulatory concerns and there are major potential cost savings from using the cloud. “Employing a tiered-risk assessment process can be useful,” he says.
Contract, contract, contract: Tomhave says it is vital to review terms and conditions through contracts and, if possible, negotiate for wording that best aligns to the required risk management strategy. “Ensure that legal is on board,” he says. “Work with legal to prepare a template of terms, conditions and service-level agreements (SLAs) that you would ideally have included to help expedite the process.” If the provider won't negotiate the contract, then Tomhave says reassess the risks and decide whether to use them. If a go-forward decision is made, then ensure that adequate compensating controls are identified and implemented. “Don't forget to look at breach notification duties, as well as the associated costs with customer notifications, incident response and ensuing clean-up – and make sure your contract doesn't prevent you from meeting your regulatory duties,” he adds.
Monitoring: If the contract has SLAs, then make sure to monitor for compliance, says Tomhave. Additionally, determine what other monitoring capabilities one is granted. “Ensure that as much monitoring and reporting as is needed gets fully and properly integrated with existing monitoring duties,” he says.
Response: Incidents will happen, says Tomhave. So it is important to know what response capabilities can be applied to the service.
“Commercially reasonable, legally defensible”: Tomhave's mantra is designed to ensure that “commercially reasonable” security measures are in place. This phrase represents an evolving duty of care, but it must be evaluated, demonstrated and documented, he says. Similarly, he says one should make sure that the entire analysis process is documented, with specific notes on the final decisions about managing key risk factors. Then, he says, consider a potential worst-case legal scenario where a breach occurs and key stakeholders file a lawsuit. “Have you done enough to proactively defend yourself, demonstrating that a reasonable risk analysis and decision process were followed?” he asks.
Finally, Andy Maier, senior product manager of Savvisdirect, a Monroe, La.-based provider of cloud services, says most companies already have a number of security risks based on the choices they've made or avoided in their current IT configuration. Moving to the cloud is not inherently less secure for companies, especially those that don't already have significant IT resources. “Many businesses are subject to very specific security requirements based on their industry,” he says. “Complying with these requirements can include auditing and certification of implementations by third-party agencies.” Still, resting one's hat and reputation on a stack of certification documents won't guarantee job security, customer confidence or security, Maier warns.
Instead, Maier offers a range of suggestions, including figuring out what data needs to be encrypted in the cloud that isn't already. Also, he says, it is wise to determine if existing monitoring solutions can be integrated with the cloud. That should include not only intrusion detection and prevention technologies but application performance monitoring to help assure business continuity.
And, he adds, be sure to find out what kind of mitigation help a provider offers. Does the cloud vendor have a DDoS prevention solution, for example? “Information security alone shouldn't be the only concern,” says Maier. “If you take all the steps of the best security experts, but implement a brittle deployment, lost transactions and customer records could still result in the ruin of your business.”