I’ve got sunshine, on a cloudy day
Even under the best of circumstances, integrating cloud services and devices into an organization’s technology workflow can be challenging. In all fairness, integrating any new device or appliance into the technology stack requires careful planning, new processes, and often a bit of trial and error before all systems are once again up and running smoothly. With cloud, the added issues of data custodianship, security oversight, and availability and accessibility become necessary points of focus.
During his talk at Cloud Security World 2016, Nicholas Takacs, CTO at the Bethlehem Area School District, presented on “Challenges of Cloud Integration.” The education sector comes with its own set of unique requirements not often faced by other industries. Teachers and professors may not be full-time employees and are more difficult to wrangle in terms of policy enforcement; the very nature of education is open and free, necessitating greater access to sites and information that corporate businesses can more easily lock down; a Forbes contributor recently called the BYOD situation on campuses a “melting pot of devices, applications, social media groups, and technology fads” (though this is quickly becoming a security conundrum in enterprise environments as well); and in terms of personal data, Takacs explained that certain student data is not considered private unless the student’s parents specifically request it, an action that is frequently overlooked. Perhaps the parents don’t fully understand the dangers of leaked PII; perhaps there are already so many forms and permission slips to fill out; perhaps they’re not aware of, or can’t understand, why a young person’s data would be less personal than an older person’s, which is a fine question, indeed.
Nonetheless, Takacs has seen it all and shared his “7 Habits of Highly Effective Clouds,” based on “The 7 Habits of Highly Effective People” or “The Seven Deadly Sins,” depending on your perspective. (N.B. During his talk “seven” did become “eight,” so watch out for an updated version of this talk as cloud evolves and new ideas for securing it are machinated.) According to Takacs, the 7 (a.k.a. 8) habits security practitioners should adopt are:
1. Know Thy Gold Sources
With data in abundance, even in the smallest organization, security pros need to understand the places where the most sensitive and critical data is stored. Those sources, in turn, become most critical—“gold sources”—and authoritative. Finding all of the data stored across systems is a difficult task regardless of on-premises versus hosted, but with cloud, companies don’t have the ability to scan their own systems and see where the data pops up.
Once the “gold sources” for information and data are identified, companies should ensure that data transfer between the sources receives the highest protection, and the security team should tighten local controls, making sure the sources are not altered without both prior notice and a detailed plan for data migration.
2. Thou Shalt Regularly Review Data Flows
The importance of regularly reviewing and understanding how data flows between and within each cloud cannot be overstated. Flow diagrams, says Takacs, are a useful tool for visualizing how data traverses the environment(s). Useful sources and techniques include:
- Data flow modeling
- Data exchange systems (EDI, connectors)
- Network/packet flows
If an unknown flow is identified, challenge that flow, document and share results with the project team and any stakeholders, and, of course, review and update these steps regularly, as data, information, flows, and tools can change rapidly and unexpectedly.
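One way to turn the “challenge unknown flows” step into a repeatable check is to keep the documented flows as an inventory and compare each review’s observed flows against it. The script below is an added example, not code from Takacs’ talk or from the original post; the flow records, the inventory, and the field names (src, dst, service) are constructed sample data chosen for this illustration, standing in for an export from a firewall or cloud flow-log service.

```python
"""Compare observed data flows against the documented flow inventory.

Added example (not from the talk or the original post). All records below
are constructed sample data; the field names src, dst and service are
assumptions for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # originating system (on-prem server or cloud service)
    dst: str      # receiving system
    service: str  # protocol or service name


# Documented (approved) flows: the inventory the project team maintains.
DOCUMENTED_FLOWS = {
    Flow("sis-db", "cloud-lms", "https"),
    Flow("cloud-lms", "sis-db", "https"),
    Flow("hr-system", "payroll-saas", "sftp"),
    Flow("cloud-lms", "backup-saas", "https"),
}

# Constructed sample of observed flows; format per line: "src dst service bytes".
OBSERVED_LOG = """\
sis-db cloud-lms https 120394
hr-system payroll-saas sftp 90211
sis-db analytics-saas https 551200
cloud-lms sis-db https 8832
hr-system payroll-saas sftp 70002
unknown-host sis-db ssh 1290
"""


def parse_observed(log_text):
    """Parse the constructed flow-log lines into (Flow, bytes) pairs."""
    flows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, service, nbytes = line.split()
        flows.append((Flow(src, dst, service), int(nbytes)))
    return flows


def find_unknown_flows(observed, documented):
    """Aggregate bytes per flow and return flows absent from the inventory,
    largest volume first, so the noisiest undocumented flow is reviewed first."""
    totals = {}
    for flow, nbytes in observed:
        totals[flow] = totals.get(flow, 0) + nbytes
    unknown = {f: b for f, b in totals.items() if f not in documented}
    return sorted(unknown.items(), key=lambda kv: kv[1], reverse=True)


def find_stale_documented(observed, documented):
    """Documented flows never observed: candidates to challenge or retire
    from the inventory at the next review."""
    seen = {flow for flow, _ in observed}
    return sorted(documented - seen, key=lambda f: (f.src, f.dst, f.service))


if __name__ == "__main__":
    observed = parse_observed(OBSERVED_LOG)
    for flow, total in find_unknown_flows(observed, DOCUMENTED_FLOWS):
        print(f"UNKNOWN FLOW {flow.src} -> {flow.dst} ({flow.service}), "
              f"{total} bytes: challenge, document, and share with stakeholders")
    for flow in find_stale_documented(observed, DOCUMENTED_FLOWS):
        print(f"DOCUMENTED BUT NOT OBSERVED {flow.src} -> {flow.dst} ({flow.service})")
```

Both directions of drift matter: an observed flow missing from the inventory is the one to challenge, while a documented flow that never appears is a sign the inventory itself has gone stale and needs the regular update the talk calls for.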
3. Thou Shalt Review Service Contracts at Multiple Levels
It’s not enough to have the security team review contracts. It should go without saying, but legal and executive teams, along with any involved technical teams, must be part of contract reviews. Reviewers should be asking about:
- Service Level Agreements (SLAs): what is provided, when, what does the support structure look like?
- Customer data rights: when and how can it be accessed? Does the vendor manipulate encrypted data? Do they even have access?
- Customer rights to on-premises equipment
- Right to visit/audit/penetration test the security of the data
- Liability and responsibility if loss occurs
- Roles and responsibilities for integration with other ISPs
- Termination clauses: what happens with the data when the contract ends or if an agreement must be cancelled?
4. Thou Shalt Not Assume Controls Exist Unless Specifically Described, Contractually Bound, and Tested
When one is good or proficient at his or her job, it’s easy to assume others are too. Just because something should be done doesn’t always mean it is done, or that the person running the project knows to do it. This is especially true of controls, and security teams must not implicitly trust a vendor/provider when it comes to security controls. Cloud consumers should know and outline a base set of controls to be implemented. These should take into consideration legal and compliance requirements as well as standards organizations’ requirements and frameworks. Once the desired set of base controls has been identified, work with the provider to obtain a description of the controls they will put in place, and contractually provision for implementation and enforcement of those controls. A requirement for testing should also be included, along with a schedule. Understand who is responsible for the testing, and if possible, include a provision that allows for customer testing alongside provider testing. While provider tests are a good first step, “trust but verify” absolutely comes into play when cloud services are involved.
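The three conditions in this habit (described, contractually bound, tested) can be encoded so that a control reads as present only when all three hold. The harness below is an added example, not code from the talk or the original post; the baseline control ids, the provider’s declared and contracted control sets, the configuration snapshot, and the 90-day evidence window are all constructed or assumed values for this illustration.

```python
"""Report a provider control as verified only if it is described, contractually
bound, backed by fresh evidence, and passing its test.

Added example (not from the talk or the original post). Control ids, snapshot
fields and the evidence window are assumptions for this illustration.
"""
from datetime import date, timedelta

# Baseline the cloud consumer requires: control id -> test run against a
# configuration snapshot (a dict) obtained from the provider.
BASELINE = {
    "encryption-at-rest": lambda cfg: cfg.get("storage", {}).get("encrypted") is True,
    "mfa-for-admins": lambda cfg: cfg.get("iam", {}).get("admin_mfa_required") is True,
    "audit-logging": lambda cfg: (cfg.get("logging", {}).get("audit_enabled") is True
                                  and cfg.get("logging", {}).get("retention_days", 0) >= 365),
    "backup-restore-tested": lambda cfg: cfg.get("backup", {}).get("last_restore_test") is not None,
}

# Contractual testing schedule: evidence older than this is not accepted (assumed value).
MAX_EVIDENCE_AGE = timedelta(days=90)


def evaluate_controls(baseline, described, contracted, snapshot, today):
    """Return control id -> status string.

    Checks are ordered so the first missing precondition is reported; a
    control that is merely assumed never comes out as 'verified'."""
    evidence_age = today - snapshot["captured"]
    results = {}
    for control, test in baseline.items():
        if control not in described:
            results[control] = "not described by provider"
        elif control not in contracted:
            results[control] = "described but not contractually bound"
        elif evidence_age > MAX_EVIDENCE_AGE:
            results[control] = "contracted but evidence is older than the testing schedule"
        elif not test(snapshot):
            results[control] = "contracted but test failed"
        else:
            results[control] = "verified"
    return results


def unverified(results):
    """Controls that still need follow-up with the provider, sorted by id."""
    return sorted(c for c, s in results.items() if s != "verified")


# Constructed sample inputs standing in for the contract review and a
# configuration export from the provider.
DESCRIBED = {"encryption-at-rest", "mfa-for-admins", "audit-logging"}
CONTRACTED = {"encryption-at-rest", "audit-logging"}
SNAPSHOT = {
    "captured": date(2016, 6, 1),
    "storage": {"encrypted": True},
    "iam": {"admin_mfa_required": True},
    "logging": {"audit_enabled": True, "retention_days": 180},
    "backup": {},
}
TODAY = date(2016, 7, 1)

if __name__ == "__main__":
    for control, status in evaluate_controls(BASELINE, DESCRIBED, CONTRACTED, SNAPSHOT, TODAY).items():
        print(f"{control:24s} {status}")
```

In the sample data, MFA for admins is actually enabled in the snapshot, yet it is still reported as unverified because the contract does not bind the provider to keep it that way; that is the distinction this habit draws between a control that happens to exist and one the consumer can rely on.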
5. Thou Shalt Regularly and Actively Participate in the Audit Process
Internal audit should be a partner to security. Yes, it’s true, and Takacs did both say and write this on his deck during the conference. Security teams often do not see eye to eye with auditors, but in the case of cloud audits, internal auditors can be security’s best friends, helping find problems in the cloud infrastructure, sharing information found during the audit process, and enforcing remediation if/when control issues are found. Two voices are better than one when highlighting problems, and internal audit can be that second set of eyes to determine risk and that extra voice to communicate risk to stakeholders and executives.
External audit (provider audit) should be used as a verification of internal audit’s findings and can assume responsibility for the provider’s controls.
6. Thou Shalt Regularly Engage Users for Testing
Takacs spent quite a bit of time on this point. It is often assumed that users are the biggest weakness, but Takacs wanted to convey that only through testing can companies determine if this is actually the case or if efforts are better spent elsewhere. He suggested that organizations identify key individuals across the user population—in his case, across multiple populations, to account for the different habits and actions common to each—and leverage feedback as a way to improve processes and access. Testing, he said, should be continuous and feed into production cycles.
7. Thou Shalt Not Become Complacent
Complacency is the enemy of empires, or so it’s said. In the case of technology, this is surely true: technology evolves and grows in the blink of an eye, new device types are connected to or built on top of one another, and users’ behaviors morph as all of this comes to pass. We see these changes occurring right before our eyes, so it’s imperative for project teams to adapt quickly to new demands. Takacs offered that cloud integration projects must become part of the company’s strategic technology plan, including operations, cross-training and up-front inclusion of new systems, and regular reviews and updates of security controls (see sections 4, 5, and 6).
I’ve got a sweeter song than the birds in the trees
The “bonus” habit Takacs offered was for security teams to include security principles in all security processes. Once again, on the surface this is a “duh!” moment, but a few attendees of Takacs’ session admitted to not taking this 8th “sin” as seriously as they should. Takacs’ advice?
- Start with clear policy directives
- Application developers should write code based on accepted software security frameworks
- Network engineers should build connectivity and configure devices based on a least-privilege, limited access approach
- Server managers should follow vendor and industry best practices for hardening
- Application APIs and intermediary data transmission systems must enable and provide secure transport mechanisms (not necessarily one-size-fits-all)
- Consider endpoint device security based on specific application use cases
Cloud integration will continue to challenge security since cloud devices/hardware/software are not entirely under the company’s control. But that does not mean seamless integration isn’t possible or that projects are doomed to fail. Be methodical and rigorous in your planning and processes, and cloud integrations can be a breeze.