Cloud computing seems to be on the forefront of everyone’s mind. The promise of increased performance and reduced costs is a compelling story. A major challenge is determining if or how cloud computing can be done securely. To that end NIST recently released two useful documents. Cloud security best practices and a definition of cloud computing. It seems everyone has a different meaning when discussing cloud computing, so it’s nice to see NIST taking a stab at defining it.
When discussing cloud security it is important to remember that there is no such thing as perfect security. Not in your data center. Not in the cloud. Managing systems is all about understanding the risks, then making informed decisions. The goal is to maximize usefulness while reducing risk to acceptable levels. Every day we are making trade-offs between security and functionality. Being successful then is a matter of having a process for effective risk management. So how do you achieve that with the cloud?
Preparation – Before you get started, you need to have a plan.
- Understand your data, where it is and its sensitivity.
- Consider security and privacy upfront – attempting to bolt on security later may require substantial changes or even moving to a different provider. It will be complex and more costly. For example what are your obligations for electronic discovery? Can you store data for the required time period? Can you purge data to match policy?
- Evaluate the current controls you have protecting the data. Are they adequate? You will want to make sure your cloud deployment meets and hopefully exceeds them.
- Service Agreements – Non-negotiable service agreements are the norm. This means you will get a standard service agreement and are not likely to modify it to your business. With Amazon EC2 instances costing 1.5 cents an hour, this is a volume business. It will not be easy to negotiate a custom service agreement. Would you ask the McDonald’s cashier to talk to the Maitre’D about the wine list? If you are a small to mid-size firm set your expectations accordingly. Thoroughly review the standard service agreements to make sure the provider meets your requirements.
Understand the Security challenges of the Cloud:
- Complexity – Effective elasticity and scalability is often complex to build. There are more pieces to break and more things to go wrong from a security perspective than a simple server build in your own data center.
- Shared Multi-tenant Environment – you don’t have a dedicated server room that only your team has access to.
- Internet-facing services – when hosting internally you may hide all your services on the internal network and have users VPN in. With the cloud your systems are typically Internet facing.
- Loss of control – You are relying on the service provider for things that your internal IT team was traditionally doing. The controls specified in your internal policies are not directly enforceable by you.
- Increased Client-Side Risk – Shifting to the cloud places your data in the cloud and much of the access is going to be via a web browser.
Security Benefits of the Cloud:
Moving to the cloud has the potential to actually improve security (particularly in the case of small organizations). For example:
- Specialized security expertise of the cloud provider will often exceed that of small in-house teams.
- Homogeneous environment allows solid processes for security updates, monitoring, etc.
- Redundancy/scalability – often multiple data centers and geographic redundancy is built in, or at least an easy addition.
- Backup/recovery – quickly shift to new data centers, quickly spin up new servers. No need to order and build out new physical hardware.
- Centralized data concentration – central storage as opposed to data distributed across mobile workers systems.
Bottom Line – You want to ensure that the provider has security controls in place that meet or exceed those currently implemented in-house. This is dependent on the cloud providers ability to implement security controls to protect your data and provide evidence of the effectiveness of those controls
Here are a few questions to help you determine the cloud providers security posture.
Top Cloud Security Questions to Ask:
- How is customer data protected from insider access by employees at the cloud provider? What background checks, job roles, clearances and access controls are in place?
- Is the cloud provider relying on cloud services from other providers? This raises additional concerns since you are relying on other unknown entities.
- What is the contracted Service Level Agreement(SLA)?
- What is their process for problem reporting, review, and resolution?
- What is their process for information handling, disclosure agreements and procedures?
- What physical and logical access controls are in place?
- What type of network connectivity and filtering is in place?
- What is the process for system configuration and patch management?
- What is the backup and recovery process?
- Are there documented incident reporting, handling, and response processes?
- How is account and resource management protected?
- What independent security assessments have taken place. Are the results available to review?