Cloud

Embracing the public cloud and keeping your data secure

Conventional wisdom says the public cloud is insecure, and yet in-house security stratagems often go awry in spectacular fashion. Tajudeen Abubakr lays out the basic recommendations for cloud risk management.

Given the maturity level of IT outsourcing services, adoption of public cloud computing should just have been a natural transition for businesses eager to leverage it's cost savings and benefits. This tellingly has not been the case. - Security has always been cited as the main reason. For most organizations, there is much trepidation about the risks involved.

In this article, we'll take a high level view of why organizations should embrace public cloud computing to leverage its benefits, what the key security issues/challenges are and what actions can be taken as part of a holistic risk assessment framework to address those cloud security challenges

There is no convincing data available to overwhelmingly back up the widely held perception that public cloud computing is less secure compared with in-house security solutions. In fact, nightmare data loss incidents from cyber security attacks on household names and Internet giants such as Google, Sony & RSA simply shows that in-house security can be subverted by sophisticated attacks especially where due diligent security controls are lacking or simply sidestepped. There is still no fix for that age old weakest link in information security - "the human factor."

While these security breaches may not actually be directly linked to cloud computing services, there is just the general trend for intellectual property to be closely guarded by keeping them closer to home. But, can public cloud actually be a good option for protecting your intellectual property? Well, given its scalability, flexibility and on-demand properties, Yes! is the simple answer to that question.

Federal government agencies such as US, Singapore, many Asian and European government agencies have been early cloud computing adopters, facilitating the rapid maturity in public cloud security services and products from service providers. In many instances and selective use cases such as malware, anti-virus and distributed denial of service (DDoS) protection, public cloud security have proven to be more effective and scalable compared to in-house security solutions - An example is Sony's defence against anonymous LOIC DDoS attacks.

In any case, the insatiable consumption of internet services by end-users is now beginning to drive public cloud usage in the form of media entertainment such as music, films, social media and e-commerce at large.

Organizations can no longer play the waiting game. Not embracing public cloud computing where there is overwhelming business case for it will be the biggest risk of all. And if you need convincing, just ask Oracle's Larry Ellison who once thought the cloud was just "a gibberish, insane, idiocy talk". Well he's decided to join the cloud party too! How sane is that?

No, not every type of corporate data or services belongs in the public cloud but with a comprehensive risk assessment framework, the risks with public cloud can be managed to acceptable levels in accordance with business risk appetite and desire for opportunities for new revenue growth.

Knowing your cloud computing risks

Each organization is different, with unique set of security risks depending on their operating environment and industry. These risks must be documented and managed. Public cloud computing also has with its own unique risks not commonly found in traditional IT outsourcing but which become manifested due to the nature of the technology. Below is a non exhaustive list of public cloud computing risks that organizations need to plan for.

Key security risks /issues ascribed to public cloud computing include the following

  • Unknown use of cloud computing services - Due to the low cost entry barrier, public cloud computing services are often procured and used by business leaders who see it to be more agile than their IT dept for delivering new products and services to customers. IT Service procurement must be adequately controlled to avoid potential data loss through such unmonitored public cloud channels
  • Information security governance - The basic security requirements of confidentiality, integrity and availability are required to protect data through out its lifecycle. Data must be protected when it's created, stored, processed/used, shared, archived and consequently destroyed. This can be particularly challenging when you have no direct control over a service providers infrastructure security practices. Choosing the right public cloud service with data encryption, encryption key management and high availability solutions have never been more important
  • Knowing where your data lives - Throughout the data lifecycle, It is paramount to gain assurance from your service provider that your intellectual property information is kept only within geographic locations / boundaries stipulated in contracts, SLA and application legal / regulatory compliance requirement
  • E-discovery - Shared tenancy of physical hardware in a public cloud means there is high risk of un-vetted data disclosure to external parties such as government and law enforcement agencies e.g. The Patriot Act means that any data hosted in the USA or hosted by a US registered company could be seized by the authorities during crime investigations without explicit permissions given by the data owner. Sensitive data such as personal identifiable information (PCI/DSS) do not belong on public cloud to avoid falling foul of this issue
  • Vendor lock-in - There is high level of difficult in migrating from one provider to another. Many cloud providers have financial incentive to prevent the portability of their customer's services and data to competitors

These risks and many others are well documented in resources available from Cloud Security Alliance (CSA), European Network and Information Security Agency (ENISA), National Institute of Standards and Technology (NIST). They can be used as starting point to understand cloud computing risks.

With visibility of these security risks, organizations can development a risk management framework to assess public cloud service providers in a bid to select the appropriate cloud services for the business.

Data security recommendations for adopting public cloud computing

Recommended actions for mitigating security risks when adopting public cloud services:

Develop a cloud computing roadmap plan to include
  • A decision making process for adopting cloud services
  • Business case and cost considerations
  • Identify and establish trust boundaries for your data and gain full understanding of your end-to-end business process dependencies using data flow diagrams and process flow charts
  • Cloud usage awareness programme - Your services procurement team and infrastructure personnel must be provided with knowledge and skills to identify cloud services and support such agile infrastructure
  • A cloud services register to record your public cloud consumption
Adopt or develop a risk assessment framework for cloud computing. This includes:
  • Defining information security policies for Cloud usage
  • Classifying your data and knowing if it's fit for cloud hosting based your risk appetite and business opportunities
  • Conducting business impact assessment of confidentiality, integrity and availability loss of data
  • Documenting your public cloud security risks
  • Enumerating mitigating controls for your cloud security risks (A risk-to- controls mapping exercise is useful to identify potential gaps in your security controls)
  • Develop or update your information security contract clauses to address security and operational concerns you have when adopting the cloud. This should include compensation schedules for SLA failures, rights to conduct IS audits, forensics and incidents investigations must be stipulated in service provider contracts
  • Conduct security penetration testing of cloud service products and assurance review of cloud service provider security controls to select public cloud services which closely match your information security requirements. Consider using a SAS 70 type II report or similar IS audit reports to identify gaps in security controls implemented by service providers
Develop a public cloud exit strategy

Organizations must develop an exit strategy to avoid service lock-ins and operational pains if services need to be relocated back in-house or to another service provider

Conclusion

Data security in the public cloud is a shared responsibility between the data owner and cloud service providers. However, the data owner is solely and fully accountable for data privacy and protection. They face potentially large financial fines from regulators for inadequate control failures. As such, many organizations have already invested in information security risk management and governance tools. These should be leveraged for the cloud-based architecture security risks to maximize return on their investment. What's often required is to identify and comprehend unique risks which characterize cloud computing and develop the necessary security controls required to adequately mitigate those risks while ensuring they are not acting as road blockers for adoption of cloud computing.

There is certainly no reason why organizations shouldn't board the cloud computing supersonic airways but they shouldn't forget to arm themselves with a well-oiled rudder pedals in the form of holistic risk mitigation controls for smoother navigation.

About

Tajudeen (Taj) Abubakr (CISSP, CISM, CISA, SABSA) is a certified information security manager with broad consulting experience in Security programmes delivery management, cloud computing, enterprise IS governance, risk & compliance (GRC). He is curre...

8 comments
ScionT
ScionT

Who is going to protect your data from the cloud vendors and their employees? Sure a cloud vendor can tell you that your data is stored in San Diego California, but it might be stored in several locations across the globe and Peggy's basement in Russia. Once you put your data on the internet "cloud, lol" it is no longer you data and there is and never will be a way around this fact.

dogknees
dogknees

You compare cloud security to current security, but miss the point that many peoples data is currently on internal servers that have no internet exposure at all. That is where a lot of us are starting and the proponents need to address this situation. Show us the stats that compare data theft from internal servers and PCs that are not online to data theft from cloud vendors. Similarly, compare cloud uptime and availability to that of private networks. With internal data, it doesn't matter if the internet is unavailable, my server is always there. This is what the cloud vendors/proponents need to address in their comparisons if they want to be honest and accurate.

HAL 9000
HAL 9000

Who owns the Data when the Public Cloud Provider goes Broke or is Bought out? The big issue here is the fact that Private Companies do go broke for a variety of reasons and they are taken over in Hostile Take Over Bids. So who owns and has control of your Data in the event of a Company Going Broke? Can the Receivers Appointed to wind up that Company sell your Data to anyone with the funds to buy it to generate Income for the now closed company? In the event of your Public Cloud Provider going broke can you get your Data Back without the need to pay for it? In addition to the above question in the event of the Public Cloud Provider going broke can you get your Data back in a timely manner or do you have to wait 18 months for the Receiver to sell it back to you? Till those questions can be answered in a manner that makes it worthwhile to use a Public Cloud it's just a [b]Rush to Destruction[/b] adopting the Cloud for your Business. You don't even need to consider Data Security if you can not access your own data or it gets sold to your competition who has launched a Hostile Takeover on you. ;) Col

LocoLobo
LocoLobo

You said Larry Ellison joined the cloud party. Does that mean Oracle is storing their financial and critical data in the "cloud"? Or does that mean they are selling cloud services to others? Which would mean any data Oracle stores in the cloud is actually on their servers. If so is Oracle's data on the same servers they provide as "cloud" servers or really in-house? Your article hasn't convinced me.

wizard57m-cnet
wizard57m-cnet

Your article mentions Sony twice...once as an example of a target of miscreant attack on its in-house server, the other as an example of using the "public cloud" to thwart an attack. Are you saying that had Sony used some cloud for data storage, the attacks could have been sidestepped? Just throwing out a statement such as "In many instances and selective use cases such as malware, anti-virus and distributed denial of service (DDoS) protection, public cloud security have proven to be more effective and scalable compared to in-house security solutions " without ANY facts to back your postition is not acceptable. People once thought the world was flat, and a sailing ship would fall off the edge if it ventured too far. It was also widespread belief that the Earth was the center of the Universe, so much so that anyone that dared to question this were labeled "heretics". However, when confronted with "fact", those who held these beliefs were gradually converted. In my opinion, the world is not flat...and the "cloud" is not inherently "more secure" than in-house data storage!

wizard57m-cnet
wizard57m-cnet

You mentioned the "human factor" playing a role in security breaches. Are you implying that using a "cloud" storage system eliminates this potential threat? If this is your position, a few statistics to back up this statement would be useful. From your summary: "Data security in the public cloud is a shared responsibility between the data owner and cloud service providers. However, the data owner is solely and fully accountable for data privacy and protection." OK, if I as the "owner" of some data being stored on some cloud server somewhere in the "Blue Nowhere" (borrowing a phrase from J Deaver) is held accountable, why not keep the data where I have full control, or at least a semblence thereof? Why would I trust some unknown entity with potentially damaging data, just for the sake of "convenience"? There is no "cloud"! The data IS stored on someone's server, somewhere... storage media are relatively inexpensive at the moment, so why not keep vital data on MY server, as opposed to the throwback technology labeled as "cloud"?

Michael Kassner
Michael Kassner

Gartner is disagreeing with you. You may want to check out their sentiments -- just aired -- at Symposium 2011.

CharlieSpencer
CharlieSpencer

I think all of your questions center around Tajudeen's opening premise. He apparently thinks this sector of the industry is more mature than you and I do. I don't consider a service as mature while the majority of potential customers still have these questions.