Given the maturity level of IT outsourcing services, adoption of public cloud computing should just have been a natural transition for businesses eager to leverage its cost savings and benefits. Tellingly, this has not been the case, and security has always been cited as the main reason. For most organizations, there is much trepidation about the risks involved.
In this article, we'll take a high-level view of why organizations should embrace public cloud computing to leverage its benefits, what the key security issues/challenges are, and what actions can be taken as part of a holistic risk assessment framework to address those cloud security challenges.
There is no convincing data available to overwhelmingly back up the widely held perception that public cloud computing is less secure than in-house security solutions. In fact, nightmare data loss incidents from cyber security attacks on household names and Internet giants such as Google, Sony & RSA simply show that in-house security can be subverted by sophisticated attacks, especially where due-diligence security controls are lacking or simply sidestepped. There is still no fix for that age-old weakest link in information security: "the human factor."
While these security breaches may not be directly linked to cloud computing services, the general trend is for intellectual property to be closely guarded by keeping it closer to home. But can public cloud actually be a good option for protecting your intellectual property? Well, given its scalability, flexibility and on-demand properties, "Yes!" is the simple answer to that question.
Federal government agencies such as those of the US and Singapore, and many Asian and European government agencies, have been early cloud computing adopters, facilitating the rapid maturing of public cloud security services and products from service providers. In many instances and selected use cases such as malware, anti-virus and distributed denial of service (DDoS) protection, public cloud security has proven to be more effective and scalable than in-house security solutions. An example is Sony's defence against anonymous LOIC DDoS attacks.
In any case, the insatiable consumption of internet services by end-users is now beginning to drive public cloud usage in the form of media entertainment such as music, films, social media and e-commerce at large.
Organizations can no longer play the waiting game. Not embracing public cloud computing where there is an overwhelming business case for it will be the biggest risk of all. And if you need convincing, just ask Oracle's Larry Ellison, who once thought the cloud was just "a gibberish, insane, idiocy talk". Well, he's decided to join the cloud party too! How sane is that?
No, not every type of corporate data or service belongs in the public cloud, but with a comprehensive risk assessment framework, the risks of public cloud can be managed to acceptable levels in accordance with business risk appetite and the desire for new revenue growth opportunities.
Knowing your cloud computing risks
Each organization is different, with a unique set of security risks depending on its operating environment and industry. These risks must be documented and managed. Public cloud computing also has its own unique risks, not commonly found in traditional IT outsourcing, which arise from the nature of the technology. Below is a non-exhaustive list of public cloud computing risks that organizations need to plan for.
Key security risks/issues ascribed to public cloud computing include the following:
- Unknown use of cloud computing services - Due to the low cost entry barrier, public cloud computing services are often procured and used by business leaders who see them as more agile than their IT department for delivering new products and services to customers. IT service procurement must be adequately controlled to avoid potential data loss through such unmonitored public cloud channels.
- Information security governance - The basic security requirements of confidentiality, integrity and availability are required to protect data throughout its lifecycle. Data must be protected when it is created, stored, processed/used, shared, archived and eventually destroyed. This can be particularly challenging when you have no direct control over a service provider's infrastructure security practices. Choosing the right public cloud service with data encryption, encryption key management and high availability solutions has never been more important.
- Knowing where your data lives - Throughout the data lifecycle, it is paramount to gain assurance from your service provider that your intellectual property information is kept only within the geographic locations / boundaries stipulated in contracts, SLAs and applicable legal / regulatory compliance requirements.
- E-discovery - Shared tenancy of physical hardware in a public cloud means there is a high risk of un-vetted data disclosure to external parties such as government and law enforcement agencies. For example, the Patriot Act means that any data hosted in the USA or hosted by a US registered company could be seized by the authorities during crime investigations without explicit permission given by the data owner. Sensitive data such as personal identifiable information (PCI/DSS) does not belong on public cloud, to avoid falling foul of this issue.
- Vendor lock-in - There is a high level of difficulty in migrating from one provider to another. Many cloud providers have a financial incentive to prevent the portability of their customers' services and data to competitors.
These risks and many others are well documented in resources available from the Cloud Security Alliance (CSA), the European Network and Information Security Agency (ENISA) and the National Institute of Standards and Technology (NIST). They can be used as a starting point to understand cloud computing risks.
With visibility of these security risks, organizations can develop a risk management framework to assess public cloud service providers in a bid to select the appropriate cloud services for the business.
Data security recommendations for adopting public cloud computing
Recommended actions for mitigating security risks when adopting public cloud services:
Develop a cloud computing roadmap plan to include
- A decision making process for adopting cloud services
- Business case and cost considerations
- Identify and establish trust boundaries for your data and gain full understanding of your end-to-end business process dependencies using data flow diagrams and process flow charts
- Cloud usage awareness programme - Your services procurement team and infrastructure personnel must be provided with knowledge and skills to identify cloud services and support such agile infrastructure
- A cloud services register to record your public cloud consumption
- Defining information security policies for Cloud usage
- Classifying your data and knowing if it's fit for cloud hosting based on your risk appetite and business opportunities
- Conducting business impact assessment of confidentiality, integrity and availability loss of data
- Documenting your public cloud security risks
- Enumerating mitigating controls for your cloud security risks (A risk-to-controls mapping exercise is useful to identify potential gaps in your security controls)
- Develop or update your information security contract clauses to address security and operational concerns you have when adopting the cloud. Compensation schedules for SLA failures and rights to conduct IS audits, forensics and incident investigations must be stipulated in service provider contracts
- Conduct security penetration testing of cloud service products and assurance review of cloud service provider security controls to select public cloud services which closely match your information security requirements. Consider using a SAS 70 type II report or similar IS audit reports to identify gaps in security controls implemented by service providers
Organizations must develop an exit strategy to avoid service lock-ins and operational pains if services need to be relocated back in-house or to another service provider.
Data security in the public cloud is a shared responsibility between the data owner and cloud service providers. However, the data owner is solely and fully accountable for data privacy and protection, and faces potentially large financial fines from regulators for control failures. As such, many organizations have already invested in information security risk management and governance tools. These should be leveraged for cloud-based architecture security risks to maximize the return on that investment. What's often required is to identify and comprehend the unique risks which characterize cloud computing and to develop the security controls required to adequately mitigate those risks, while ensuring the controls do not act as roadblocks to the adoption of cloud computing.
There is certainly no reason why organizations shouldn't board the cloud computing supersonic airways, but they shouldn't forget to arm themselves with well-oiled rudder pedals in the form of holistic risk mitigation controls for smoother navigation.
Tajudeen (Taj) Abubakr (CISSP, CISM, CISA, SABSA) is a certified information security manager with broad consulting experience in Security programmes delivery management, cloud computing, enterprise IS governance, risk & compliance (GRC). He is currently employed as Information security specialist for a global financial services organization in the UK.