The cloud is growing and it’s easy to see why. Outsourcing IT systems can save money. And cloud-based offerings for infrastructure, businesses services and applications are on the rise.
But shifting applications and infrastructure to the cloud does not mean an organization abdicates responsibility for the security and integrity of its data. Experts in the field, from vendors and consultants to large companies implementing clouds, have developed checklists to help you evaluate cloud strategies and cloud services providers.
These frameworks are a valuable starting point, experts say. “Why people are concerned about cloud security is not because cloud security is not there. The issue is that it is a black box and they don’t trust it,” says Sreeranga P. Rajan, a director at Fujitsu Labs of America and co-chair of the Cloud Security Alliance Big Data Working Group.
The Cloud Security Alliance (CSA), an industry group formed in 2008 that includes leading providers, hardware and software vendors, and corporations implementing cloud-based systems, has published a number of guides for planning and implementing cloud-based systems. Among the reference tools the group has published are:
- The Cloud Controls Matrix lays out specifics for executives seeking to manage risks and ensure their implementations are secure and comply with both corporate policies and government regulations.
- The Consensus Assessments Initiative Questionnaire includes a detailed list of questions for cloud providers that covers everything from third-party access and data governance to operations and risk management.
- The CSA Security Trust Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, which helps users assess the security of current or prospective cloud providers.
In addition to these resources, most cloud providers post information online about their security and risk management approaches. And earlier this year, the U.S. National Institute of Standards and Technology (NIST) published a set of privacy and security guidelines for public cloud computing.
Managing data security risks for a cloud implementation requires that you understand a vendor’s capabilities and that you delineate roles in the commercial relationship before it begins.
“Half the battle is to clearly define roles and responsibilities upfront,” says Don Gray, chief security strategist with Solutionary, an Omaha-based information security company. Executives must be clear about their needs and inform cloud providers about the nature of their data. In many instances, it may be necessary to comply with government regulations such as HIPAA or EU laws, place security codes on proprietary data, or scrub personally identifiable information from proprietary data.
Experts agree that it’s important to complete a checklist detailing roles and responsibilities before signing up with cloud computing providers. Key questions you should keep in mind when evaluating cloud-based service providers include:
1. What measures are there to safeguard the data if something goes wrong?
The first step is to review service level agreements (SLAs) carefully:
- Ask whether there is a standard SLA contract or whether there is flexibility to include additional guarantees in the contract.
- Determine whether SLAs provide compensation for losses that may occur due to outages or losses experienced within your infrastructure.
- Make sure that SLAs relate to your business requirements.
- Ask whether the cloud provider is insured by a third party for losses.
- Find out whether the cloud provider’s logging and monitoring framework provides sufficient detail to determine what data was compromised and whether the breach was limited to a specific cloud tenant.
Importantly, the hosting company should be able to provide such security measures as data encryption and physical security controls. Ask details about these controls and how the cloud provider secures access. And understand clearly how the provider prevents a single point of failure by using multiple hosting locations and backup procedures to ensure high availability.
Some cloud providers will only assume responsibility if cloud tenants purchase one of the provider’s security packages. Determine your cloud provider’s policy, whether packages offer Web and application security, and which package is appropriate for your application.
“Not all clouds provide the level of security that customers are looking for with big data. Make sure you ask the right questions and understand what the provider can provide,” says Ken Owens, vice president, security and virtualization technology at Savvis, a cloud infrastructure provider.
Survey findings released in July by the computer industry group CompTIA showed that IT department managers are concerned that their business counterparts will buy cloud computing services without consulting them, thus leading to data security problems down the road. Respondents who had yet to implement cloud-based systems said security was the top reason.
2. Who has access to the data?
The Cloud Security Alliance recommends asking whether access to your organization’s data is strictly limited to the minimum number of individuals, and whether the cloud provider uses multi-factor authentication for both cloud staff and your organization’s employees.
It’s also important to determine whether the provider performs background screening procedures prior to hiring staff.
Understanding the issue of access goes beyond the organization’s data. Companies buying cloud services need to be aware of metadata, or data about their data. “They include data collected to meter and charge for consumption of resources, logs and audit trails,” write Wayne Jansen and Timothy Grance, the authors of the NIST report. “Several points to consider clarifying in a service contract are the types of metadata collected by the cloud provider, the protection afforded the metadata, and the organization’s rights over metadata, including ownership, opting out of collection or distribution, and fair use.”
Push for transparency at your cloud provider and get clear answers about how they do things, says Wilco Van Ginkel, co-chair of the CSA Big Data Working Group and a strategist with Verizon Business. He adds: If you are not satisfied with the answers, it is time to step away.
3. How does your data center comply with corporate security policies and government regulations?
It’s essential that data stored and used in the cloud continues to be housed and analyzed in accordance with an organization’s privacy and security policies—and with any relevant government policies.
Currently there is no cloud security compliance standard comparable to the HIPAA healthcare privacy rule, although the CSA has developed a framework. Ask your own financial auditor to verify that the cloud provider is complying with CSA guidelines, says Van Ginkel.
4. What happens in the case of a shared infrastructure when one customer’s data is compromised?
Know where your data will reside, since data can physically move globally across the cloud. It’s a critical issue for companies with overseas locations that must comply with the Safe Harbor Act (European Union Data Protection Directive), which prohibits the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. If you don’t want your data to be in the same physical location as your competition, ask whether the service provider can tag your data with identifiers.
In the event of a breach, tenant data may be subject to subpoena. To address this risk, the CSA recommends asking whether the cloud provider provides sufficient data separation to avoid exposure of uncompromised data owned by other tenants.
5. How is incident response handled and how will it work in conjunction with your company’s procedures?
Determine how the cloud vendor’s security monitor interfaces with your internal monitoring software and procedures. Will your system staff be notified immediately if the vendor’s monitors detect an anomaly?
To minimize risk, the CSA suggests that cloud providers document their security incident response plans, with clearly specified roles and responsibilities in the event of a security incident. The documentation should include information on what incident information the provider shares with cloud computing tenants.
In an otherwise slow-growth information technology forecast, Gartner projects that enterprise spending on public cloud services will increase almost 20 percent this year to $109 billion in 2012 and continue a steady rise for the next four years.
Ongoing Diligence—and an Exit Strategy
Checklists are essential during the planning and implementation phase, but risk management also calls for ongoing vetting of both procedures and installations. “Ensuring systems are secure and risk is managed is challenging in any environment and even more daunting with cloud computing,” write Jansen and Grance in the NIST report. “Audit mechanisms and tools should be in place to determine how data is stored, protected, and used, to validate services, and to verify policy enforcement. A risk management program should also be in place that is flexible enough to deal with the continuously evolving and shifting risk landscape.”
Jansen and Grance also point out that buyers of cloud services need to spell out “any contractual requirements that must be observed upon termination,” including stipulations about data access and data custody changes, and the expunging of data that is no longer intended for the cloud.
When it comes to security, there are no iron-clad guarantees. Organizations looking to the cloud need to understand the risks and manage them. They need to be clear on how the new cloud system will impact their technology environment and all the roles and responsibilities involved in managing both the cloud and any relevant systems back home. But with upfront planning, organizations can move their big data to the cloud to reap its financial and operational benefits with greater peace of mind.
Joe Coyle, chief technology officer, Capgemini North America, recommends that customers do a lot of talking with cloud providers before making a commitment. “Get educated, ask those security questions, quiz them, and have those guarantees up front.”
Paula Jacobs is a Massachusetts-based business and technology writer.