High-end computing is now available as a "metered" service of sorts thanks to cloud computing. The costs involved are low, the technology and computing power is the best available at any given time, and all an end-user needs to connect is a low-end computing device (even a smart-phone or a tablet) with reasonably good Internet connectivity.
The cloud has some clear arguments in its favor – cost, agility, scalability, reliability, location independence, and overall performance. However, cloud computing also introduces several information security risks that need special attention. An organization eyeing cloud computing as their next stop should take a long, hard look at the following key issues:
Segregation of Data. Organizations need to ask their cloud service provider precisely how they will offer isolation of their data. How, for instance, will they ensure that data is treated according to its classification? What does the cloud service provider do to ensure that classified data is not handled by a server (or cluster) that processes public requests? Is the data encrypted and, if so, what type of encryption is used for data at rest and in transit?
E-Discovery. When a cloud comes into the picture, organizations will then be faced with identifying where the information is stored, how it is backed up, and how it is secured. The Electronic Discovery (E-Discovery) rules assume that the physical examination of storage devices, media, and just about anything stored electronically is possible. This will change completely with the cloud which will add a whole new dimension to electronically stored information. Organizations need to consider that if they are, at any point, involved in litigation, E-Discovery will be a demanding task.
Data Loss and Leakage. The question organizations need to ask their cloud service provider is: "How will data loss and leakage risks be minimized to acceptable levels?" How, for instance, will they address these risks at the design-level itself? How will they deal with persistent media? What provisions and safeguards do they have for backup, restore, and storage?
Logging and monitoring. When moving to the cloud, organizations need to ask their cloud service provider how logging and monitoring will be performed. Organizations using the cloud will need to take note of the fact that analyzing an ocean of data, available from the heavy and comprehensive logs that clouds can generate, is not an easy task.
Incident Response. Information security incidents at organizations need to be identified, contained, investigated, and even reported in accordance with regulations and mandates. Organizations need to obtain clarity from their cloud service provider on how they will help and support the entire incident response process that was earlier followed when the infrastructure was in-house. How exactly will the cloud service provider help identify the root causes of the incident?
Forensics. Digital forensic investigations that ensue following an information security breach or incident pose another significant challenge. Organizations need to consider how evidence will be preserved and what that evidence will be considering that the cloud does not offer much visibility into it as, say, a normal workstation would. How will evidence be collected from the machine image since there is no longer the luxury of working with the full disk? How will evidence be collected from data resting in the Random Access Memory (RAM) or slack space considering that these areas are no longer well-defined and could be spread across hundreds of machines? How will routing information be collected?
Physical Security. A cloud service provider has physical machines and computing resources located at some physical location on the globe. This is an important aspect to look into for organizations considering moving to the cloud. What kind of a business continuity plan (BCP) and disaster recovery plan (DRP) does the cloud service provider have in place? In the past, this was dealt in-house but now you are relying on a third party for assurance and this needs to be examined.
People and Processes. People are often considered the weakest link in information security. An aspect that cannot be overlooked in the cloud perspective is what is sometimes known as the "human firewall". Organizations would do good to find out more about the people and the processes that work behind the scenes of their cloud service provider. What does the cloud service provider do to test the "human firewall"? What controls are enforced on individuals that have access to the cloud service provider's customer data? In a situation where an employee turns rogue, it could mean serious consequences for all organizations hosted with the cloud service provider because an insider is a serious threat to information security considering he/she has detailed knowledge of internal processes and "knows his/her way around". Another important consideration for organizations eyeing the cloud is to investigate what their cloud service provider does to train its employees in information security. A malicious employee is bad enough, but an unaware employee is not any better.
Legal and Regulatory Concerns. Cloud computing makes it harder for enterprises to be sure they're complying with industry and government regulations. When you evaluate cloud vendors, start by looking for sound practices and strategies for user identity and access management, data protection and incident response. Be aware of new challenges the cloud may add to your IT workload. Track the fast-changing standards landscape. Standards like ISO 27001 are helpful but they're point-in-time. A tool like RM Studio can be used to map requirements to their IT control areas.
Contracts. Organizations might look at stringent contractual and service level agreements with cloud service providers. Regardless of your company's size or status, don't assume your cloud vendor's standard terms and conditions will fit your requirements. Start your due diligence by examining the vendor's contract. These agreements need to incorporate issues like regulatory requirements, third-party service provider oversight, right-to-audit the cloud infrastructure, clear wording on liability, intellectual property, end-of-service considerations and responsibilities, record-keeping requirements, data jurisdiction, and the cloud service provider's compliance with internationally recognized standards.
Testing and Certification. Organizations need to get clarifications from their cloud service provider as to how their offered cloud will be tested for information security vulnerabilities and controls in place on an ongoing basis to ensure that the infrastructure on which the organization's information rests is secure at all times. Certification is key.
The Right Expertise
The advantages of cloud computing are undisputed and surely need to be harnessed. However, the information security issues that have followed cloud computing are serious and need to be carefully considered and addressed by organizations that are looking to take advantage of the cloud.
With the right information security expertise backing an organization's advance into the cloud, there is clearly no stopping the organization's progress into this new world of opportunities. This is where the RM Studio Team can help. The RM Studio Team offers expertise in information security and quality management consulting with services ranging from information security risk management to development of secure telecommunications networks.
Make security a priority. To best understand your potential risk, as well as your benefits, you should bring your security team into the conversation at the earliest possible opportunity. The RM Studio team is here to assist you. With over 50 years of combined experience in information security, network design and quality management, our team of experts is here to help you and your organizations meet your risk management, quality management and compliance needs. We will position your organization to meet the ever changing needs of your unique market and complex security demands like cloud computing.
Post by: Dr. Rey LeClerc Sveinsson
Rey is an information technology audit, compliance, risk management and security expert.