Role of Security in Cloud
Businesses around the world are evolving rapidly and Cloud gives a unique opportunity to run successful business models that are scalable enough to attract global customers. There are several business drivers that can be effectively realized by adopting the suitable Cloud delivery options (Private, Public, Hybrid and Community Cloud) and service offerings such as SaaS, PaaS, IaaS etc.
Key Barriers that limit the use of Cloud
• Information security concerns
• Regulatory compliance concerns
• Configurability / level of customization / multi-tenancy and its impact on organization's Intellectual property and its confidentiality
• Quality of support provided by cloud providers
• Single points of failure may lead to costly high-availability solutions
• Vendor lock-in
The issues below are major concerns for cloud adoption and contribute to the barriers discussed above. Security professionals have an important role in ensuring these concerns are systematically addressed so that the barriers can be overcome.
• Weak identity and access management
• Inadequate data privacy policies and controls
• Inadequate data loss / data protection controls
• Lack of secure applications
• Lack of portability and interoperability
• Inefficient incident response, communication and remediation processes
• Non-compliance with unique regulatory requirements such as PCI, HIPAA, SOX etc.
• Poor and unmanaged contacts and authority maintenance
• Insufficient logs and audit trails (Independent/Third-party audits)
Legal or Contractual Issues
• Inability to handle loss of confidential and sensitive data, loss of intellectual property, identity theft etc.
• Inadequate and unmanaged Non-disclosure and third-party agreements
• Lack of business continuity plans, rehearsals and documentation
• Lack of data recovery plans, rehearsals and documentation
• Costly disaster recovery solutions and options
• Lack of clarity around vendor-managed assets, leading to asset availability issues
Role of a Security Professional
Given the drastic improvements in security tools, processes and procedures, the increasing awareness of security capabilities within board rooms, and the dire business need to be cost effective and competitive, it is becoming easier for security professionals to address the barriers and concerns mentioned above by effectively adopting the techniques below.
A. Understand and focus on the key business-specific (management) questions, such as:
• Will application run better in the cloud?
• How to manage the cloud/integrate with the cloud?
• Does cloud hardware matter?
• How easily can one switch cloud providers?
• How does licensing work?
• How will IP be protected?
• How to meet regulatory requirements of the land?
• Are there service levels on performance or just availability?
• Will it really save money?
• How to get data back in the event of a disaster?
• Are there any standards in the cloud?
B. Ensure the right and adequate security controls are implemented to address the business-specific concerns / questions above, irrespective of the CLOUD delivery model or service adopted.
• SaaS: Security controls have to be negotiated into contracts
  • Ensure responsibility for security controls rests with the provider
  • Ensure the application has a high level of built-in, integrated security
• PaaS: Offers a balance; the provider has to secure the platform
  • Ensure application security is the responsibility of the consumer
• IaaS: Responsibility for security is with the consumer
  • Ensure the provider has little control over the OS, application or data
C. Ensure organizational security requirements are spelled out and security ownership is identified in the Master Service Agreements with vendors and third parties involved in implementing the CLOUD solution.
D. Ensure all risks are identified and appropriate risk treatment is in place, including the transfer of risks through proper and adequate insurance and third-party agreements.
E. Ensure Cloud solutions and implementations are thoroughly reviewed and tested prior to go-live.
Key checklist of security measures
Security and Privacy
• Data encryption at rest and in transit
• Data protection from unauthorized access
• Data disposal methods
• Administrative Physical/Logical controls
• Prevention techniques and methods
• Protections and security controls in place
• Assurance procedures, scanning tools etc.
• Rights and abilities to verify the security measures
Reporting obligations: Compliance, Legal or Contractual
• Segregation of client information - confidentiality
• Compliance standards (ISO 27001 / SSAE 16 / PCI DSS etc.)
• Country specific data storage restrictions
• Documentation for HIPAA, Sarbanes-Oxley Act etc.
• Internal controls, procedures and audits
Finally, remember that the key ROLE of a Security Professional is to see that:
• Providers must ensure that the infrastructure is secure and their clients' data and applications are protected.
• Consumers must ensure that the provider has taken the proper security measures to protect sensitive information.