Relying on the service provider to secure your system is all very well but businesses shouldn’t abandon their in-house processes
It seems that the most common and practical approach to cloud computing security is a Reaganite solution – trust, but verify.
How much of the security work falls to you depends on the cloud model. With infrastructure as a service (IaaS), the provider secures the physical hosts and network, but you remain responsible for the operating systems, applications and data you run on them. With platform and software as a service, more of that stack is secured as part of the service, although responsibility for your data, and for who is allowed to reach it, never leaves you.
Which is not to say there’s nothing for you to do.
“I think organisations are right to be concerned about security and the arrangements within a cloud provider,” says Adrian Davis, principal research analyst at the Information Security Forum (ISF). “But I also think they need to look at themselves as well and ask whether they’re cloud-ready.”
The ISF has identified seven deadly sins that a firm needs to tackle to get its own house in order before moving to the cloud.
“The business will want to go to the cloud because of the economics and the flexibility that’s offered,” says Davis, “so if IT and information security stand in the way of that they’re going to get kicked out.”
One of the dangers is abandoning security processes you’ve developed in-house. Larry Ponemon, of research firm Ponemon Institute, explains: “Decisions are being made by people who are not security or compliance experts. You can have secure cloud computing, but someone in the know within the organisation needs to make a decision about what security provisions need to exist in order to make that move. And it seems that a lot of this occurs without the complete knowledge of auditors or security specialists.”
You need to work out how valuable your data is, what can and can’t be moved into the cloud, who owns it, who should be able to access or alter it and which data is subject to what regulatory obligations.
In some cases, a hybrid approach might be most appropriate, where highly sensitive data subject to strict compliance requirements is held in a private cloud while less sensitive workloads go to a public one.
“It’s a matter of trying to understand your risk appetite,” says Raj Samani, EMEA strategy adviser for the Cloud Security Alliance (CSA). “It’s just a series of questions, such as what would be the impact if this particular piece of data was released into the wild?”
A key part of this data governance is data classification. “That’s absolutely critical. And that will then have an impact on the type of cloud provider you use,” says Samani. “There’s no point paying for a five-star gold service when all you’re going to do is put information out there that’s publicly available anyway.”
Assessing the security offered by cloud suppliers isn’t easy, though industry standards provide some help. ISO 27001 defines an information security management system against which a provider can be certified by a third-party auditor, and its companion code of practice, ISO 27002, builds on the OECD’s guidelines on the security of information systems and networks. SAS 70 audit reports are also widely offered, but they attest to the controls a provider chose to describe rather than to any fixed set of security requirements, so the scope of the report matters as much as its existence. And in 2009 the CSA issued its Security Guidance for Critical Areas of Focus in Cloud Computing, which has become something of an informal standard.
But we’re nowhere near a full set of cloud security standards. Ultimately it comes down to how much you trust the cloud supplier.
Products and services are emerging to tackle this issue. RSA’s Cloud Trust Authority (CTA), for example, is a suite of services based primarily on identity management and a compliance profiling service, designed to give firms a basis for trusting that a cloud supplier will keep them compliant.
We’re also seeing the emergence of trust frameworks against which cloud service providers can be measured; the Common Assurance Maturity Model (CAMM) project is one such effort.
Firms also need to examine their own data security practices. Access control and identity management are particularly critical to safe cloud use: the provider may secure the platform, but it is the customer’s accounts, credentials and authorisation rules that decide who can reach the data.
“There’s no magic bullet here, so have a strategy in place,” says Davis. “The best way of doing it from the IT perspective is to say, we know the cloud’s coming, how best can we help the business bring it on board in a reliable and secure manner?”