Information Security and Public Cloud Computing

If you asked a group of ten or more IT practitioners or business people what cloud computing is, they would probably give ten different answers. Each would have an answer consistent with his own specific perceptions.

Public cloud computing is a term that has been around for only a few years and refers to the use of information technology services, infrastructure, and resources that are provided on a subscription basis. Public cloud computing is a Web-accessed business solution where much or all of the entire computing infrastructure is contained remotely from the actual contracting business site and is managed by a third party.

Many companies rely upon public cloud computing for their business operations, both critical and otherwise. As we look at information security and public cloud computing, we are looking at a relatively new set of risks that need to be addressed to properly protect a business against unforeseen attacks and events.

There seem to be three major threats faced by cloud users which have been well documented in the press: data breaches, data loss, and loss of service. A few recent adverse events include:

• Carbonite lost customers’ backups in 2009 that could not be recovered
• Evernote lost about 6000 customers’ data in 2010
• Amazon had three major outages where some customer data was unrecoverable
• Honda had a data breach in 2010
• Sony had customer information breached in 2011 from its cloud infrastructure

Before addressing information security concerns, consider the various popular forms of public cloud computing available to businesses. There are three basic types of cloud computing:

• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)

Software as a service (SaaS) involves renting software from the service provider rather than buying individual software packages for your business. The software is hosted on network servers which are made available to users over the web or internet. This service provides software on demand and is currently the most popular type of public cloud computing because of its flexibility, ability to be scaled, and because maintenance is provided by the service provider as part of the cost. There are many CRM, ERM, and unique applications that are all provided as SaaS services. With web-based services, all employees need to do is register and login to the cloud. The service provider hosts both the application and the data, so the business user is capable of utilizing the service from anywhere on the globe. With SaaS, the service provider is responsible for all issues dealing with capacity, upgrades, security, and service availability.

Platform as a service (PaaS) offers a computing and/or database platform for your business’ developers. The business users develop their own code and the service provider uploads that code, then allows access to it on the web. The PaaS provider offers services to develop, test, deploy, host, and maintain applications on their development environment. The service providers also offer various levels of support for the creation of applications. The PaaS provider will manage upgrades, patches, and system maintenance.

Infrastructure as a service (IaaS) is when a provider delivers the computing infrastructure as a fully outsourced service. The user can purchase various components of the infrastructure according to their requirements (on demand). IaaS operates on a “pay as you go” model, ensuring that the users pay for only what they have contracted for – such as network, computing platforms, rack space, and/or environmental (HVAC and power). Virtualization has enabled IaaS vendors to offer high volumes of servers to customers at a very attractive cost. IaaS users purchase access to enterprise grade IT infrastructure and resources, and personnel to keep the infrastructure running. No application or monitoring of databases or data is provided by the hosting vendor above the OS level, unless contracted at an additional cost.

The caveat emptor of “cloud service” offerings

In the cloud, the services are being provided by third-parties and accessed by businesses via the internet. The resources are accessed as a service on a subscription basis. The users of the services being offered most often have very little knowledge of the technology being used, the security being deployed, the availability of the service being offered, or the operating best practices (monitoring, patching, maintenance, customer data separation, etc.) utilized by the service provider. The business subscribers also have little or no control over the infrastructure that supports the technology or service they are using.

Taking control

Under the standard of “due care” and charged with the ultimate responsibility for meeting business information technology objectives or mission requirements, senior management must ensure that the services they contract, which include these cloud service solutions, are appropriate to meet all of the business requirements, including such areas as legal, technical, financial, and operational.

This information security due diligence comes only through a thorough vetting of the cloud service provider in several areas. Some of the more important ones are below:

LEGAL AND REGULATORY

• Will the service provider meet any of your data breach notification requirements? (Remember even though they are hosting, you are responsible for the data under your protection, i.e., PHI, PII, etc.)
• Will the provider meet data retention requirements of the business?
• Will the provider meet the standards for data encryption and protection you require?
• Are “Safe Harbor” needs met?
• Are data destruction or return on end of contract well defined to meet your business requirements?
• What is their incident management program?
• Are they prepared to react in a timely fashion in case of any eDiscovery needs of data they store for you?

SECURITY

• Do they have a current SSAE 16 Type II audit findings report free of any significant deviations or findings?
• Do they have adequate security policies in effect?
• Do they have a SIEM monitoring activity in place to constantly detect potential intrusions?
• Are there clear notification and escalation procedures in case of a security breach or attack?
• Is your business’ data separated from other businesses contracting with the cloud vendor?
• Are the cloud providers, administrators and systems people trained in information security (certified)?
• Are there clear escalation procedures in case of a security breach or attack?

SERVICE AVAILABILITY

• Are the facilities housing the service provider adequately secured (video surveillance, access control, etc.)?
• Are the RPOs and RTOs consistent with the business’ requirements?
• How often are backups taken, are they maintained off-site, and have backups and restores been tested to your satisfaction?
• Are standard backup methods and media used just in case the business needs to bring data back in-house?
• Are maintenance and maintenance windows satisfactory according to your operational needs?
• What types of technical security do they employ (i.e., firewalls, virus protection, intrusion detection devices, etc.)?
• Are their hours of operation coincident with yours?
• If you are a global company do they provide multilingual support?
• Are there clear escalation procedures in case of an incident?
• Does the vendor provide global diversity so if one site goes down another can be used in its place?

OPERATIONAL

• Have they corrected any areas of concern to your business?
• What capacity planning do they have in place to meet the growing needs of your business?
• What standards of practice do they adhere to (i.e., ISO 27001, BS25999, etc.)?
• Do they have a patch management program in place and what is it? Does it meet your requirements?
• Do their SlAs meet your business and operational requirements?

Summary

I have developed a hosting questionnaire which I require each cloud service vendor to complete to the satisfaction of my client, and I recommend you do the same. Sometimes it takes a few iterations to complete the form to the satisfaction of my client, but when completed, it does provide documentation of due diligence and a clearer picture of what can be expected from the service provider. If the vendor will not complete the questionnaire, then it would be best to move on to another vendor – regardless of cost. If you can’t come to terms before a contract or statement of work is signed, it will be ten times more difficult after the signature to come to an agreement. If the cloud provider does not comply with your needs, you may be better off developing your own cloud.

This article has only scratched the surface and provided information on the basic questions that should be asked and answered to protect businesses utilizing cloud service providers. The intent of this article was to inform the reader that there are many types of cloud service offerings and ways to reduce and/or eliminate problems. The primary issue is one of due diligence. We as corporate or government IT security or business continuity experts need to make sure our organizational leaders have the necessary information to make informed choices for the protection of critical and sensitive information, to allow them to decide between implementing adequate controls and safeguards now to protect against risks, or to potentially pay later in reparations and damaged reputation.