As a security solution provider, you have a particularly tough row to hoe with regard to securing your client’s data in a cloud computing environment.
Cloud capabilities and ubiquity have advanced greatly, but have the security capabilities and protocols kept up? Unfortunately, in many cases, the answer is no. If you are going to support a client moving to a public cloud, or are asked to support them after the fact, there are many
issues with cloud computing
Many companies developing and offering cloud computing products and services have not properly considered the implications of processing, storing and accessing data in a shared and virtualized environment. In fact, many developers of cloud-based applications struggle to include security, even as an afterthought. In other cases, developers simply cannot provide real security with currently affordable technological capabilities.
Having a written plan about what the cloud provider will do in a security event, such as a breach, is required by many regulatory standards, and with many states and the federal government.
At the same time, many solution providers helping a client move to a cloud solution fail to spend enough time and effort to verify the cloud offering’s security. This may be because the client’s primary reason for moving to the cloud is to reduce costs. Therefore, there may be little profit for the solution provider in the cloud relationship. These factors, and the reality that cloud providers often lull your clients into believing there’s little reason to worry about security, make your role as a security solution provider even more difficult.
The ubiquitous use of cloud is so new that the National Institute for Standards in Technology (NIST), which is tasked with writing guidelines for proper use of technology, is only at the draft release stage with its cloud computing guidance. In the draft Guidelines on Security and Privacy in Public Cloud Computing (800-144), released May 16, 2011, it is clear that even NIST members are rightfully concerned and cautious about the rapid and seemingly unfettered move to cloud computing. As the document points out, “Many of the features that make cloud computing attractive, however, can also be at odds with traditional security models and controls.”
Even if one could show a modicum of short-term cost savings in public cloud versus client premise architectures, the risks (with some exceptions) significantly challenge the potential gains. There are considerable obstacles to securing data housed and controlled by an entity other than its owner, and this is amplified with a public cloud, where communications, computing and storage resources are shared and data is often co-mingled.
The difference between protecting data in a public cloud versus data in a client organization’s own systems is like protecting the president in a crowd on the streets versus in the White House. He still has some protection on the street, but without the ability to fully control the environment, he is at far greater risk. It should be noted that even with the recommendations we’ll cover below, there is no such thing as infallible security in a public cloud environment.
10 steps to conquer client’s security issues with cloud computing
There are 10 steps that security solution providers should take when moving clients to a public cloud solution.
1. Contract with the cloud provider yourself, on behalf of your customer .
Aim to sign a contract with the cloud provider yourself, rather than having the cloud provider deal directly with your client. This may not always be possible, as some cloud providers—even those who sell through channel partners—will only sign a contract with the customer. When they do, your risk may not be worth the reward. If anything goes wrong in that cloud, your customer could come after you for recommending the cloud provider in the first place. Also, although cloud providers who contract directly with the customer will pay a margin to the reseller who brought the customer to them, these margins may diminish over time as the cloud provider takes control of the customer.
2. Have cloud provider’s security measures written into the contract.
Take the time to investigate thoroughly how the cloud provider secures its systems. This means getting assurances from the cloud provider written into the contract. You might also require an independent audit report and/or certification verification. The written assurances must include applications, infrastructure and configurations. If you cannot get verification because the cloud provider won’t share the information, or they don’t have it readily available, run fast to the nearest exit.
3. Look closely at employee and contractor backgrounds.
Find out if all the cloud provider’s employees or contractors who could have access to the cloud provider’s systems are fully vetted for their criminal background, have been drug tested, and have the requisite skills needed for the roles they will fill. Have these details added to the contract.
4. Find out who will monitor your customer’s data.
Ask the cloud provider to detail who will have access to data, and why and when they are accessing it. Why is this important? Well, for example, Google had a security engineer, David Barksdale, who was found to have been snooping on the activities of teenagers, including reading emails and listening to Google Voice calls before going to meet them in public places. When asked if they had been monitoring this activity, Google’s response was, “We monitor on an as needed basis. We are increasing the amount of monitoring we do.”
5. Have a plan for security events.
Ensure cloud provider’s contract gives precise details about compliance commitments and breach remediation and reporting contingency. The contract should predict and describe, to the best possible degree, what responsibility the cloud provider (and you) are promising, and what actions the cloud provider (and you) will take during and after security events. In fact, having a written plan about what the cloud provider will do in a security event, such as a breach, is required by many regulatory standards, and with many states and the federal government.
6. Verify the access controls being used by the cloud provider.
Just as you would implement access controls for your client’s own systems, the cloud provider must describe and implement the controls it has in place to ensure only authorized users can access your client’s data. Be especially vigilant if your client must comply with regulatory obligations; housing data somewhere other than the client’s premises does not relieve the client or you of legal responsibility.
7. Stay in control of your client’s access devices.
Be sure the client’s access devices, such as PCs, virtual terminals and mobile phones, are secure. The loss of an endpoint access device or access to the device by an unauthorized user can negate even the best security protocols in the cloud. Be sure the computing client devices are managed properly, secured from malware and supporting advanced authentication features. If you have not already done so, work with your client to establish pre-defined “standard operating procedures” to remediate a security event involving the loss or theft of a device that is configured to access cloud resources.
8. Look at the cloud provider’s financial status.
Obtain written assurance about the financial condition of the cloud organization. Be wary of a security breach that could be caused by a cloud provider (that you recommended) suddenly shutting down and disappearing in the night. In fact, a local police department suffered this exact problem with a cloud service provider when the provider’s Web hosting company shut down and literally disappeared without any notice. (Luckily this incident only involved the loss of a website and blog database, and not private records or critical criminal case data.)
9. Specify how data will be returned.
Get details written into the contract that describe how your client’s data can and will be securely returned to the client in the event of a cancelation of services. For example, I am currently working with a client who came to me because it was being held hostage by a cloud provider not reacting properly to the client’s request for their data. The client needs to report its compliance, but the cloud provider will not share diagrams or other information, or provide audit records. The provider admits the entirety of client data is in a shared common network, with shared drives and applications in a multi-tenant configuration. This client is now in danger of being hit with significant fines and penalties.
10. Don’t forget about data deletion.
Verify the proper deletion of data from shared or reused devices. Many providers do not provide for the proper degaussing of data from drives each time the drive space is abandoned. Insist on a secure deletion process and have that process written into the contract.
The results from these 10 steps should be written into the cloud provider’s contract (if they are not already in the standard contract). Do not rely on brochures or data sheets from the cloud provider, or verbal conversations you have with the cloud provider. At the end of the day, it will be the contract that rules if anything should go amiss and you find yourself in court defending your decision to use a particular cloud provider. The contract is the best protection for you and your client.
As the trusted security advisor of a client using a cloud solution, you will likely be held culpable when there is a breach. You must remember that your client and, by association, you are still liable when it comes to security and breach. By following these 10 steps to tackle the security issues of cloud computing, you and your client will have peace of mind knowing that you have done what is prudent to assure your client’s security in the cloud.
About the author:
Kevin B. McDonald is Executive Vice President and Director of Compliance Practices at Alvaka Networks, a 27-year strong Network Services and Security leader in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America's most influential people and organizations. He serves as a senior advisor to businesses, state and federal legislators, law enforcement leaders, charitable boards, abuse prevention professionals and municipalities. He is a sought after presenter, panelist and commentator. McDonald consults on the issues surrounding advanced technology, physical and logical security, regulatory compliance, organizational development and more.
McDonald is a HIPAA Privacy and Security Expert and a member of the CompTIA HIT, Advisory Council. He is Chairman of the Orange County Sheriff/Coroner's Community Technology Advisory Council (C.T.A.C) and member of the High Tech Crimes Consortium. He has written for, or been interviewed, in dozens of national and regional publications and he has authored the novel, Practically Invisible.
This was first published in June 2011