Security Experts:

Baby Steps into the Cloud

When you Outsource, You are Entrusting Someone Else to Worry about Security

Chances are that if you are using cloud computing, you are buying a service from someone else. Yes, sometimes organizations build their own private cloud, but let’s view the fundamental purpose of cloud computing as for an organization to outsource some function offered “in the cloud”. Is cloud computing fundamentally different than outsourcing? Yes and no. Is cloud computing anything really new? Yes and no.

Moving to Cloud ComputingIf we look at the cloud as a rookie, from the outside, like an organization starting to consider cloud services, what does the cloud mean to us?

In its most simplistic form, yes, you can think of a cloud provider as an outsourcer. They are providing a service for you that is outside of your facility and ultimately outside of your control. NIST says that cloud computing:

1. Includes a shared pool of computing resources

2. Enables on-demand access

3. Supports rapid, and dynamic, provisioning and releasing of services

4. Requires minimal interaction from the provider or the requisitioner

So, what is the difference between a cloud provider and a stereotype outsourcing service company? Well, if the brick and mortar outsourcer can allow rapid, convenient provisioning/decommission of services on demand…

The simplistic view, then, is that a cloud provider is just another outsourcer. That means a cloud provider is simply taking some function out of your organization and running it in their facilities. Yes, we all recognize that even if the service is “in the cloud” it does indeed still run on a piece of hardware in a data center somewhere. By outsourcing to the cloud, you are simply transferring some processing capacity from your organization to the cloud provider. But that is the “win”. You get a flexible service for which you do not have to carry the cost of the supporting assets, or the cost of the supporting staff and other facilities. If you need more bandwidth or capacity, the cloud will be flexible enough to support your needs (within the scope of your contract with the cloud provider).

There is a problem with the basic process, however. Just because you are transferring your data and/or processing to an outsourced cloud provider, it does not mean you are also transferring your responsibility for the protection of that data. Regulations like PCI and HIPAA/HITECH carry with them requirements for a processor to protect the associated data. You, as the organization, are still responsible for the data and the protections thereof, regardless of whether or not you are using an outsourcer to actually house the data.

And that is issue number one: if the financial data or the Protected Health Information managed by your outsourced provider is compromised, it is ultimately your responsibility. You can share that responsibility by signing really good contracts with your provider, but if you are a Covered Entity, then you are a Covered Entity. And, if you are a CE, you may not be able to name your cloud provider as a Business Associate, since they may very well function as a data center that doesn’t really manipulate or access the data. Therefore, you probably don’t get to share responsibility with a BA.

All of the Responsibility, None of the Authority.

So what do you do about your data in the cloud? Ah. Back to this question. This is not an easy question. Everything you have to worry about in your own environment, you also have to worry about for the outsourced/cloud vendor. The only difference is that, when you outsource, you are entrusting someone else to worry about that security.

The easy questions are things like protections for uptime and data recovery. The cloud provider is doing backups and providing a certain level of service continuity. Any outsourcer worth two cents has all of the basic operations locked down. This is not to say that you don’t have to worry about it, but if your outsourcer is not doing backups, or does not have a resilient data center, you should be able to find this stuff out pretty quickly with a minimal amount of effort. To some extent, much of this should be defined in your SLA with the cloud provider. If you need 24x7 operations, you need to include the requirement in your contract with the cloud provider. If you need to be able to grow throughput by 300% during peak workload, you need to have that in your contract with the cloud provider. See a trend here? Your contract with the provider is your first protection.

But, obviously, they cannot be your only protection. Just because they signed on the dotted line for your SLA, it does not mean they have all the other protections in place. A variety of searches and sources will give you an even larger variety of concerns or security issues around cloud computing, but ultimately, they boil down to a limited set of real issues.

1. Identity Management/Access control

2. Data/System Segregation/Co-location

3. Encryption

4. Compliance Proof

Identity Management/Access Control

There are several issues at play here. First of all, the cloud provider needs to have sufficient physical access controls that they can effectively control and monitor who has physical access to the systems that house any data. Only duly authorized staff should have physical access to any device that houses or provides access to any client data.

Extend this further by using a strong access mechanism throughout the cloud. Not only for all provider administrative users, but for any outside clients who have administrative access to their data from the outside world. You need to have assurance that only you can access your data – that someone else logging in will not get access to your environment.

If someone else is logging in, they need to be able to know that it is not me, and need to control access accordingly.

At the same time, when I log in, they need to be able to absolutely know that it is me. If I am requesting an extension in service or coverage, or cancelling some service, or submitting some other change request, they need to be able to verify with authority that it is me doing so. This is required to help make sure that only I can submit authorized changes on my account, but to also make sure that if they get a change request that I cannot suddenly say “it wasn’t me!” When evaluating a cloud provider’s identity management capabilities, the ability to ensure non-repudiation is not quite as important as insuring authorized access, but it is close.

Data/System Segregation/Co-location

This is the big bad problem when talking about the cloud. When you are talking about the nebulous “cloud”, how do you make sure that your data is not mixed with someone else’s? How do you make sure that your applications are pointing to only your data, and are never using my database? This segregation is the single largest issue in cloud computing and potential adoption amongst the masses.

Encryption

We all know the value encryption brings to the table. And that is even if you don’t consider the fact that it is required by PCI and practically required by HITECH. Encryption plays best if it is unique to the specific client. My encryption key should not be the same as the encryption key of another client – we are not all the same. This actually goes a long way towards helping enforce data segregation issues as well – if we are different clients, and we have different encryption keys for all of our data, then it certainly makes it more difficult for me to see your data – especially accidentally.

Compliance Proof

Regardless of everything else that the outsourcer is doing, if you have regulatory requirements like HIPAA/HITECH, or are required to meet other standards like PCI, the cloud provider will need to provide some guaranteed level of security and controls over the systems and data. Part of the compliance issue is not just “doing stuff”, but is actually being able to prove that you are “doing stuff”. The cloud provider must be able to provide audit/compliance proof of sufficient quality that an auditor is fully satisfied that the proper controls are in place and working as designed. Again, this includes the same type of logs and reporting, the same type of proof that the auditor would require from you, or from any outsource provider.

Bottom line? Cloud computing is “new” mostly in name only. Most of this is not new ground. We have been dealing with the majority of these issues since we started outsourcing. The current “cloud” only magnifies the issues because of the additional flexibility provided by offering such service over the ‘net.

Subscribe to the SecurityWeek Email Briefing
view counter
Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.