It’s certainly justified for an organization to worry about theft, loss or legal noncompliance as they put data in the public cloud. The cloud is a fast-moving target that continues to evolve so it’s fair to ask such questions as: At what moment will the security and controls be enough? and If we get locked in now, will we be locked out of future progress?
Yet, with competitors already reaping game-changing benefits by using the cloud, remaining on the sidelines waiting for the right moment to commit to the cloud isn’t an option. Risks can be managed and we believe the following steps can help an enterprise craft a strong cloud security strategy:
1. Know your appetite for privacy and security risk.
Compliance with privacy law is a minimum requirement, while security options fall on a continuum based on a company’s appetite for risk, costs and the technological solution.
The security and privacy regulations currently in force were not designed for the cloud – in fact, they are at least a decade old and fail to address such cloud issues as virtualization and shared tenancy. Cloud services themselves are sometimes in direct conflict with regulations. Germany, for example, has put strict controls in place that prevent the transfer of personal data across its borders, thereby blocking German companies from engaging with cloud providers that intend to store their data outside the country.
Even when regulations are not in conflict with what the cloud is trying to do, they can inhibit a company’s initiative to use its services. Until global IT regulations are updated and harmonized, companies should survey the security and privacy controls where they operate or where their data may reside, and then use the cumulative set of requirements as a baseline. This can help businesses and cloud providers resolve impasses regarding privacy and security. Indeed, a close analysis reveals that many countries’ compliance requirements overlap, with relatively few unique requirements.
Furthermore, companies should be aware of recent industry initiatives, such as the Common Assurance Maturity Model which offers a certification level for cloud providers that can help companies with due diligence when selecting a vendor.
When it comes to its cloud strategy, organizational decisions need to be made within the confines of a risk framework that rationalizes the legal, reputational, and cost impacts of security and compliance breaches. Companies must bring on board new applications and users in a manner that is appropriate for the organization; stay on the right side of privacy law; provide a checklist of “must have” security criteria for contracting teams, systems integrators and application developers; ensure that vulnerabilities are caught early and cloud-specific defensive capabilities are employed; and ensure strong coordination with system integrators used to place and maintain regulated data in the cloud.
2. Expect to share responsibility.
It is critical to clarify the roles of the data owner and cloud provider (and systems integrator, if applicable) in delivering legally compliant solutions. While the law doesn’t state any clear division of labor as long as certain things get done, many data owners and cloud providers have misconceptions about their responsibilities. This can hinder the evolution of a secure and compliant cloud solution. The law also has a tendency to fall behind technology developments, thereby inhibiting progress.
Organizations should consider a public cloud as suitable for hosting regulated data – as long as the cloud provider is willing to share the risk and, as such, bear the necessary legal obligations.
There is no turnkey cloud solution. Data owners and cloud providers must be willing to define each of their roles, regardless of the type of cloud solution.
3. Demand transparency and accountability from cloud providers.
Companies should approach cloud providers as they would any vendor – from the bottom up (through technology) and the top down (in terms of security, compliance and governance). They need to ask the following questions:
• Do we know how to secure each cloud provider by incorporating security controls and risk mitigations?
• How does the provider’s technology work and which of its people – including subcontractors – have access to customer data?
• What testing has been completed to verify that services and control processes are functioning as intended and that unanticipated weaknesses can be identified?
• To what extent is security embedded in the cloud solution?
• Does the cloud provider reserve the right to change its terms and policies at will?
• Have we accepted or mitigated the risks? What processes are in place to verify periodically that controls are working?
4. Use the cloud to address identity and access management issues.
Letting the good guys in and keeping the bad guys out needs to be part of a proven and flexible identification and authentication process. Every time a user accesses a cloud resource, a defined interaction should analyze the trust assignments and allow appropriate access.
Identity management is one of the fastest-moving areas in the cloud ecosystem, likely to become a service over the next few years. Expect that identity management tasks – enrollment, provisioning, authentication, authorization, audit, single sign on, and role management and reporting – will soon move from an on-premise solution toward a Software as a Service model.
It’s important to note that the cloud concentrates data into locations that become attractive to criminals who are intent on compromising controls. Therefore, companies need to know the authenticity and integrity not only of people, but also of supporting processes and software.
5. Architect solutions that address the risk.
For the time being, many companies will hedge their bets by choosing to use hybrid clouds until the industry matures and privacy and compliance features are baked into cloud offerings. Public cloud computing vendors have very large financial incentives to provide the privacy and security controls that companies demand in order to move mission-critical applications into shared environments.
To determine which applications to move to the public cloud, organizations will need to make deliberate choices one by one. Over time, companies and suppliers will likely grow smarter about where they run applications and how they manage cloud capabilities.
As an example of a solution architected to address risk, consider a healthcare provider that wants to secure patient-related medical data on a public cloud. The company first needs to look at whether the cloud solution can be HIPAA compliant. The solution would then have to cover unambiguous requirements such as record-level logging and audit capabilities, encryption of data, and breach notification procedures/requirements for any lost or compromised data.
Even with these measures, the third party could still lose data. Security controls to address that gap would need to be implemented which may include a blend of technical security controls, trust models, and human-based process controls.
Companies prepared to take the plunge into the public cloud should keep the following in mind:
• Understand the privacy laws to ensure that none are violated before putting any data in the cloud.
• The right people – from IT, legal, security and corporate governance – need to be at the table whenever cloud decisions are made.
• All business units must follow standardized rules that specify the circumstances in which cloud computing can be used and the data that can be moved.
• The cloud provider’s terms of service need to be read carefully.
As with any technological solution, companies need to understand the risks associated with putting certain data onto the public cloud. They must develop a risk management framework for security and governing data, and then architect solutions to address the risks. While such a move warrants both enthusiasm and speed, organizations also need to maintain a “buyer beware” attitude.
Furthermore, companies should help create cloud ecosystems in which they would be comfortable placing their data by supporting efforts to create cloud standards immediately.