Whitepaper How to Select the Right Service Provider?
Table of Contents Executive Summary 3 What Makes Cloud Computing Different? 4 Top Threats to Cloud Computing 5 Cloud Security Standards 6 Cloud Security Alliance 7 Top 7 Cloud Computing Security Challenges 7 Privileged user access 8 Regulatory compliance 8 Data location 9 Data segregation 10 Track Record of a Cloud Computing Service Provider 11 Security certificates 12 Disaster Recovery 12 Cloud Computing Security Checklist 13 Privileged user access 13 Regulatory compliance 13 Data location 13 Data segregation 14 Recovery 14 Security certificates 14 Long-term viability 14 Track record of a Cloud Computing Service Provider 14 Cloud computing security by Intercept IT 15 Conclusion 16 About Intercept IT 17
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
2
Executive Summary In today’s difficult economic conditions companies more than ever before are looking to enhance operational efficiency, reduce headcount and help improve bottom line profits. As such the industry focus on cloud computing should come as no surprise as it provides what IT always needs: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses a subscription-based or pay-per-use service that, in real time over the Internet, extends IT’s existing capabilities. But CIOs and other decision makers are understandably concerned about cloud computing security and privacy and this presents a strong barrier-to-entry. According to an IDC Enterprise Panel survey, the number one concern of companies moving into cloud computing environments is security¹. In an age when the consequences and potential costs of data compromises are rising fast for companies that handle confidential and private customer data, IT security professionals must develop ways of evaluating the security and privacy practices of cloud computing. Cloud computing security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. There are a number of security concerns associated with cloud computing that basically fall into two broad categories: 1. Security issues faced by cloud computing service providers (CSPs) 2. Security issues faced by their customers; i.e. your company The provider must ensure that their cloud computing platform is secure and that their clients’ data and applications are protected, while your company must ensure that the CSP has taken the proper security measures to protect your information. This white paper discusses the security aspects of cloud computing. It provides recommendations and best practices and contains a checklist to help you select the right cloud computing service provider (CSP) to secure and optimise your investments in cloud computing .
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
3
What Makes Cloud Computing Different? As cloud computing is achieving increased popularity, concerns are being voiced about the security issues introduced through adoption of this new model. The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as the characteristics of a cloud-based deployment model differ widely from those of traditional architectures. Cloud computing differs from traditional outsourcing because in the latter model, it is still very much standalone computing — either you take your server and put in someone else’s data centre, or you have a service provider managing your devices. In most cases, you know exactly where your data is and what resources, if any, you share with others. Although cloud computing provides tremendous opportunity and value for many organisations, the usual IT requirements still apply. Above all this includes security. In addition, some new issues come about because of the multi-tenant nature (information from multiple companies may reside on the same physical hardware) of cloud computing, the merging of applications and data, and the fact that a company’s workloads might reside outside of their physical on-premise data centre. These differences give rise to a unique set of security and privacy issues that not only impact users’ risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance and auditing. This delivers a great challenge to cloud computing service providers (CSPs) to prioritise building and maintaining strong management of secure services.
Intercept IT Whitepaper | Cloud Computing Security How to Select the Right Service Provider?
4
Top Threats to Cloud Computing The Cloud Security Alliance2 identifies the following top security threats to cloud computing:
• Insecure interfaces and APIs
CSPs expose a set of software interfaces or APIs (Application Programming Interfaces) that customers use to manage and interact (provision, manage, orchestrate, and monitor) with cloud services. The security and availability of general cloud services is dependent upon the security of these basic APIs.
• Malicious insiders
This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain combined with a lack of transparency into a CSPs processes and procedures. Areas of concern include how a CSP grants its administrators access to physical and virtual assets, how it monitors these administrators, as well as how it analyses and reports on policy compliance.
• Data loss/leakage
The threat of data compromise increases in the cloud because of the number of and interactions between risks and challenges which are either unique to the cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment. Areas of concern include deletion or alteration of records without backup, unlinking a record from a larger context, loss of encryption keys and unauthorised parties gaining access to sensitive data.
• Account or service hijacking
Cloud computing adds a new threat to the landscape; your account or service instances may become a new base for an attacker. Areas of concern include phishing, fraud, exploitation of software vulnerabilities and often reused credentials and passwords.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
5
Cloud Security Standards Can cloud computing benefit from security standardisation? A Forrester Research report published in 2010 counted 48 industry groups working on security-related standards4. IBM, Cisco, SAP, EMC and several other leading technology companies announced in 2009 that they had created an “Open Cloud Manifesto� calling for more consistent security and monitoring of cloud services3. However, there is a slight reluctance on the part of cloud providers to create standards before the market landscape is fully formed. The fact that neither Amazon.com, Google nor Salesforce.com agreed to take part suggests that broad industry consensus may be some way off. Microsoft also abstained, citing there reason being that IBM was forcing its agenda. Waiting for broader industry consensus around cloud security standards, there are a handful of web standards which companies considering cloud computing should take into account. Chief among these is ISO27001, which is designed to provide the foundations for third party audit, governing security of information and network systems5. The Statement on Auditing Standards no. 70 (SAS 70) is another widely recognised auditing standard developed by the American Institute of Certified Public Accountants and used by some cloud service providers6. Today you can look for SAS 70 Type II and ISO 27001 certifications for general compliance with controls for financial and information security typically required by government and industry regulations, but these do not guarantee that your company’s processes will comply. Standards like ISO 27001 and SAS 70 are helpful but they are point-in-time, and they are not very specific when it comes to data security, identity management and administrator controls7.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
6
Cloud Security Alliance The Cloud Security Alliance (CSA) is a not-for-profit organisation with a mission to promote the use of best practices for providing security assurance within cloud computing. A major goal of the CSA is development of standardised auditing frameworks to facilitate communication between users and cloud vendors. The CSA has formal alliances with ISO (International Organisation for Standardisation) and NIST (National Institute of Standards and Technology), so that its developments can be used by those groups as contributions to standards they are working on. Well underway, for example, is a Governance, Risk and Compliance (GRC) standards suite with four main elements: the Cloud Trust Protocol, Cloud Audit, Consensus Assessments Initiative and the Cloud Controls Matrix. Efforts of the CSA and other alliances, plus those of industry groups and government agencies, are bound to produce a wealth of cloud computing security standards in the next several years.
Top 7 Cloud Computing Security Challenges The most significant difference when considering security from a cloud perspective is the company’s loss of control, as opposed to any particular technical challenge. With an inhouse application, controlling access to sensitive data and applications is crucial. With a cloud-based application, access control is just as important, but the infrastructure, platform and application of security is under the direct control of the CSP. In the next sections this paper discusses the main cloud computing security challenges in the following order:
• Privileged User Access • Regulatory compliance • Data location • Data segregation • Track record of a CSP • Security certificates • Disaster Recovery
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
7
Privileged user access Although cloud computing helps free organisations from operating their own servers, storage, networks, and software, it also eliminates many of the traditional physical boundaries that help define and protect a company’s data assets. Without that physical and network isolation, it is harder to limit the access routes of administrators. Since the cloud introduces ever-changing chains of custody for sensitive data and applications, protecting those assets becomes all the more difficult. Sensitive information should not be stored or processed in the cloud without visibility into the CSP’s technology and processes to ensure the appropriate level of information protection. All the data stored outside your infrastructure can be accessed by administrators who have access to cloud servers. Outsiders are now insiders and this can be a threat as administrators hired by another company have full control over your data which they can (in theory) manipulate at will. CSPs should be strict about hiring administrators and the type of data they handle. Only privileged administrators should be given access to control-sensitive data.
Regulatory compliance Compliancy covers a lot of ground, from government regulations such as the European Union Data Protection Directive8 and the Sarbanes-Oxley Act9, to industry regulations such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act) and HL7 (Health Level 7) for health data. You may have internal controls in place, but cloud computing makes it harder for companies to be sure they are complying with industry and government regulations. That is a position many auditors, CIOs and CEOs find themselves in today. They want to know how to leap into cloud computing in a way that preserves their good standing in regulatory compliance. As a customer you are ultimately responsible for the security and integrity of your own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. This is no different when working with cloud computing service providers.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
8
Data location The location of data is the most complex aspect of the cloud computing model. When you use the cloud, you probably will not know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. When a business is located in the UK, it will be subject to the Data Protection Act 1998 and the European Union Data Protection Directive when handling personal data. The EU Data Protection Directive strives to keep personal information within the European Union. Under the directive, transfers of personal data outside the European Economic Area (the EEA) are prohibited, unless adequate protection is shown. As a result, if that business decides to use cloud computing it will need to ensure that the cloud computing services comply with the Data Protection Act 1998 or the European Union Data Protection Directive. As the data controller, you are solely responsible for compliance with these government regulations. This includes the obligation to ensure that your retain close control over your personal data, even when the data is being processed by a third party cloud computing service provider on your behalf10. To comply, your CSP should keep your European customer data on servers located in Europe. In addition to the EU Data Protection Directive, you need to be aware that local laws may apply to the data held on servers within the cloud. Laws such as the USA Patriot Act invest US government and other agencies with virtually limitless powers to access information including that belonging to companies like yours. European concerns about privacy laws led to creation of the US Safe Harbor Privacy Principles, which are intended to provide European companies with a degree of insulation from US laws and provides a streamlined process for US companies to comply with the EU Data Protection Directive.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
9
Data segregation Cloud computing works on the principle that commodity hardware is used by a vast number of consumers. This commodity hardware dynamically allocates resources when demand peaks and wanes, allowing cloud computing service providers the ability to provide consumers with a cheaper solution that handles the same workload typically handled by under-utilised in-house servers and infrastructure. This fact dictates that, at some point, you are sharing server space with other businesses so it becomes difficult to assure data segregation. Encryption is one of the methods to secure data in shared environments. Tested and reliable encryption algorithms mitigate this risk by making the data indiscernible without the proper keys. But it is debatable whether encrypted data is privacy sensitive, and whether the location encrypted data requires compliance to privacy legislation11. To explain this, two scenarios are described: data encryption applied by your company and data encryption applied by the CSP. • In case your company encrypts the data before it is sent to the cloud, and does not share the decryption key, the CSP cannot retrieve the original data. This has the advantage that the data is stored encrypted at the CSP, so hackers or CSP administrators cannot read the original data, while under the custody of the CSP. In addition, data encrypted at your site is not considered as “privacy sensitive data”in EU legislation, so data location issues do actually not apply for data encrypted by at your site. However, this way it is not possible to take full advantage of cloud computing benefits like scalable data processing, because the CSP is not able to process the encrypted data. For processing, the decryption key is needed, but this directly makes the data privacy sensitive again. • In the case encryption is added by the CSP, the decryption key is also stored at the CSP. The EU Data Protection Directive still applies to this kind of data, so the location of data is still an issue. CSP encryption does not help in showing compliance, because it does not guarantee the location, it just adds some extra security against intrusion. It can be concluded that both data encryption by you as a customer and data encryption by the CSP represent unique challenges to deal with the challenges of data segregation and data location legislation11.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
10
Track Record of a Cloud Computing Service Provider Moving data storage, storage and management to a cloud computing service provider, creates a large dependency of the company on this external party. A 2011 study by the Ponemon Institute indicated that the majority of CSPs do not view the security of their cloud services as a competitive advantage and that it is their customer’s responsibility to secure the cloud and not their responsibility12. Not all CSPs are created equally; due diligence is extremely important during this search as the overall security of your chosen cloud-based service depends upon the quality of the CSP. There are important criteria to evaluate:
• Data ownership
Ideally, your CSP will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. The CSP and your company have to make agreements about what will happen in these situations, e.g. perhaps by implementing an escrow agreement11.
• Service Level Agreements
Service Level Agreements (SLA) stipulate the guaranteed service uptime and availability that you can expect for your CSP. It is important to have the SLA documented. Should the CSP not meet its service level, you may qualify for compensation as stipulated in the SLA.
• Historical Performance
Historical performance of a CSP is a good predictor for their future performance. Service availability is the number one most important factor for business success, so find a CSP that can demonstrate historical performance and resolution practices.
• Monitors Service and Service optimisation
CSPs should have a team of technical professionals that monitor customer services, networks and infrastructure for any possible problems, and to maintain optimal performance.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
11
Security certificates Cloud computing service providers of all kinds will have high concentrations of their clients’ data and applications, which will make them top targets of hackers from all over the world. Therefore, while your company is evaluating the potential cloud benefits in terms of management simplicity, economies of scale and workforce optimisation, it is equally critical that you carefully test cloud services by independent third-parties for their ability to resist security threats and attacks. Certifications may become a viable alternative to third-party testing. This means that, instead of asking a third-party security vendor to conduct testing on your behalf, the company will be satisfied by a CSP’s certificate, stating that a reputable third-party security vendor has already tested its applications. Such certification must meet company or industry security standards. CSPs can show this using e.g. an ISO 27001 certification or SAS 70 certification. Gartner Research expects that by 2016 40 percent of enterprises will require proof of independent security testing for using any type of cloud service13.
Disaster Recovery A 2010 survey conducted by the Aberdeen Group uncovered that the top business driver behind cloud computing initiatives was the need for disaster recovery or a backup solution, as reported by 66 percent of those surveyed. As entire record systems move to electronic systems, greater dependence on the uptime and availability of applications and data means the demand for faster and accurate recovery is growing. Cloud computing can deliver both, making it the most efficient method for a disaster recovery plan. However, while cloud computing offers strong disaster recovery capabilities, the outage of Amazon Web Services in April 2011 made it painfully clear that good old operational and security practices apply to cloud computing as well14. Even if you do not know where your data is, a CSPs should tell you what will happen to your data and service in case of a disaster and every good CSP should have a disaster recovery plan in place that they have tested and certified, and that they have geographically diverse resources available to support operations in the event of a site loss. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
12
Cloud Computing Security Checklist Due diligence is extremely important when selecting the right cloud computing service provider as the overall security of your chosen cloud computing infrastructure depends upon the quality of the CSP. In order to help you with the due diligence, below please find a checklist containing both questions to ask when selecting a CSP, and best practices for you to enforce continued cloud computing security.
Privileged user access
Check with CSP • Has personnel with access to my data been security vetted? • Can you supply specific information on the hiring and oversight of privileged administrators, and the controls over their access? • What levels of security are in place for your personnel? • What measures are in place to prevent unauthorised access to my data? • What technical experience and qualifications are your staff required to have? Best practise • Be vigilant around updates! Make sure that CSP staff does not suddenly gain access privileges they are not supposed to.
Regulatory compliance
Check with CSP • Are you subjected to regular external audits and security certifications? • Do you meet data privacy requirements in my industry and location? • What geographic location is my data stored? • What other third parties may potentially access my data in order to ensure that they are fulfilling their obligations as data controller? Best practise • Ensure that the CSP is willing and able to comply with sector-specific regulation relevant to your business , for example within the healthcare of financial industry.
Data location
Check with CSP • Where is the data kept? • Will you commit to storing and processing data in specific jurisdictions? • Will you make a contractual commitment to obey local privacy requirements? • Do you commit to comply with EU-equivalent data protection standards? • Where is the data stored and what physical protective measures are in place? • Is the data centre monitored by 24 hour security? • Is the building fire and bomb resistant? • What are your redundancy systems like? • What is the cooling infrastructure like (is it robust and fully redundant)? • What kind of back-up power generators are in place in the event of a power failure? Best practise • Ensure that there is continuous physical security at the CSP’s premises and that physical entry to those premises is limited to authorised personnel only. • Perform a thorough investigation on the level of redundancy implemented in the CSP’s data centre. The level of redundancy will directly relate to the level of service you can expect for your cloud service.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
13
Data segregation
Check with CSP • Is my data stored on the same servers, network or backup devices that other customers use? Can I have the option to utilise dedicated servers? • What is done to segregate my data? How do you isolate my data from other customers? • Please provide evidence that encryption schemes were designed and tested by experienced specialists. • Best practise • Consider whether you wish your applications to be hosted on hardware that is specific to you. Note though that this may significantly limit the financial benefits of cloud computing.
Recovery
Check with CSP • What will happen to my data and service in case of a disaster? • How often do you test your back up and recovery procedures? • How quickly can my data be restored in the event of a problem? • Do you have the ability to do a complete restoration, and how long it will take? Best practise • Fully understand how disaster recovery works in your CSP’s offering. • Ensure that there is a sufficient and effective system of back-up should there be a security breach.
Security certificates
Check with CSP • Do you meet company or industry security standards? E.g. a SAS 70 certification or ISO 27001 certification? Best practise • Seek an independent security audit of the CSP and ensure adequate on-going audit rights.
Long-term viability
Check with CSP • How would I get my data returned if needed? Will it be in a format that I can import into a replacement application or service?
Track record of a Cloud Computing Service Provider
Check with CSP • What happens to the ownership of my data if you go into administration or get acquired by a larger company? • Is there an escrow agreement in place? • What is your record for service availability? Do you provide a contractual guarantee for this? • Is there a guaranteed percentage of service availability described in a Service Level Agreement (SLA)? • Can you demonstrate historical performance and resolution practices? Best practise • Confirm that the CSP has a proven track record of service uptime and reliable IT solutions that can be demonstrated. • Confirm that the cloud service provider continually monitors performance to meet and constantly provide the optimal level of service performance.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
14
Cloud computing security by Intercept IT The security of your company’s data is of paramount importance to Intercept IT and, accordingly, extraordinary measures have been taken and there has been huge investment to protect the integrity of our cloud platform and your company’s data. Our cloud services are among the most secure and reliable IT solutions available anywhere in the world today. Top-level security addresses all cloud computing security areas described in this white paper, including the following two key areas:
Privileged User Access
Whilst the cloud platform itself must be protected, a common risk to corporate data is actually from soft threats such as social engineering calls to gain information about users. Callers present false identities in order to obtain data such as usernames, passwords and other personal information that would help them gain access to corporate systems. Intercept IT has taken a number of steps to prevent this from happening. For example, our service desk is designed to keep user details safe by storing unique, encrypted information about each user. Similar to banking systems, if a user requires assistance, they are asked for random characters from the information we hold, relating to a security question and the appropriate answer, before assistance.
Regulatory compliance and Data location
The physical hardware and software used to deliver our cloud services is located in two purpose-built data centres in the UK. These facilities provide unparalleled security, protection and redundancy for all IT equipment. Protection starts with security measures to guard against unauthorised access to the buildings, right through to the safeguarding of equipment against fire, flood, power outages and other physical threats.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
15
Conclusion Make security a priority when considering cloud computing for your business. Cloud computing security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. The most significant difference when considering security from a cloud perspective is the company’s loss of control, as opposed to any particular technical challenge. With cloud computing the infrastructure, platform and application of security is under the direct control of the cloud computing service provider. It is your responsibility that the CSP has taken the proper security measures to protect your company’s information. The CSP on the other hand must ensure that their cloud computing platform is secure and that its clients’ data and applications are protected. But not all CSPs are created equally; due diligence is extremely important during this search as the overall security of your chosen Cloud-based service depends upon the quality of the CSP. The checklist in the white paper can help you selecting the right CSP en help you enforce continued cloud computing security.
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
16
About Intercept IT Intercept IT is the UK’s leading cloud computing and virtualisation service provider. Since 2002 the company has helped companies of all sizes to reduce costs, improve user performance and increase business agility by delivering applications and desktops from the cloud. The company provides a full range of services including strategic advice on the design, build and management of cloud infrastructures, together with fully outsourced solutions from Intercept IT’s own bespoke cloud platform. Intercept IT holds strategic relationships with many of the world’s leading vendors, including Citrix, Microsoft and VMware, in order to provide its clients with unrivalled solutions. For further information, follow updates on Twitter @InterceptIT and visit www.intercept-it.com
IDC, Enterprise Panel, September 2009 Cloud Security Alliance, “Top Threats to Cloud Computing v1.0”, March 2010 3 Open Cloud Manifesto, spring 2009. www.opencloudmanifesto.org 4 Forrester Research, “Getting Past Cloud Security Fear Mongering”, Chenxi Wang, October 2010 5 The ISO 27000 directory, An Introduction To ISO 27001 (ISO27001). www.27000.org/iso-27001.htm 6 SAS 70 overview. www.sas70.com 7 Jonathan Penn, VP and principle analyst for Forrester Research in CIO magazine, August 2011 8 Directive 94/46/EC of the European Parliament and of the Council, October 1995 9 The Sarbanes-Oxley Act of 2002, www.soxlaw.com 10 Hazel Grant, Tessa Finlayson “Cloud Computing & Data Protection”, June 2009 11 J. Noltes, “Data Location Compliance in Cloud Computing”, University of Twente, August 2011 12 Ponemon Institute LLC, “Security of Cloud Computing Providers Study”, April 2011 13 Gartner Research “Application Security Testing of Cloud Services Providers Is a Must”, Jospeh Feiman, October, 2011 14 SearchCloudComputing, “A crack in the cloud: Why the Amazon outage caught so many by surprise”, Carl Brooks, April 2011 1 2
Intercept IT Whitepaper | Cloud Computing Security | How to Select the Right Service Provider?
17