When businesses opt for cloud computing, there are big benefits and big savings, no doubt, but there are risks too. When businesses, enterprises and their mobile applications move to cloud services, they agree to have someone else look after their assets in the cloud. This external control over the assets can be a matter of concern. How can organizations mitigate those risks? How can the potential for mismanagement be minimized? What steps can customers of cloud services take to ensure they reach their business goals while keeping their cloud-hosted assets secure? Let's look at some of the ways cloud service customers and providers can address these concerns.
# Effective Governance And Compliance Processes
Customers opting for cloud services should have proper governance and compliance processes in place for using those services. Providers should also have the right governance processes for their services, consistent with the requirements of their customers. There should be clarity on which legal and regulatory controls apply to the provider. Things get complicated because the technical design and operational control of the cloud service remain in the hands of the cloud service provider.
The kind of cloud service offered by the provider (IaaS, PaaS or SaaS) determines how responsibilities are split between the customer and the provider. As a customer, your data can be stored in and transmitted to any of the servers and devices the cloud service operator has. The servers hosting the data could be located in different jurisdictions if the operator has multi-jurisdictional operations. It may be difficult to know exactly where the customer data is at any particular point in time. Jurisdictional issues need to be clarified, as courts and governmental agencies can hear a matter only if they have jurisdiction over the parties and the subject matter of the action.
In case of a breach, the cloud service provider is expected to notify its customers. The provider should try to stop the breach as soon as possible, apply best-practice forensics in investigating it, and make the changes necessary to ensure the breach doesn't happen again.
An organization or a business must insist on a suitable master service agreement and service level agreement before commencing.
# Internal Control Service Environment Of A Cloud Service Provider
A customer must know about the internal control service environment of a cloud service provider. Reports on the cloud provider's operations by independent auditors boost the customer's confidence. The audit report could conform to one of the accepted standards for security audits, such as ISO 27001 or ISO 27002.
There are two important aspects of internal control. First, because the cloud is a multi-tenant environment, it is important to ensure the isolation of customer applications and customer data. Second, customer assets need to be protected from unauthorized access by the provider's staff. The service provider should take care of both.
Cloud service customers should be given appropriate access to cloud provider events, audit trails and logs, to assure them that all necessary security controls are in place and all required information has been logged and stored.
# Identity Management Systems
It is important to know about the identity management systems that the cloud operator uses. There should be robust Identity and Access Management (IdAM) functionality. Customers that have their own IdAM systems should check whether they can integrate them with the cloud services. If not, the cloud service provider should provide for delegated administration. Some customer organizations may want to provide single sign-on (SSO) along with single sign-off to ensure that user sessions are terminated properly. Customers who host high-value assets in the cloud must ensure that their provider supports strong, mutual and/or biometric authentication processes.
It is best if the provider is able to give reports and logs on monitoring user access.
# Protecting Data Assets
When using cloud services, both data at rest, which is held in storage, and data in motion, which is being transferred from point A to B, need adequate protection. The risks include data theft, unauthorized disclosure, tampering, unauthorized modification, and loss or unavailability of data. The security controls described in ISO 27002 highlight the general features that need to be addressed. The category of cloud service used fixes the responsibility for data protection. For IaaS (Infrastructure-as-a-Service), the responsibility for securing the data lies with the customer. For SaaS (Software-as-a-Service), the responsibility lies with the provider, as all the controls are with the provider. For PaaS (Platform-as-a-Service), the responsibility is shared between the customer and the provider.
All data assets should be identified and classified in terms of their criticality to the business. Ownership of and responsibility for the data should be fixed, and the location at which it is stored and the acceptable use of the assets must be stated. There should be a description of the parties responsible for the data and their roles. Data assets may also include all kinds of structured and unstructured data such as scanned documents, pictures, multimedia files, application programs and machine images. Unstructured data requires special treatment such as redaction and masking of Personally Identifiable Information (PII). The integrity of data can be validated by techniques such as message digests or secure hash algorithms.
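The integrity check mentioned above can be sketched as follows. This is an added example, not code from the original article: it records a SHA-256 digest per object before upload and compares on retrieval, and it goes one step beyond plain digests by sealing the digest list with an HMAC so that the manifest cannot be replaced along with the data. The function names, the key and the sample objects are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for objects held in cloud storage.
KEY = b"constructed-demo-key-held-only-by-the-customer"
ORIGINAL = {
    "contracts/msa.pdf": b"%PDF-1.7 constructed sample",
    "images/vm-base.img": b"\x00\x01 constructed machine image",
    "exports/customers.csv": b"id,name\n1,Example\n",
}

def _seal(digests, key):
    """HMAC over the canonical digest list, so the manifest cannot be swapped."""
    canonical = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_manifest(objects, key):
    """Record a SHA-256 digest per object before it leaves the customer."""
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in objects.items()}
    return {"digests": digests, "seal": _seal(digests, key)}

def verify(objects, manifest, key):
    """Compare retrieved objects with the manifest and report discrepancies."""
    if not hmac.compare_digest(_seal(manifest["digests"], key), manifest["seal"]):
        raise ValueError("manifest seal mismatch: the manifest itself was altered")
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in sorted(manifest["digests"].items()):
        if name not in objects:
            report["missing"].append(name)
        elif hashlib.sha256(objects[name]).hexdigest() != digest:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(objects) - set(manifest["digests"]))
    return report

def demo():
    """Simulate retrieval where one object changed, one vanished, one appeared."""
    manifest = build_manifest(ORIGINAL, KEY)
    retrieved = dict(ORIGINAL)
    retrieved["exports/customers.csv"] += b"2,Injected\n"  # modified in storage
    del retrieved["images/vm-base.img"]                     # lost
    retrieved["tmp/extra.bin"] = b"unknown"                 # not in the manifest
    return verify(retrieved, manifest, KEY)

if __name__ == "__main__":
    print(demo())
```

The manifest and the key stay with the customer; a digest stored only next to the data in the provider's storage protects against accidental corruption but not against someone who can rewrite both.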
# External Network Controls Of A Cloud Provider
The cloud service provider should allow legitimate network traffic and block malicious network traffic. Find out whether the cloud provider automatically screens traffic with firewall devices or software. The provider's firewall should protect against both IPv4 and IPv6 attacks. The provider must publish, and provide to its customers, a standard perimeter block list of the sites it routinely blocks.
The cloud service provider must be able to withstand high-traffic attacks such as DDoS (Distributed Denial-of-Service) attacks. An IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) must be in place. Incident reporting and incident handling procedures must be clear. Network logging information must be provided in detail, since customers may want to do a forensic analysis after an attack. Attack notification policies must be in place: customers must be informed if their data is attacked. The cloud provider must maintain logs of the attacks detected and blocked, and share them with its customers. This is a confidence-building measure, because it lets customers see how good the provider's detection and blocking capabilities actually are.
# Security Controls On Physical Infrastructure And Facilities
The infrastructure and facilities of the cloud provider should be in a secure area. For its part, the cloud operator can assure customers that its infrastructure and facilities are adequately protected by providing audit reports. Best of all is if it can demonstrate compliance with security assurance standards such as ISO 27002. Only authorized personnel should have access to areas containing physical infrastructure.
There should be adequate physical security for all offices, rooms and facilities that contain physical infrastructure related to the cloud. There should be adequate protection against natural disasters such as earthquakes, floods and fire, and against man-made disasters such as civil unrest, which have the potential to harm and disrupt cloud services. Utilities such as electricity supply, telecommunications and gas supply should be monitored so that no malfunction on the premises, such as water leakage, harms the infrastructure running the cloud services. Power cables and telecommunications cables should be protected. All equipment should be maintained properly. The right procedures should be followed when removing or disposing of any equipment that may contain data. The cloud provider should have the right data backup, equipment redundancy and continuity plans.
# Exit Processes
Exit processes should be handled securely too. The exit process should be documented as part of the cloud service agreement. Once a customer reaches the end of the exit process, all of the customer's data should be deleted from the provider's end. Backups may be retained for agreed periods before being eliminated. Associated event logs and reporting data must also be retained until the exit process is complete.
Though the provider is required to delete all data relating to a customer who ceases to be a customer, including the logs and audit trails, some jurisdictions may require the customer's records to be retained for a period specified by law.
# Current State of Cloud Security According to Forrester
According to Forrester's Cloud Security Solutions Forecast 2016 To 2021 report, global cloud services revenue is up from US$68 billion to US$114 billion in two years. It grew at a rate of 30% year over year. Enterprises have multiple cloud service providers, and public, private and hybrid clouds all coexist, serving different needs. This complexity creates challenges for cloud security. To serve this need, the global cloud security solutions market will grow 28% annually over the next four years, from US$1 billion in 2016 to US$3.5 billion in 2021.
Whether you are an application developer or an enterprise with part of its computation up in the cloud, make sure you understand how cloud security works. Understand your role as a customer. Ensure you get the much-needed audit and assessment reports from your cloud provider certifying that it has adhered to best practices; then you can trust it with your data. As a cloud service provider, you need to be vigilant and get the right ISO certifications for your cloud services, which will serve as a vote of confidence. It will go a long way in assuring your customers.