cloud security
MANAGED SERVICES
Until recently, this stalemate didn’t seem to be much of an issue. The general consensus was that as long as data housed in the cloud was not of a sensitive or classified nature it was deemed an ‘acceptable risk’. But as the benefits of the cloud have become apparent, so our reliance on virtualisation has increased and the type of data we are entrusting to the cloud has become more valuable.
So who does hold the hot potato? The fact is that users are still responsible for data security regardless of its location, with regulators such as the Information Commissioner’s Office (ICO) going to great lengths to emphasise this. ICO guidelines [1] published in September 2012 explicitly state that “the law on outsourcing is very clear… how data is used and protected remains your responsibility”. No matter where it is housed or how it is accessed, the data depositor is wholly responsible for its protection. Unfortunately this message seems to have become lost in the haste of organisations to move to the cloud, keen to gain the competitive edge.
Whether moving to a public or private Cloud, organisations want to embrace the benefits and efficiencies that Cloud technology can bring. Architectural fluidity, capital expenditure savings and location independent resources all combine to make the move to Cloud an attractive option. Yet the organisation is not only virtualising the infrastructure but also handing over critical resources to a CSP and in most cases, presenting access to the infrastructure via the Internet. All too often, the drive for efficiency can lead to a landscape of unacceptable risk to critical business data and the operational environment.
It’s a situation that’s likely to worsen as users become more confident and reliant upon cloud services. A recent study by the Ponemon Institute on behalf of Thales [2] found more than half of the 4,000 users questioned were now transferring sensitive or confidential data to the Cloud and more than 60 percent of those believed the onus was on the CSP to protect that data. There are calls for CSPs to be more explicit in the terms and conditions but ultimately if the situation is to change users need to bring pressure to bear upon the industry.
To start with, it’s worth monitoring levels of service. Is the service running slow, despite sufficient network connectivity? How much downtime are you experiencing, and is this happening daily, weekly or monthly? Is your Intellectual Property (IP) being compromised despite good internal procedures? How responsive is your CSP to changes, incidents or events? Service requests such as the management of user accounts, changes of access control requirements, and installation of software and applications may appear convoluted or take an unreasonable amount of time. One telling sign is to see how efficient the service desk is at responding to incidents and requests. This is the customer-facing side of the CSP and if this aspect is poor it does not bode well for the provision of the whole service.
The fundamental changes in architecture and business application that are brought about by cloud migration require careful planning, procurement, implementation and management. It’s therefore imperative to take the initiative and ask some probing questions of the CSP before committing to the cloud. The following 10-point plan, which should ideally start at initial procurement and carry on throughout the provision of externally provided services, will help any organisation in redressing and improving cloud services although there is no substitute for ensuring the service is transparently tested on a routine basis:
1. Ensure your requirements are well defined and cover the core principles of information security and information risk management
2. Ensure that service levels are defined, agreed and monitored throughout the delivery of any externally provided services
3. Ascertain any accreditations that your proposed service provider holds, specifically ISO27001, ISO9001 and ISO20000, and check to see if the services they offer are included within the scope of any such certifications
4. Ensure that network connectivity, i.e. broadband services, is appropriate for the size of your organisation and the cloud services you intend to use
5. Regularly monitor and audit any externally provided services. Third party providers can assist you with this process.
6. Ensure your service provider has adequate and well-defined business continuity and disaster recovery planning in place to ensure continued business operations for your organisation
7. Ensure that your service provider reports regularly back to your organisation on system outages and incidents
8. Get your service provider to provide a single point of contact for the effective management of cloud services to ensure timely resolution of incidents, problems and events
9. Agree areas of responsibility between your organisation and service provider to reduce any potential disputes
10. Be aware of where your data is being hosted and stored, i.e. is it off-shored, or is multi-tenanted hosting provided? If so, with which other organisations, and what are the related threats?
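An added example (not from the article, and not a CSP’s own tooling) of turning the monitoring questions above and points 2, 5 and 7 of the plan into a monthly check: constructed outage and service-desk records are measured against assumed SLA targets, and an outage that straddles the month end is clipped so it is counted once per period. The targets, record format and sample data are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed SLA targets (hypothetical figures, not from the article).
AVAILABILITY_TARGET = 99.9   # percent uptime per calendar month
RESPONSE_TARGET_MIN = 30     # minutes for the service desk to acknowledge an incident

def availability(outages, period_start, period_end):
    """Percent uptime over [period_start, period_end); outages are (start, end) datetimes, clipped to the period."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for start, end in outages:
        s, e = max(start, period_start), min(end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * (1.0 - down / total)

def weekly_availability(outages, period_start, period_end):
    """The same figure per 7-day window, to see whether downtime recurs weekly rather than once."""
    rows, s = [], period_start
    while s < period_end:
        e = min(s + timedelta(days=7), period_end)
        rows.append((s.date().isoformat(), round(availability(outages, s, e), 3)))
        s = e
    return rows

def response_minutes(tickets, kind="incident"):
    """Minutes from ticket opening to service desk acknowledgement, for one ticket kind."""
    return [(ack - opened).total_seconds() / 60 for opened, ack, k in tickets if k == kind]

def sla_report(outages, tickets, period_start, period_end):
    """Compare measured availability and desk responsiveness with the agreed targets."""
    avail = availability(outages, period_start, period_end)
    resp = response_minutes(tickets)
    worst = max(resp, default=0.0)
    return {
        "availability_pct": round(avail, 3),
        "availability_met": avail >= AVAILABILITY_TARGET,
        "incidents": len(resp),
        "worst_response_min": worst,
        "response_met": worst <= RESPONSE_TARGET_MIN,
    }

# Constructed sample records for November 2013; the second outage straddles the month end.
NOV_START, NOV_END = datetime(2013, 11, 1), datetime(2013, 12, 1)
SAMPLE_OUTAGES = [(datetime(2013, 11, 4, 9, 0), datetime(2013, 11, 4, 9, 25)),
                  (datetime(2013, 11, 30, 23, 30), datetime(2013, 12, 1, 0, 30))]
SAMPLE_TICKETS = [(datetime(2013, 11, 4, 9, 2), datetime(2013, 11, 4, 9, 10), "incident"),
                  (datetime(2013, 11, 12, 14, 0), datetime(2013, 11, 12, 14, 20), "incident"),
                  (datetime(2013, 11, 15, 10, 0), datetime(2013, 11, 15, 12, 0), "request")]
```

On the sample data `sla_report(SAMPLE_OUTAGES, SAMPLE_TICKETS, NOV_START, NOV_END)` shows the availability target missed (55 minutes of downtime in the month) while the desk response target is met, which is the kind of evidence the plan asks you to put in front of the provider.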
Clearly waiting for sensitive data to be compromised isn’t a good tactic, with prevention always being better than cure. But organisations should be prepared for the worst-case scenario by undertaking diligent contingency planning. Integrating business continuity and disaster recovery elements with the service level agreement (SLA), for instance, will ensure that disclosure and remediation can be handled speedily and effectively should a data breach occur. Of course, organisations need not ‘go it alone’. Until CSPs provide more open and transparent security policies, the organisation can seek the advice of a third party. One of the most effective means of ensuring compliance with the Data Protection Act (DPA) and other relevant legislation is to use a consultancy to assist with the move to the cloud and the subsequent management of virtualised data.
Consultants can advise upon cloud migration from design and development, through to deployment and the continued management of the service, and have specialist knowledge of contractual negotiations, IP rights protection, and security and programme delivery. Services are often available in a modular form, enabling the organisation to steer the project and secure expertise at specific stages. Assurance and audit services can also be used to help the organisation monitor and measure functionality and security; metrics that can then be used to prove ROI, inform a remediation roadmap for risk or help prepare the organisation for external audits, for instance.
The cloud is a nascent industry and data management and protection remains a complex issue. Data may be stored in different geographic locations and subject to various legislation, and access can suffer from downtime issues. Yet the advantages remain compelling, with the cloud providing real competitive advantage by eradicating cost of ownership and offering scalability and universal access. In the case of a data breach, the CSP’s hands remain clean, with data security still the responsibility of the user; but by asking the right questions of the CSP, careful planning and seeking assistance where it is needed, it is possible to provide assurances and engender trust in the cloud.
1. http://www.ico.org.uk/news/latest_news/2012/cloud-on-the-horizon-for-data-handling-outsourcing-27092012
2. http://www.thales-esecurity.com/company/press/news/2013/june/encryption-in-the-cloud
November 2013 | www.dcseurope.info | page 23