make a good business better

Resource Center better insights

Print Divider Print Divider Branding
 

Three Steps to Cloud Peace of Mind

07/20/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security

Share

Social Logo Social Logo Social Logo Social Logo

When you think about implementing cloud services, what feelings does it bring to mind? Are you feeling anxiety because of risks from a security, business or legal perspective? If so, you are not alone.

According to a recent survey published by the Cloud Security Alliance, 75 percent of IT decision-makers are “extremely anxious” about security using cloud-based services - yet 79 percent of U.S. enterprise executives are adopting cloud storage and web applications within their business.

So how can you reduce your anxiety while implementing cloud services that will benefit your business? A starting point is clearly understanding the issues involved, such as: 

  • How implementing cloud will increase the complexity of your environment.
  • How your productivity will be impacted by separating the data owner (your company) from the data processor (the cloud provider).
  • Whether you can tolerate not knowing where your data resides, both geographically and within your provider’s servers.
  • Whether you can tolerate loss of control over security mechanisms to protect your data.
  • The possibility that you may end up changing providers.

This article outlines a three-step process to reduce risk in security, compliance and contracts with providers, along with an additional section on special considerations for federal contractors.

Step 1: Define Requirements and Identify Controls

Some may say that defining your requirements is by far the least interesting part of a project. Security and business folk alike cringe at the prospect of being locked in a room and methodically defining what they want a cloud provider to do and how it will interact with their environment. However, this first step is arguably the most important part of the entire process. Documenting what you want the cloud service to accomplish and how it will meet your needs will save you many a headache in the future. So spend the time working with your organization to develop solid requirements; in fact, insist on them. As part of the requirements-gathering process, ask your organization and your cloud partner these tough questions:

  • Will my cloud provider be transparent about governance, security and operational issues?
  • Will I be considered compliant if I use this cloud service provider, and how will it help me maintain compliance?
  • Will I know where my data is at all times?
  • What controls does the cloud provider have in place to prevent unexpected security obsolescence?
  • Will my provider secure my environment as well as I would?
  • Will my cloud provider submit to an annual audit to validate its compliance with security standards?

Being transparent about how your cloud service is managed, secured and operated is key to ensuring that the cloud provider is meeting its responsibilities and protecting your data adequately. If your business model is dependent on compliance with a regulation or standard, then you must ask early in the conversation if moving your data to the cloud will put you out of compliance. Closely related to compliance is the question of where your data is stored and who has access to it while it’s in the cloud provider’s possession. Some compliance requirements state that certain types of data must remain in the United States and must only be accessed by U.S. citizens, so be sure you understand your requirements before engaging a cloud provider, as many cloud providers use data processing facilities that are outside the United States.

The final question seems like a “no brainer,” but it’s one that needs to be asked. In the past, many cloud service providers considered security of the data to primarily be the customer’s responsibility. But that thinking is beginning to change with the introduction of new regulations and standards aimed at better protecting data in the cloud. In the meantime, find out how the cloud provider intends to protect your data and compare their approach to your own intentions and expectations related to the security of that data.

To make this a productive conversation with your cloud provider, you must have a defined set of baseline security controls. Examples include:

  • Strong authentication. 
  • Multi-factor authentication.
  • Identity management and access controls.
  • Strong encryption of data in transit and at rest.
  • A security testing and validation process.
  • Continuous monitoring.
  • Hardened virtualized environments.

Once you have defined your requirements/expectations and identified your baseline security controls, you are ready to move on to step two.

Step 2: Evaluate the Risk

Once you have successfully completed the first step, you will want to consider how to evaluate your cloud adoption or migration risks prior to implementation. For an organization to successfully execute this step, it must be able to clearly define what data is to be protected and what value that data has to the organization. This process is called data classification, and it can occur in the form of a data inventory or catalogue. The goal is to be able to group data into classification levels based on the data’s sensitivity so that the appropriate controls can be implemented to protect that category of data. This concept of classifying data becomes important for data in the cloud when you have a mixed environment where some data is public and other data is private. The waters become even muddier if further classification levels exist within the private data, such as restricted or confidential. Once you have classified your data based on its sensitivity, consider how you will evaluate the risk of your cloud-based initiative. When evaluating your risk, include the criteria defined in step one, assign weights for each criteria based on the items that are most important to you, define the choices between fully deploying in the cloud, deploying partially in the cloud or not deploying at all (keeping it in-house), and, finally, include an average criteria scoring for quick evaluative purposes. In the same document, map out the pros and cons of cloud hosting vs. in-house or hybrid hosting and conclude your analysis by documenting the impact each option may have to your business. Evaluating your risk in an easy-to read, one-page summary chart is a great way to solidify the goals, identify risks associated with the cloud migration to all project participants, and provide an effective and relevant decision-making tool to your executive team.

The final step in evaluating risk is to implement your cloud strategy in a controlled manner. Once the decision is made about the cloud solution to be used, planning is necessary before data is migrated to the cloud. One very important aspect of this planning process is working with the cloud vendor to ensure that proper controls are in place before you develop your project timeline. Many organizations fall into the trap of thinking that a quick transition always translates into a successful transition. In reality, this is not always true. Organizations that rush to put information into the cloud without a documented plan can find that unauthorized or unclassified data is being stored in the cloud without the company’s knowledge or, even worse, without the proper security controls to protect the data from unauthorized access.

Step 3: Carefully Draw the Contract

The final step in the cloud migration process is to consider the contractual implications of using the cloud. The notion of storing your data in a location that you don’t own, don’t manage and maybe have never even seen creates a whole new set of challenges contractually.

Think back to the requirements you defined in step one. Be sure that there is corresponding language in your contracts supporting each of those requirements, so the vendor is obligated to meet your minimum security specifications. Just in case you didn’t hit some of the most important security considerations in your initial list, here is a list of the items you want to be sure are addressed in cloud provider contracts:

  • Segregation of data and virtualization.
  • Return and destruction of data. 
  • Breach notification, incident response and forensics.
  • Geographic restrictions on data storage.
  • Business continuity planning/disaster recovery.
  • Vendor vs. client responsibilities. 
  • Data center operations: patching, logging, change management.
  • Encryption and key management (who controls the keys and who has access to data).
  • e-Discovery and legal hold.
  • Certifications and due diligence by the cloud provider.

This is not an exhaustive list of contractual issues related to the cloud, but it covers many of the areas firms struggle with from a contracts and agreements perspective. Careful attention to the contracts portion of a cloud initiative will reduce the likelihood that some aspect of your cloud service is not implemented according to your documented specifications and requirements.

Special Considerations for Federal Contractors

If your company does business with the federal government and your product or service is delivered with the help of the cloud, you may be required to get a certification from the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP describes itself as “a government wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” In short, it’s the government’s means of ensuring that cloud providers are reasonably secure.

The certification process is two-fold. First, the business must document that its processes make it eligible for certification, then it must be audited by a FedRAMP-certified provider to ensure that the requirements have been met.

In the case of complex or large-scale migrations, organizations may want the assistance of a certified Third Party Assessment Organization (3PAO). A 3PAO will bring the expertise to help companies gauge the risk level associated with their data, verify a cloud service provider’s compliance and overall security fitness, and help coordinate contract negotiations in a way that makes all parties’ rights and responsibilities clear. A 3PAO can also help create a detailed migration plan that puts security first, and once that plan is implemented, a 3PAO can continually validate the cloud service provider’s security controls.

Conclusion

The cloud is a revolutionary technology paradigm shift that is changing the way business is done, and it is here to stay. As the cloud increasingly moves into the mainstream, expect to see regulations for tracking and formally disclosing cloud security incidents as well as more rigor around the responsibilities for cloud providers to protect data.

For those organizations desiring to move to the cloud now, there are ways to take advantage of the positive aspects of the cloud while minimizing the risk to your organization. When selecting a cloud provider, be sure to force a clear understanding of roles and responsibilities through the use of effective agreements. Partner with cloud providers with whom you can establish a trusting relationship, and insist on accountability, transparency and communication. Remember that cloud security is an ongoing initiative. It requires frequent review and updates to your vendor relationship on a regular basis, so look for those vendors who are willing to be your long-term partners.

Three Steps to Cloud Peace of Mind

Publication

Tennessee CPA Journal