Member of the ISACA London Chapter Security Advisory Group
Adopting Cloud computing can save money, but good governance is essential to manage the risk.
Cloud computing provides organizations with an alternative way of obtaining IT services and offers many benefits, including increased flexibility as well as cost reduction. However, many organizations are reluctant to adopt the Cloud because of concerns over information security and a loss of control over the way IT service is delivered. These fears have been exacerbated by recent events reported in the press, including outages by Amazon[1] and the 3-day loss of Blackberry services from RIM[2]. So what approach can an organization take to ensure that the benefits of the Cloud outweigh the risks?
To understand the risks involved it is important to understand that the Cloud is not a single model. The Cloud covers a wide spectrum of services and delivery models ranging from in-house virtual servers to software accessed by multiple organizations over the internet. A clear explanation of this range is described by NIST[3]. This document describes the 5 essential characteristics that define the Cloud, the 3 service models and the 4 deployment models. The risks of the Cloud depend upon both the service model and the delivery model adopted.
When moving to the Cloud it is important that the business requirements for the move are understood and that the Cloud service selected meets these needs. Taking a good governance approach, such as COBIT[4], is the key to safely embracing the Cloud and the benefits that it provides:
- Identify the business requirements for the Cloud based solution. This seems obvious but many organizations are using the Cloud without knowing it.
- Determine the Cloud service needs based on the business requirements. Some applications will be more business critical than others.
- Develop scenarios to understand the security threats and weaknesses. Use these to determine the response to these risks in terms of requirements for controls and questions to be answered. Considering these risks may lead to the conclusion that the risk of moving to the Cloud is too high.
- Understand what the accreditations and audit reports offered by the Cloud provider mean and actually cover.
The risks associated with Cloud computing depend on both the service model and the delivery model adopted. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through the Cloud environment. Particular issues that need attention when adopting the Cloud include ensuring compliance and avoiding lock-in.
To manage risk, an organization moving to the Cloud should make a risk assessment using one of the several methodologies available. An independent risk assessment of Cloud Computing[5] was undertaken by ENISA (the European Network and Information Security Agency). This identifies 35 risks, which are classified according to their probability and their impact. Once the risks important to your organization have been identified, these lead to the questions you need to ask the Cloud provider. I propose the following top ten questions:
1. How is legal and regulatory compliance assured?
2. Where will my data be geographically located?
3. How securely is my data handled?
4. How is service availability assured?
5. How is identity and access managed?
6. How is my data protected against privileged user abuse?
7. What levels of isolation are supported?
8. How are the systems protected against internet threats?
9. How are activities monitored and logged?
10. What certification does your service have?
The Cloud service provider may respond to these questions with reports from auditors and certifications. It is important to understand what these reports cover.
There are two common types of report that are offered: SOC 1 and SOC 2. SOC stands for “Service Organization Controls” and the reports are based on the auditing standard SSAE[6] no. 16 (Statement on Standards for Attestation Engagements, which became effective in June 2011):
- SOC 1 report: provides the auditor’s opinion on whether or not the description of the service is fair (it does exist) and whether or not the controls are appropriate. Appropriate controls could achieve their objectives if they were operating effectively.
- SOC 2 report: is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively. It includes how the auditor tested the effectiveness of the controls and the results of these tests.
Note that these reports are based on the statement of the service that the organization claims to provide - they are not an assessment against best practice.
A service organization may also provide an auditor’s report based on established criteria such as Trust Services (including WebTrust® and SysTrust®). The Trust Services Principles and Criteria[7] were established by the AICPA and cover security, availability, processing integrity, privacy, and confidentiality. A typical auditor’s report[8] on a Cloud service will simply refer to which of the five areas are covered by the report, and it is up to the customer to evaluate whether the Trust Services Principles and Criteria are appropriate for their needs. In addition, ISACA has recently published a set of IT Control Objectives for Cloud Computing[9].
Cloud Computing can reduce costs by providing alternative models for the procurement and delivery of IT services. However, organizations need to consider the risks involved in a move to the Cloud. The information security risks associated with Cloud computing depend upon both the service model and the delivery model adopted. The common security concerns of a Cloud computing approach are maintaining the confidentiality, integrity and availability of data. The best approach to managing risk in the Cloud is one of good IT governance covering both Cloud and internal IT services.
The Author
Mike Small is a Fellow of the BCS, a Senior Analyst at KuppingerCole and a member of the London Chapter of ISACA. Until 2009, Small worked for CA, where he developed CA’s identity and access management product strategy. He is a frequent speaker at IT security events around EMEA. Mike was a speaker on cloud security at ISACA’s Information Security and Risk Management (ISRM) Conference held in Barcelona, Spain, from 14-16 November (www.isaca.org/isrmeu). The ISACA ISRM Conference offers a fresh perspective on today’s challenges and future trends, including PCI Data Security Standard (DSS) compliance, cloud computing and data loss prevention. E-mail:
Mike Small has over 40 years’ experience in the IT industry. He is an honorary fellow analyst with Kuppinger Cole Ltd as well as a Science, Technology, Engineering and Mathematics Ambassador to schools.
Previously Mike worked for CA (now CA Technologies Inc) where he developed the strategy for identity and access management and was VP responsible for product development. This strategy led to the developments and acquisitions that contributed to CA’s IAM product line.
He is a frequent speaker at IT security events around EMEA and contributor to the security press.
Mike began his career with International Computers and Tabulators (which later became International Computers Limited), where he was the architect for a number of leading edge information technology development projects ranging from system software to artificial intelligence.
Mike is a Chartered Engineer, a Chartered Information Technology Professional, a Fellow of the British Computer Society, and a Member of the Institution of Engineering and Technology. He has a first class honours degree in engineering from Brunel University.
Recent Speaking Engagements
1. IAM in the Cloud, European Computer Audit and Security Conference, Manchester, England, March 2011
2. Finding the Right Approach to Cloud Governance, European Identity Conference, Munich, Germany, May 2011
3. Security and Trust – Mission Impossible?, Identity Next 2010, The Hague, The Netherlands, December 2010
4. Security in the Cloud – 10 questions to ask, ISACA Information Security and Risk Management Conference, Vienna, November 2010
5. Identity Issues of Virtualization, European Identity Conference, Munich, Germany, May 2010
6. Cloud Computing – Security Smog?, European Identity Conference, Munich, Germany, May 2010
7. Security in the Cloud, European Computer Audit and Security Conference, Budapest, Hungary, March 2010
8. Integrating Identity and Data Loss Prevention, ISACA Webinar, November 2009
9. Security Implications of the Virtualised Data Centre, Datacentre 2009, Belfast, Manchester and London, November 2009
10. Risk, Reward and Compliance in Challenging Times, Gartner IAM Security Summit, London, England, March 2009
11. Managing Roles and Entitlements, European Computer Audit and Control Symposium, Frankfurt, Germany, March 2008
12. Compliance for Multi National Companies, CA World 2008, Las Vegas, November 2008
13. Malice, Misuse or Mistake: Getting to the ‘root’ of the Problem, Gartner IT Security Summit, London, England, September 2008
14. Security, Privacy and Trust – Mission Impossible?, European Identity Conference, Munich, Germany, May 2008
15. Unify and Simplify Identity Management, ISACA Computer Audit and Control Symposium, Stockholm, Sweden, March 200.
[1] http://www.pcworld.com/businesscenter/article/237476/lightning_strike_in_dublin_downs_amazon_microsoft_clouds.html
[2] http://www.bbc.co.uk/news/technology-15287072
[3] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[5] http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
[7] http://www.webtrust.org/principles-and-criteria/item27818.pdf
[8] https://trust.salesforce.com/trust/assets/pdf/Misc_SysTrust.pdf