Cloud security: how to protect your data

To use Cloud computing securely requires companies to know where their data is stored and who has access to it. Ironically, the reason Cloud is so popular is because organisations don't want to worry about these details.

So can the issue be solved by adhering to standards? Increasing legislation? Maybe we need a global technical disaster to ‘sober up’ an industry drunk on the power ofMoore's Law.

“The Cloud” carries with it the stigma of being a marketing concept which some argue merely poses the same risks as standard data hosting.

It is also an emerging field of computing with a lot of momentum behind it, however it lacks a broadly accepted standard for secure data handling and is often pursued without adequate concern for security arrangements.

“Many organisations are blindly focusing on the latest buzz initiative: The Cloud, the virtualised data centre, the unfettered mobile worker. In their haste, they are forgetting about the security fundamentals thereby creating a vicious cycle,” says Jason Edelstein, chief technology officer of consultancy, Sense of Security.

One of the first questions organisations should be asking is where critical data actually is, advises Mark Goudie, Verizon Business' Asia Pacific investigative response managing principal.

“Knowing the location of your critical data and keeping that under control is priority number one in the Cloud computing world. If you don't know where your data is located, and that means all copies of the data, you cannot expect to be able to protect it.”

Seeing through the Cloud

Due diligence should answer where data is stored, how it's secured, what redundancy processes are in place, what is encrypted and, if so, who holds the keys.

But is this even possible today? In many cases, no,says Gartner's security, privacy and risk research director, Andrew Walls.

“We shouldn't assume that because it's out there, it's a higher risk. It may actually be better. But the devil is in the detail and we have to be looking at who that vendor is and how they're doing things.”

The problem is that transparency is pretty much absent,according to Walls. “It's improving a little bit, but the ability to assess how these vendors actually do implement security is verylow,” he warns. “In the Cloud, step one is trusting, and that's not security — that's hope.”

The view from the service provider side is, not surprisingly, different. Cisco's US-based chief security officer, John Stewart, says the real issue is the lack of consensus on how a service provider should explain what they're doing to protect customer data.

“I don't know whether it's so much a lack of transparency,especially in Cloud. We have a relatively new domain, and so I would not say that there is a commonly held belief yet on how to precisely measure or explain the operational practices.”

He points out that Cisco is ISO 27001 certified, viewed by some as the de facto security standard for Cloud operations. “It's being sought after by customers to ensure that they're feeling comfortable ... that you as a vendor, have taken the topic very seriously and have put controls in place,” says Stewart.

Battle for standards On the other hand, large providers such as Google and Rackspace have opted for the SAS70 Type II audit, a US process that was originally designed to ensure service providers adequately protect health and medical data.

The payment card industry data security standard (PCI DSS) is also emerging as a useful method for assessing vendors, according to Sense of Security’s Edelstein.

“While the PCI DSS is a standard for the payments industry, service providers that have validated compliance with this standard should have the ability to host non-payment related systems to an acceptable level of security for most commercial implementations,” says Edelstein.

One thing customers should demand in a contract is a “right to audit” clause. “This entitles the customer the right to audit the environment at any frequency, but recommended at least annually, at the client's expense with any determined remedial activities for the service provider's account,” Edelstein suggests.

Meanwhile, there are moves by industry and vendors to agree on a set of security standards for Cloud hosted environments. Dozens of vendors, including Cisco, Google and Microsoft have rallied around the Cloud Security Alliance.

“It's about transparency,” explains Stewart. “Here's what we do, how we do it, when we do it, and that we're measuring it and proving that we're doing it in the controlled way we're supposed to.”

But perhaps more than standards, what the industry needs is its Gulf of Mexico disaster — the one which forces business, governments and citizens to demand greater oversight and transparency than is currently possible.

“A cascading failure that turns into real money may sober the industry up to getting real about transparency around how they provide the Cloud service and how they secure it,” says Gartner's Walls.

“And when we get that transparency, well then you can really start to do risk management. You can quantify the risk to some extent.”

Leadership and governance Despite the emergence of Cloud, corporate networks will remain at risk for the foreseeable future. There are plenty of threats to choose from, including data breaches, insider attacks, and the more fundamental issue of governance.

While Australian regulators currently lack the instruments to publicly “out” companies that suffer data breaches, there are still headlines, warns Verizon Business' Goudie.

Vodafone Australia, cosmetics company Lush, and commercial and military components firm, Rojone, are just a few recent cases in point.

The first step to preventing this from happening is knowing where data resides within the organisation, but he says, often they do not. “Many CSOs and IT managers don't have control of where there data is located,” says Goudie, adding that data is more often than not found in surprising locations. “When we investigate data breaches, the scope always expands. The breach is nearly always worse than the victim thinks because it involves more systems.”

Technology hungry senior executives pose another classic problem for the security professional.

“I've spoken to IT security professionals who are tearing their hair out that senior organisational executives just want to use their iPad when they go on business trips overseas,” IBRS security adviser, James Turner says.

But he says IT security personnel only have themselves to blame “because they cannot articulate the risks in a clear, succinct, and relevant way”. “That's a tough call I'm making,but it is the job of the communicator to ensure that the message gets across to the recipient.”

If executives continue to take risks and fail to understand what those risks could translate to, is something else missing?

Are CSOs essential? After delivering a scathing report on NSW government agencies'information security practices, NSW Auditor-General, Peter Achterstraat has set a June 2011 deadline to establish more stringent governance and accountability arrangements.

Achterstraat wants security to be built into new systems from the outset, assurance that products meet international security standards and that agency heads certify the security of systems under their domain. Security should be part of performance reviews, said the auditor, and agencies should report their state of security and any data breaches to Parliament annually.

These measures may raise the bar, but will it be enough to ensure visibility at the highest levels? Should agencies also appoint a single chief information security officer (CISO) to be responsible for each organisation's state of security?

Verizon Business' Goudie believes so. Every organisation,whether it's in the public or private sector, needs a CISO, he says. “Someone needs to be responsible for showing the risks. Good CISOs are invaluable in focusing an organisation on the real threats they face rather than glossing over information security or worrying about a threat so remote it would make a good movie script.”

In the US, the pressure to do this has come in the form of the controversial Cybersecurity and Internet Freedom Act. If passed, every agency would be required to appoint a CISO.

It's hoped the role would move agencies beyond paper compliance with its Federal Information Security Management Act (FISMA) for the public sector. The CISO would be granted sweeping powers, including the ability to influence IT budgets and conduct real time monitoring of its IT systems, according to the Center for Strategic and International Studies.

There are mixed views on whether this would be essential for Australian agencies, or indeed what a CISOs responsibilities should be.

In the case of the NSW government, it could help create accountability, Sense of Security's Edelstein says. “We do need better accountability within government departments, and if having a CISO appointed within each agency would achieve this, it would be a good move.”

IBRS security industry analyst, James Turner, says mandating a CISO role could litter agencies with security “sock puppets”. “If every government organisation in Australia had to create a role called "CISO” and fill it, the difference in capabilities across the board would be staggering," he says.

“Some of the appointees would be genuine you-can-putthem-in-front-of-a-minister material. Whereas others would be just sock puppets and completely out of their depth.”

And then there's the scope of responsibilities. For example,says Gartner's Walls, there is the potential to create a CISO role that deals solely with information, but not technology.

“If it's information security and not IT security, that's a whole other game. You're talking about document, phone and user behaviour security. There's a whole gammut of things that fit into information security, that are not covered by the classic IT security teams.”

Follow CSO Australia on Twitter: @CSO_Australia

Tags governancePCI DSSverizonIBRSCSOssecure cloudsecuring the cloud

More about Andrew Corporation (Australia)CiscoGartnerGoogleIBRSISOMicrosoftSASTechnologyVerizonVerizonVerizon BusinessVodafoneVodafone