Public cloud computing introduces some new risks: resource sharing, mutual auditability, and loss of technical expertise to name a few. Cloud also offers more opportunity for existing risks with its longer trust chains including privileged user access, regulatory compliance, data location, data segregation, recovery, and electronic discovery. Your public cloud service provider is responsible for securing the infrastructure (IaaS), platform (PaaS), or software (SaaS), and you’re responsible for documenting your security requirements in service agreements and monitoring your cloud service providers’ performance accordingly.
Cloud is a service delivery model. By definition, you’ve got limited control over your services. Like all services, cloud is prone to the “principal-agent problem.” Simply put, this means your biggest risks occur when the interests of your cloud service provider aren’t aligned with yours. A related issue found on your side (service consumer) is loss of technical expertise. By using a cloud service, over time you can lose the ability to understand provider technology. This reduces your ability to predict and mitigate new risks. You can minimize both of these risks if you focus on the policies, procedures, and technical controls of cloud service providers around service confidentiality, integrity, and availability. This approach should form the basis of your cloud selection, management, and termination efforts.
You can minimize these risks by focusing on how your service provider manages confidentiality, integrity, and availability. Use this approach across the three major periods of a cloud service relationship: pre-contract, contracting and operating, and termination. The top security risks from these periods are:
- Poor policies and practices. Most cloud security failures result from the actions of persons who don’t follow stated policies around the confidentiality, integrity, and availability of your data. This comes either from a) the lack of a stated policy or b) the lack of practices designed to ensure conformance to policy. How well your cloud service provider defines, enforces, tests, and improves its policies and practices is your responsibility to determine, monitor, and act upon.
- Poor confidentiality and integrity controls. Confidentiality means only authorized access to data. Integrity means only authorized changes to data. You need to understand how your cloud service provider controls both, and then you must monitor these areas routinely.
- Poor availability controls. Availability is the ability to provide a service or perform agreed functions when required. Most service outages are unplanned. Unplanned outages include cyber attacks, hardware or networking failures, configuration issues, natural disasters, etc. How your provider handles unplanned outages is critical to your success. It’s your responsibility to understand how the provider manages and recovers from unplanned outages.
Focus your security efforts on the primary risks (poor policies and practices; poor confidentiality, integrity, and availability controls) and their related causes (the principal-agent problem and loss of technical expertise) for each of the three major periods of a cloud service relationship (pre-contract, contracting and operating, and terminating). NOTE: Don’t overlook the traditional consumer-side organizational security and privacy requirements. Identity management, security audits, encryption, physical security, and assessment and authorization are always required.
Phase 1: Pre-contract, before you move to a public cloud provider.
- Identify your confidentiality and integrity requirements. Understand the laws and regulations you operate under. Consider data location, electronic discovery, etc. These form the basis for selecting a cloud service provider as well as cloud service and delivery models. (Include requirements for terminating the agreement as well.)
- Evaluate the cloud service provider’s track record for meeting availability promises while maintaining confidentiality and integrity controls over your data. Topics include planned and unplanned outages, including backup and restoration. (Don’t forget to include return of physical and digital assets as well as erasure of copies at termination.)
- Analyze the interests of the proposed cloud service provider in the context of your own interests (i.e., the principal-agent problem). Also consider how you’ll maintain technical competence over time.
Phase 2: Contracting for, and then operating, a public cloud service.
- Engage your legal team to review the service agreement. Include them during all negotiations.
- Be sure all confidentiality, integrity, and availability requirements are in the service agreement or contract. Require that the provider specifically recognize and endorse them. (Be sure to include all actions required upon contract termination.)
- Continually assess the performance of the cloud provider and the quality of the services provisioned to ensure all contract obligations are being met. Manage and mitigate risk.
Phase 3: Terminating the contract with a public cloud provider.
- Bring any contractual requirements relating to the end of the contract to the attention of your service provider. (See Phase 1 above; these should be known in advance.)
- Revoke all access rights or privileges granted to the cloud service provider. Collect all access tokens, badges, etc.
- Confirm the cloud service provider returns all physical and/or digital property held under the terms of the service agreement. Ensure it’s correct and complete. Verify the cloud service provider then properly erases all data and information held.