How to Manage Public Cloud Security
What's a sound approach to minimizing security risk when using public cloud services?
Successful public cloud adopters know you can't delegate responsibility for security to your service provider. It's your job to worry about security during your entire cloud service relationship. This brief presents a three-step approach to minimizing security risks when using public cloud service offerings.
Public cloud computing introduces some new risks: resource sharing, mutual auditability, and loss of technical expertise. With its longer trust chains, cloud also offers more opportunity for existing risks, including privileged user access, regulatory compliance, data location, data segregation, recovery, and electronic discovery. Your public cloud service provider is responsible for securing the infrastructure (IaaS), platform (PaaS), or software (SaaS.) You're responsible for documenting your security requirements in service agreements and monitoring your cloud service provider’s performance.
Cloud is a service delivery model, so by definition you have limited control over your services. All services are prone to the "principal-agent problem." Simply put, your biggest risks occur when the interests of your cloud service provider aren't aligned with yours. A related issue found on your side (service consumer) is loss of technical expertise. By using a cloud service, you can lose the ability to understand provider technology over time, reducing your ability to predict and mitigate new risks.
You can minimize both of these risks if you focus on the policies, procedures, and technical controls of cloud service providers related to service confidentiality, integrity, and availability. This approach should form the basis of your cloud service provider selection, management, and termination efforts.
What You Need to Know:
Minimize risks by focusing on how your service provider manages confidentiality, integrity, and availability across the three major periods of a cloud service relationship: pre-contract, contracting and operating, and termination. Top security risks that arise across these periods are from:
- Poor policies and practices. Most cloud security failures result from the actions of persons not following stated policies around confidentiality, integrity, and availability of your data. This comes from either lack of a stated policy or lack of practices designed to ensure conformance to policy. How well your cloud service provider defines, enforces, tests, and improves its policies and practices is your responsibility to determine, monitor, and act upon.
- Poor confidentiality and integrity controls. Confidentiality means only authorized access to data. Integrity means only authorized changes to data. You must understand how your cloud service provider controls both, and you must routinely monitor these areas.
- Poor availability controls. Availability is the ability to provide service or perform agreed functions when required. Most service outages are unplanned and can include cyber attacks, hardware or network failures, configuration issues, and natural disasters. How your provider handles unplanned outages is critical to your success and is your responsibility to understand.
What You Need to Do:
Focus security efforts on the primary risks (poor policies and practices and poor confidentiality, integrity, and availability controls) and related causes (principal-agency problem and loss of technical expertise) for each of the three major periods of a cloud service relationship (pre-contract, contracting and operating, and termination.) Do not overlook the traditional consumer-side organizational security and privacy requirements. Identity management, security audits, encryption, physical security, and assessment and authorization are always required.
Phase 1: Pre-contract
- Identify your confidentiality and integrity requirements. Understand the laws and regulations you operate under, and be sure to consider data location, electronic discovery, etc. These form the basis for selecting a cloud service provider as well as cloud service and delivery models. Include requirements for terminating the agreement as well.
- Evaluate the cloud service provider’s track record for meeting availability promises while maintaining confidentiality and integrity controls over your data. Topics include planned and unplanned outages as well as backup and restoration. Remember to include return of physical and digital assets as well as erasing copies at termination.
- Analyze interests of the proposed cloud service provider in the context of your own interests,
e.g., the principal-agent problem. Also consider how you'll maintain technical competence over time.
Phase 2: Contracting for and operating a public cloud service
- Engage your legal team to review the service agreement, and include them during all negotiations.
- Be sure all confidentiality, integrity, and availability requirements are in the service agreement or contract, and require that the provider specifically recognize and endorse them. Be sure to include all actions required upon contract termination.
- Continually assess the performance of the cloud provider and the quality of the services provisioned to ensure all contract obligations are being met. Manage and mitigate risk.
Phase 3: Terminating the contract with a public cloud provider
- Bring any contractual requirements relating to the end of the contract to the attention of your service provider. Remember, you should establish these requirements in Phase 1.
- Revoke all access rights or privileges granted to the cloud service provider. Collect all access tokens, badges, etc.
- Confirm the cloud service provider returns all physical and/or digital property held under the terms of the service agreement. Ensure the property is correct and complete. Verify that the cloud service provider properly erases all data and information held.