In my last article the “Cloud Computing for Healthcare”, I tried putting my insights on the benefits and challenges of cloud computing. As enterprises today increasingly migrate their data and applications on cloud, they are challenged by risks of security of their data hosted on public cloud. In order to protect the information, especially those of sensitive nature, they are required to focus on possibilities of security breaches that could be potentially encountered. Failure in doing so could incur damage in form of high costs or huge loss to business, which would defy the benefits associated with cloud computing.
The responsibility of having a clear understanding of the advantages and the risks associated with cloud computing lies with both the service provider and the end customer. The service provider ensures protecting the safety of client’s data and application. Simultaneously, end users take required measures to secure their applications and prevent data breaches with verification measures such as strong passwords.
The Cloud Security Alliance Conference, 2016, listed data breaches, compromised credentials and broken authentication, hacked interfaces and APIs, exploited system vulnerabilities, account hijacking, malicious insiders, the APT parasite, permanent data loss, inadequate diligence, cloud service abuses, DoS attacks anddangers of shared technology as the top 12 cloud computing threats referred to as “Treacherous 12”, that organizations generally face today.
A few best practices in the area of cloud computing security have been prescribed for customers as they transition their applications and data to the cloud. These measures help them evaluate and maintain the security of their use of cloud services and assist them in risk mitigation and support delivery at an appropriate level.
1. Ensure effective governance, risk and compliance processes exist.
The key element for an organization, while choosing to host their data on cloud, is security. The customer and the service provider must enter into a master service agreement as the Service Level Agreements (SLAs) in accordance with security and compliance policies. In absence of such an agreement, an organization must refrain from availing the service.
2. Operational and business processes
Every organization recognizes the importance of auditing the compliance of IT systems. It is the right of every customer to expect a report on the operation of their service provider made by external auditors. The service providers, at their end, must provide access to their customer on their audit logs and trails, including workflow and authorization, relevant to customer specific data or application
3. Manage people, roles and identities
In a cloud set up, there are employees at the end of the service provider who have access to the customer’s data and application. Similarly, there are employees with the customer who perform operations on the provider’s systems. An authorization right is granted on per resource, application or service basis at either end.
The cloud provider must provide an Identity and Access Management (IdAM) system for managing unique identities, allowing user access to provider’s management platform, irrespective of role or entitlement and monitoring and logging for auditing all access to customer data and applications.
4. Ensure proper protection of data and information
Data is of two kinds- data at rest, held on some form of storage system and data in motion, being transferred over some form of communication link. Data breaches always list at the core of IT security concerns for any organization, especially those using cloud services. The risks associated with data security could be data theft, unauthorized disclosure, modification or tampering of data and loss or unavailability of data.
Organizations must identify data assets and classify them in terms of criticality to the business. Structured and unstructured data must be given different treatment. A database encryption should be employed to protect all data at rest. Laws and regulation must be laid down to secure data privacy.
5. Enforce privacy policies
Data privacy and protection is now a global legal regulation with laws protecting and regulating acquisition, storage and use of personal data; legally termed as personally identifiable information (PII). In cloud solutions, companies are increasingly imposing restrictions on the use and accessibility of PII to unauthorized parties. They are defining policies that are formulated by Legal and Risk Management departments within their organizations, complying with related laws and regulations of the area of jurisdiction. A legal agreement between the data controller and the service provider is hence a practical decision.
6. Assess the security provisions for cloud applications
Any application has a typical life cycle of being conceptualized, designed, tested and implemented. Protection of such business application from external and internal threat therefore becomes critical. If an application is compromised at any juncture, it incurs financial liability and reputation damage for a company.
An application security policy consideration must be understood and well implemented at the customer’s end. Such measures come at a cost since the technology is engineered within every structure from ground up – including resources, interventions and audits but it’s a cost that all must bear.
7. Ensure cloud networks and connections are secure
Malicious network traffic, like anywhere on internet, is a very common problem encountered in cloud services as well. Some traffic may initially look legitimate but on further inspection indicate spam, viruses and other malicious attacks. The service provider must ensure blocking and notifying the customer of such an attack.
Sending and receiving legitimate traffic as per the customer’s plan, also assists the service provider in devising the external perimeter safety measures by blocking the flow of unwarranted traffic. Troubleshooting, incident handling and incident reporting etc assists in effective detection and blocking features that further secures the connection.
8. Evaluate security controls on physical infrastructure and facilities
Physical infrastructure and facilities go hand in hand with the well being of the IT structure and security. Security standards must comply with ISO 27002 and similar.
Physical security perimeter, containing physical infrastructure for the provision of cloud service, must have only authorized user access. Prevention from theft of valuable and sensitive assets should be made. Protection from external and environmental hazards such as fire, flood, civil unrest, earth quakes etc should be provided. Diligent restrictions can be applied to prevent personnel with authorized access to make any future malicious attempt. The provider must also ensure appropriate backup of data and contingency plan in case of equipment failure.
9. Understand the security requirements of the exit process
During termination of a service contract, “reversibility” has to be achieved from security point of view, i.e. none of the customer data should remain in the cloud of the service provider. The data should be permanently removed and complete backup must be handed over to the customer. Any associated event log, audit trails and reporting data must also be handed over until the exit process is completed.
Some jurisdiction, require company information to be stored on cloud for a specified period after the termination process is over. The parties must ensure cleansing of such information after the assigned period is over.
10. Manage security terms in the cloud service agreement
The security terms at both the end of the service provider and the customer must be laid down clearly and in agreement. An explicit document laying down terms like notification to both the parties during time of system and information breach, timely actions to prevent and rectification of such breach, application of best practices to ensure long term safety measures for future etc must be put in papers. Parties must also include indemnification clauses, damage and liability due to negligence etc.
Further information on security metrics can be gained by resources:
- ISO 27004:2009 [15]
- ISO 19086
- NIST Special Publication 800-55 Rev.1, Performance Measurement Guide for Information Security [16]
- CIS Consensus Security Metrics v1.1.0 [17]
Once the security measures are devised and successfully implemented, cloud computing leaves an organization with a myriad of advantages to improve its efficiency such as flexible cost, improved cash flow, improved mobility, improved collaborations and disaster recovery among many others. There is no fool proof solution but with time we can be hopeful for an effective cloud computing experience.