4. Security Management
With the adoption of cloud services, a large part of your network, system,
applications, and data will move to a third-party provider’s control.
The cloud services delivery model brings new challenges to the IT
operations and management staff in the area of availability, access
control, vulnerability, security patching, and configuration management.
As a first step, cloud customers will have to understand all the layers
they own, touch, or interface with—network, host, application, database,
storage, and web services, including identity services. To tackle these
challenges, you will need to understand the interfaces and the scope of
IT system management responsibilities, including your responsibilities
for access, change, configuration, patch, and vulnerability
management.
Although you may be transferring some of the operational
responsibilities to the provider, you may still own some of the
responsibilities whose scope will depend on a variety of factors,
including the type of cloud service. Major factors to consider are the
SLA, monitoring capability, and provider-specific security management
capabilities to support the extension of your internal operations
management processes and tools.
Today, customers largely rely on CSPs for the service
instrumentation to measure and manage the security, availability, and
performance of their services in the cloud. Most CSPs are sharing the
overall service metrics via a dashboard (e.g., Amazon’s service health
dashboard at http://status.aws.amazon.com/).
Although a CSP may be publishing the most up-to-the-minute information
on its overall system status across all customers, the onus is on you to
keep abreast of the service status. To manage the availability of your
application you will need to measure, monitor, and manage service levels
from your perspective (i.e., for your virtual environment).
Unfortunately, the lack of standards and weak capabilities from CSPs to
help customers place probes into their virtualized environment have
exacerbated cloud service management. Hence, as a tenant of a *aaS
service, you will have to understand what instrumentation and dashboards
are made available to you by the service provider to help manage service
levels to your users.
From a security management perspective, a key issue is the lack of
enterprise-grade access management features. Since access control
features will vary with the service delivery model and provider,
customers will have to understand what access control features are
available (strong authentication, user provisioning) and what their
responsibilities are in managing the life cycle of user access to the
cloud service. Some service providers are making an effort to keep their
customers informed of new threats and educating them on ways to protect
the information hosted in their cloud (e.g., Salesforce.com publishing
threat and security practice information via http://trust.salesforce.com/).
In a virtualized environment where infrastructure is shared across
multiple tenants, your data is commingled with that of other customers
at every phase of the life cycle—during transit, processing, and
storage. Even if you are able to install monitoring probes at
infrastructure layers available to you, the resource bottlenecks that
are visible to your instrumentation may not be able to give the
necessary information to perform root-cause analysis (e.g., latency of
packets between your system nodes in the cloud). Outages that impact the
entire population will be visible to all users. Another dimension in
cloud computing is the issue of monitoring and measuring disruptions
across your users—depending on the cloud service architecture, failures
of the infrastructure components may impact only a subset of the
population and it would be hard to detect the service disruption unless
the affected users report it (e.g., Google mail disruption events that
impact only a subset of users). Hence, it is important to understand the
location of the service, service-level guarantees such as internode
communication, and storage access (read and write) latency.
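The point above about disruptions that hit only a subset of users can be seen by measuring service levels per user segment from your own probe data. This is an added example, not from the original text; the segment names, SLA thresholds, and probe samples are constructed assumptions.

```python
from collections import defaultdict
from statistics import quantiles

# Assumed SLA targets for illustration only.
SLA_AVAILABILITY = 0.995
SLA_P95_LATENCY_MS = 400

def make_samples():
    """Constructed probe results: (segment, succeeded, latency_ms)."""
    samples = []
    for seg, total, failures, base_ms in [
        ("us-east", 5000, 2, 120),
        ("eu-west", 5000, 3, 150),
        ("ap-south", 200, 30, 900),  # small population, badly degraded
    ]:
        for i in range(total):
            samples.append((seg, i >= failures, base_ms + (i % 50)))
    return samples

def summarize(rows):
    """Availability and p95 latency (successful requests only)."""
    lat = [ms for _, ok, ms in rows if ok]
    p95 = quantiles(lat, n=20)[18] if len(lat) >= 2 else float("inf")
    return {"availability": len(lat) / len(rows), "p95_ms": p95}

def breaches(stats):
    """Names of the SLA targets this population misses."""
    out = []
    if stats["availability"] < SLA_AVAILABILITY:
        out.append("availability")
    if stats["p95_ms"] > SLA_P95_LATENCY_MS:
        out.append("latency")
    return out

def segment_report(samples):
    """Compare the all-customer view ("ALL") with each segment's view."""
    by_seg = defaultdict(list)
    for row in samples:
        by_seg[row[0]].append(row)
    report = {"ALL": summarize(samples)}
    report.update({seg: summarize(rows) for seg, rows in by_seg.items()})
    return {name: dict(s, breaches=breaches(s)) for name, s in report.items()}

if __name__ == "__main__":
    for name, s in segment_report(make_samples()).items():
        print(f"{name:9} avail={s['availability']:.4f} "
              f"p95={s['p95_ms']:.0f}ms breaches={s['breaches']}")
```

The aggregate row meets both targets while the small segment misses both, which is why a provider-wide dashboard alone does not show you this kind of disruption.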
The scope of security management of cloud services will vary with
the service delivery model, provider capabilities, and maturity.
Customers will have to make trade-offs with respect to the flexibility
and control offered by the SPI services. The more flexible the service
(i.e., the lower the service abstraction), the more control you can
exercise on the service, and with that come additional security
management responsibilities. Given that most cloud service offerings
lack transparency in the area of SLA, provider management capabilities,
and security responsibilities, the management functions will continue to
challenge enterprises that have established IT governance, tools, and
processes. Those frameworks, processes, and tools that address systemic
qualities including reliability, availability, and security may not be
extensible to the CSP. If you have adopted standard IT frameworks
including the Information Technology Infrastructure Library (ITIL) and
ISO 27002 in your organization, they should be reviewed and continuously
adjusted based on the cloud service capabilities, sensitivity of
information, and SLA that govern various management functions.
5. Privacy
Cloud computing poses significant challenges for global organizations
that are facing multiple global and sometimes conflicting privacy rules,
regulations, and guidance. Organizations need to adopt a systematic
approach to addressing privacy in the cloud. Given the complexity of
existing global legislation, it is advisable to seek in-country legal
advice and develop a framework against which to design internal controls
to manage processes.
Cloud computing is facing a challenge that has existed for many
years: how to deal with cross-border data flows. Since this involves a
number of foreign jurisdictions, complexities start to develop due to
conflicting rules among foreign governments (or even among various
states within the United States). The nature of cloud computing, which
is also one of its major benefits, only expands this challenge. It is worth
noting that an organization can define to the CSP in which country it
would like to have its data stored and processed. However, determining
which specific server or storage device will be used is difficult to
ascertain due to the dynamic nature of cloud computing.
We further explored the impact of cloud computing on Organization
for Economic Cooperation and Development (OECD) and other privacy
principles, and we concluded that:
- The CSP requires strong data governance (managing the entire
  life cycle of the data from creation to destruction) to enable
  client organizations to respond to requests for government
  disclosure of data.
- Care should be taken to delete storage devices, especially as
  it relates to virtual storage devices where storage is constantly
  being reused.
- Transferring data to third parties will require consent from
  the data owner.
- Multiple privacy laws and regulations, such as the European
  Union and U.S. Safe Harbor Program, require knowledge of where data
  is stored at all times. This will encourage CSPs to store data on
  servers located in specific jurisdictions that minimize legal risk
  (potentially outside Europe and the United States).
- Data protection and privacy policies should be applied to data
  and should follow through the data’s life cycle to ensure that
  original commitments are met and to create accountability and
  knowledge of what happens to data.
Organizations are expected to be responsible for knowing and
managing how data is being handled and stored at all times. This becomes
difficult in a cloud computing environment since IT resources are often
shared and used on demand. There are a few steps that a CSP can take to
improve data privacy and security. These include improving security
solutions such as IAM (restricting access), key management (encrypting
data), secure event and incident monitoring (monitoring for security
breaches), and data loss prevention solutions (monitoring for data
breaches). The organization’s privacy commitments (legal, regulatory,
and contractual) should be attached to the data elements across their
life cycle. There are many debates regarding who should be responsible
for privacy—perhaps the CSPs?
However, it is a commonly held belief that the accountability for
privacy protection falls on the organization that collected the
information in the first place. To fulfill this role, it is essential
for these organizations to understand the privacy and security policies
and security architecture of the service the CSP is delivering, to have
the right contractual arrangements in place, and to monitor the CSP’s
compliance. However, these reports tend
to be generic and may not explain the specific nature of the processes
and controls associated with the specific data in mind. There is a need
for a globally consistent privacy standard that the CSPs will adopt and
independent third parties will monitor for compliance.
It is worth noting that payroll processing has been around for a
long time and data is regularly sent to payroll bureaus for processing.
Such data is sensitive and contains a lot of personally identifiable
information (PII). Most organizations have relied on SAS 70 reports to
gain comfort regarding the processes and controls supporting the payroll
process. These payroll processors have multiple customers and process a
number of payrolls at the same time. The current SAS 70s, however, don’t
provide user organizations with comfort regarding the privacy of the
data.
The risks and issues around payroll processing are very similar to
concepts being introduced by cloud computing. However, since payroll
processing has been around for a longer time, organizations have gotten
used to relying on it for security. Granted, organizations can
recalculate the accuracy of the processing, but the payroll service
provider is still responsible for securing the data.