Turbulence in the Clouds

Cloud services are gaining in popularity thanks to business benefits including cost savings, improved time to market and the ability to speed up innovation. However, few standards exist (the Cloud Security Alliance, a worldwide nonprofit organization that promotes best practices in security assurance in cloud computing, is making strides toward establishing industry-wide standards—but they’re not there yet), and that presents a considerable problem for information security professionals looking to implement and maintain cloud services.

Transparency is a Must

Businesses must take precautions when entering into cloud-based service agreements. They need visibility into cloud providers’ processes and systems to maintain necessary IT governance, says Jim Reavis, executive director of the Cloud Security Alliance. “You cannot outsource governance, risk and compliance,” he says. “It is also important to understand that to a large degree, focus must be on the data: where it is located, what regulations are applicable and how it is being protected. A coherent architecture is also important to achieve portability and interoperability between different cloud providers.”

The key, says Irfan Saif, a principal with Deloitte Consulting LLP, is to gain an understanding of what the provider is doing behind the scenes. “Find out how they are managing their offering, what controls are in place, and how they can provide assurance given there is not a prevailing standard,” he says. When you work with a provider, you typically have a point person managing your organization’s data, “who has access to things that in a traditional world you would have managed internally. In these instances, there needs to be not only the contractual pass-through, but also a way to somehow validate that the provider is following outlined practices and managing the appropriate risks on your behalf. This becomes increasingly important when managing compliance risk.”

Visibility should also include access at a granular level, including the actions of privileged users, says Slavik Markovich, chief technology officer of Sentrigo, a Calif.-based database security software provider. “As a case in point, the recent Google disclosure that an engineer had viewed the private chat and Gmail of a user shows that this not only is possible, but likely occurs regularly,” he says. “The more frightening point is that the privileged user is often able to cover their tracks, deleting or modifying log files to eliminate records of their access. Only with more sophisticated tools that ensure separation of duties can this be prevented.”

Planning for Risks

One way to head off pitfalls is to look at risk across the enterprise, with cloud being one channel. Saif says this enables a company to maximize cloud benefits while gaining broad visibility. It’s important to determine whether to utilize public, private or hybrid cloud environments (see Cloud Definitions below). The approach must fit the organization’s requirements and in-house capabilities while meeting its needs for improved time to market, lower total cost of ownership and a timely return on investment.

Understanding the risks of each option is the key to success. With public clouds, servers are often shared between applications, introducing potential threats not present with dedicated hardware. “Administrators and developers with privileged access to one application may be more easily able to misuse access, affecting a broader range of systems,” says Markovich. “Since you can’t conduct background checks yourself on third-party personnel, you’ll want assurances that the cloud provider meets certain criteria, such as SAS 70,” an in-depth auditing standard.

In theory, private clouds seem to be the safer option because they offer the ability to retain control over physical assets. But many companies lack the resources to manage private clouds cost effectively, and there are some compatibility risks to consider. “The reality is that most organizations will be using services in multiple clouds, and will be managing hybrid cloud environments,” says Reavis.

Establishing Ground Rules

Before entering into a partnership with a cloud provider, get a clear understanding of service-level agreements and functionality. “The procurement and contract negotiation phase may be your best bet to getting the security guarantees you need,” says Reavis.

Confirm whether the provider is maintaining its systems at the latest patch levels, adds Markovich. “It is often difficult to bring down production servers to implement recent patches to the operating systems, databases and other infrastructure software, yet these are very easy targets for hackers,” he says. “Knowing that an application uses a certain piece of software, and that the vendor just issued a patch for a specific vulnerability, the hacker now knows exactly how to break in—at least until the patch is applied.”

Another piece of advice: Understand how the provider handles physical copies of data. For example, if a drive goes bad in their storage farm and it is replaced, what happens to the old drive? How does the vendor ensure it is rendered unreadable? “The big players certainly have policies for this, but when you trust sensitive information with a smaller provider, a single lost drive could cause significant damages,” says Markovich.

Many companies already have sensitive data outside their enterprise, via Software-as-a-Service (SaaS) applications such as salesforce.com or NetSuite. Typically, SaaS vendors have policies in place to prevent even their own privileged insiders from viewing your company’s data, as well as controls to protect multi-tenancy environments. But you should investigate and ask questions.

“For example, can the administrator managing the backend database for your SaaS application make a copy of all the credit card numbers you’ve entered with orders?” Markovich asks. “Also, can the system administrator for that server you’re sharing with an unknown number of other companies in your cloud infrastructure simply make a backup copy of the drive with the Social Security numbers of every employee in your company? Before putting this data on these systems, you should understand how the provider will protect these cases, as your own compliance team will likely want to know.”

Internal Affairs

Don’t overlook the need to tackle cloud compliance issues internally, too. Training and awareness are crucial elements. “Employees cannot just do things in a cloud environment without thought. A lot of security-related challenges are often inadvertent, which is why awareness in the cloud environment is so important,” says Saif. To that end, heighten awareness among employees enterprise-wide about what information can be sent to cloud providers in light of organizational policy and regulatory requirements.

Meanwhile, IT needs to granularly monitor applications to ensure policies are enforced. “If it is possible to encrypt information before transmitting, by all means [IT] should do so,” Reavis says. “In the long run, interesting developments such as format-preserving encryption have great promise to automate protection and prevent information outside of the enterprise from being compromised.”

Without training and awareness, business units and departments will continue to obtain services without IT’s involvement. “The enterprise compliance requirements need to be crystal-clear so more parts of the enterprise talk to IT directly rather than procuring cloud services on their own,” Saif says. “Often, employees will go out and procure services on their own because it helps them achieve faster time to market and they feel like they do not need IT’s permission. Yet this fractured approach creates real challenges and often results in a loss of cost benefit.”

While there are potential pitfalls, cloud services represent a beneficial way for IT leaders to help their companies gain new efficiencies. The key to success rests in understanding the compliance issues and talking openly with cloud service providers.

Questions to Ask Cloud Providers

It’s crucial to have a comfortable working relationship with a cloud service provider for ongoing success. Kathy Owen, senior vice president and global CIO at Chattanooga, Tenn.-based Unum, a large insurance company, recommends asking some critical questions before entering into a contract or agreement:

  • Who has access to the data?
  • How many employees have root, database and infrastructure access?
  • What policies are in place to prevent the cloud provider’s employees from getting access to your company’s data?
  • Is the data encrypted at rest and in motion?
  • Is the environment a multi-tenant one and if so, what controls data segmentation?
  • Will data be stored on servers in other countries? If so, how does this impact compliance?
  • What controls are in place to prevent data loss (e.g., a vendor insider downloading customer data to a USB drive)?
  • What information is captured in audit/security event logs and is it available to the customer?

“When you are charged with protecting organizational data, there needs to be several security measures in place including: strong authentication controls such as two-factor authentication and IP address restrictions to prevent a user from transmitting data from a non-company network; data encryption for data at rest, data transmission and backups; data segmentation, either physically or logically; and access control logs to show who accessed the data and when,” says Owen. “Always make sure you are comfortable with what the vendor provides.”
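Two of the controls discussed above, the IP address restriction Owen lists and the access log that Markovich warns a privileged user may edit or delete to cover their tracks, can be made concrete. The following Python is an added example written for this article; it is not code from any of the vendors or companies quoted. It assumes constructed address ranges for the "company network", a constructed HMAC key, and a small in-memory log. The separation-of-duties point is that the key used to chain the records is held by the security or compliance team, not by the administrator who can write to the log files, so anyone holding the key can detect a removed or altered record.

```python
"""Tamper-evident access log with a company-network check (added example, not from the article)."""
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed allowlist standing in for the company's networks (an assumption for this example).
COMPANY_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range, stands in for an office egress
]

GENESIS = "0" * 64  # chain anchor used as the "previous tag" of the first record


def from_company_network(source_ip: str) -> bool:
    """IP address restriction: True only when the source lies in an allowed range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in COMPANY_NETWORKS)


def _canonical(body: Dict[str, str]) -> bytes:
    """Stable serialisation so identical records always hash identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, body: Dict[str, str]) -> str:
    """HMAC over the previous record's tag and this record's content; needs the key to recompute."""
    return hmac.new(key, prev_tag.encode() + _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log: each record carries the tag of its predecessor and its own tag."""

    def __init__(self, key: bytes):
        self._key = key  # held by the security team, not by the server or database administrator
        self.records: List[Dict[str, str]] = []

    def append(self, actor: str, action: str, resource: str, source_ip: str, ts: str) -> Dict[str, str]:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = {
            "ts": ts,
            "actor": actor,
            "action": action,
            "resource": resource,
            "source_ip": source_ip,
            "from_company_network": str(from_company_network(source_ip)),
        }
        record = dict(body, prev=prev, tag=_tag(self._key, prev, body))
        self.records.append(record)
        return record


def verify_chain(records: List[Dict[str, str]], key: bytes) -> Optional[int]:
    """Return the index of the first record that breaks the chain, or None if the log is intact."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("prev", "tag")}
        if rec["prev"] != expected_prev:
            return i  # a record was removed or reordered
        if not hmac.compare_digest(rec["tag"], _tag(key, rec["prev"], body)):
            return i  # content (or the prev field) was edited without the key
        expected_prev = rec["tag"]
    return None


def demo() -> Dict[str, Optional[int]]:
    """Build a small constructed log, then show that deletion and edits are both detected."""
    key = b"constructed-key-held-by-security-team"
    log = AuditLog(key)
    log.append("dba01", "SELECT", "orders.card_number", "10.20.30.40", "2010-07-01T09:00:00Z")
    log.append("dba01", "EXPORT", "orders.card_number", "10.20.30.40", "2010-07-01T09:01:00Z")
    log.append("svc-backup", "BACKUP", "hr.employees", "198.51.100.7", "2010-07-01T09:02:00Z")

    deleted = list(log.records)
    del deleted[1]  # an administrator removes the EXPORT record
    edited = [dict(r) for r in log.records]
    edited[1]["action"] = "SELECT"  # or rewrites it to look harmless

    return {
        "intact": verify_chain(log.records, key),
        "after_delete": verify_chain(deleted, key),
        "after_edit": verify_chain(edited, key),
    }


if __name__ == "__main__":
    print(demo())
```

The `from_company_network` flag is recorded in each entry rather than used to block the request, so the log shows a backup taken from a non-company address without the example having to model the provider's access policy. A production deployment would ship records to a store the administrator cannot write to and verify the chain there.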

Cloud Definitions*

* as defined by the National Institute of Standards and Technology IT Lab

Private cloud: infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Public cloud: infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud: infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
