Information Security risks are constantly increasing in today’s society. In this setting, SMEs and large enterprises alike face a multitude of challenges. The reasons are manifold: a shortage of skilled workers, a shortage of semiconductors, a lack of planning, poor scope definition and a lack of management oversight.
All organizations face the same problems; their individual and isolated solutions do not add up to a successful Information Security Strategy, and they end up as “lone warriors”. It is therefore necessary to close ranks and draw on the concentrated power of the global Information Security community. This kind of cross-collaboration is enabled by the shift of well-known security concepts to the cloud, for example to managed services. The topic of cloud and managed services is not new to Information Security, however, and a strong standardization and consolidation of the market has already taken place.
And yet the security of information cannot be outsourced: its operation can be delegated to a provider, but the responsibility always remains with the organization.
Risks
Each cloud strategy starts with a feasibility study and a risk assessment [1]. For the initial assessment, and regularly during the continuous improvement of an Information Security Management System (ISMS), the following risks should be assessed [2]:
Accountability & Data Risk
When moving to the cloud, the information is no longer under the complete (logical and physical) control of the organization. This risk needs to be carefully considered and mitigated. The organization should ensure data recovery and backup through proper contractual arrangements, and verify with regular test restores that the agreed recovery actually works.
User Identity Federation
Organizations should always keep control over user identities when outsourcing services to different cloud providers, so as not to end up with multiple islands of identities. Each user in the organization should be identifiable across all cloud providers, for example by federating every provider to one central identity provider and by removing local password accounts that bypass it. This improves user experience and security at the same time.
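One practical check for the “islands of identities” described above, as an added example that is not code from the original page: it compares the user list of a central identity provider with the local account lists exported from two hypothetical providers (“crm-saas” and “iaas”, names and data constructed here) and reports every account that is not backed by an active, federated central identity. The export formats and field names are assumptions; map your own provider exports into this shape.

```python
"""Identity-island check across cloud providers (added illustration).

Compares the central directory (the identity provider all cloud services
should federate to) with per-provider account exports. All names and
records below are constructed samples, not data from any real tenant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    email: str
    active: bool          # False once the joiner/mover/leaver process disabled the user


@dataclass(frozen=True)
class ProviderAccount:
    provider: str         # hypothetical provider name
    login: str            # user name as the provider exports it
    federated: bool       # True if logins go through the central IdP (SAML/OIDC)


def normalize(login: str) -> str:
    """Providers differ in case and whitespace; compare on a canonical form."""
    return login.strip().lower()


def find_identity_islands(directory, accounts):
    """Return (provider, login, reason) for every account that forms an identity island."""
    known = {normalize(u.email): u for u in directory}
    findings = []
    for acct in accounts:
        user = known.get(normalize(acct.login))
        if user is None:
            findings.append((acct.provider, acct.login,
                             "no matching central identity (local or orphaned account)"))
        elif not user.active:
            findings.append((acct.provider, acct.login,
                             "central identity disabled but provider account still exists"))
        elif not acct.federated:
            findings.append((acct.provider, acct.login,
                             "local password account bypasses central authentication"))
    return findings


def providers_with_islands(findings):
    """Providers that need remediation, e.g. for the risk register."""
    return sorted({provider for provider, _, _ in findings})


# Constructed sample data (hypothetical users and providers).
SAMPLE_DIRECTORY = [
    DirectoryUser("alice@example.com", active=True),
    DirectoryUser("bob@example.com", active=False),   # left the company
]
SAMPLE_ACCOUNTS = [
    ProviderAccount("crm-saas", "Alice@Example.com", federated=True),   # fine: federated, active
    ProviderAccount("crm-saas", "bob@example.com", federated=True),     # leaver not deprovisioned
    ProviderAccount("iaas", "alice@example.com", federated=False),      # local password login
    ProviderAccount("iaas", "svc-backup", federated=False),             # unknown account
]

if __name__ == "__main__":
    for provider, login, reason in find_identity_islands(SAMPLE_DIRECTORY, SAMPLE_ACCOUNTS):
        print(f"{provider}: {login}: {reason}")
```

Run against the sample data, the check reports three accounts: the leaver who was never removed from the CRM, the local password account on the IaaS side, and a service account with no owner in the directory. Each of these is an identity the central joiner/mover/leaver process cannot see.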
Regulatory Compliance
Providing evidence of regulatory compliance becomes more complex when moving to the cloud, as information that is properly secured in one jurisdiction may not be considered secure in another.
BCM & Resiliency
Existing Business Continuity processes should be extended to the cloud to ensure that the business can continue to operate in a disaster situation. Parts of this process (and parts of the responsibility) are delegated to the cloud provider, which therefore requires proper contractual arrangements and Service Level Agreements (SLAs).
User Privacy & Secondary Usage of Data
Defining the use cases for cloud services is a central part of any cloud strategy. In many use cases, personal data is stored in the cloud. A cloud provider should never be vague about how it handles personal data, and organizations should define which data cloud providers may or may not use for secondary purposes.
Service & Data Integration
Organizations should ensure that their information is adequately protected while it is transferred to the cloud. The risk of data being intercepted in transit increases for organizations using a cloud service, especially when information is transferred over an insecure medium like the internet. Encryption in transit is the baseline control, and it only helps if the client actually validates the provider’s certificate; a connection that accepts any certificate protects against nobody who can sit on the path.
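The difference between nominal and real protection in transit, as an added example that is not code from the original page: a weak TLS client configuration beside a hardened one, using only the Python standard library, plus the audit function you would run against any context your integration code builds before it talks to a cloud API. The function names are this example’s own.

```python
"""Encryption in transit: weak vs. hardened TLS client contexts (added illustration).

Uses only the Python standard library; no network access is needed to
build and audit the contexts.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The configuration to avoid: any certificate is accepted, so an
    interceptor on the path can terminate the connection unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # hostname no longer tied to the certificate
    ctx.verify_mode = ssl.CERT_NONE     # certificate chain not validated at all
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verify the chain against trusted CAs, check the hostname, TLS 1.2 or newer only.

    cafile: optional path to the CA bundle; None loads the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse TLS 1.0/1.1 explicitly
    ctx.options |= ssl.OP_NO_COMPRESSION              # rules out CRIME-style compression attacks
    return ctx


def audit_tls_context(ctx: ssl.SSLContext):
    """Return a list of weaknesses; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no certificate verification (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

The hardened context is what you pass to the HTTP client, for example `urllib.request.urlopen(url, context=hardened_client_context())`; the audit function belongs in the integration’s test suite so that a later “temporary” `verify=False` shortcut fails the build instead of going unnoticed.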
Multi-Tenancy & Physical Security
When using non-private cloud services, resources (infrastructure, platforms, applications) are usually shared among multiple clients. Logical segregation and other controls become essential to ensure that one tenant cannot interfere with the security of another. The tenant cannot verify these controls directly; certifications and contractual audit rights (see below) are the available evidence.
Incident Analysis & Forensics
Existing Security Incident Management processes should be extended to the cloud. This can be a complex task, as the log files necessary for an investigation may be distributed across multiple providers, hosts, data centers or even jurisdictions, each with its own export format, time zone and retention period. Especially when log files contain information from different customers, or log files of different customers are co-located on the same hardware or storage devices, the possibilities for forensic investigation may be limited. This aspect should be addressed with proper contractual arrangements.
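The first step of any such investigation is getting the scattered logs onto one clock. The following is an added example, not code from the original page: it merges exports from two hypothetical providers (a JSON audit trail in UTC and a semicolon-separated sign-in export in local time with offset, both formats and all records constructed here and not any real provider’s schema) into a single UTC timeline keyed on the federated user name.

```python
"""Merge logs from several cloud providers into one UTC timeline (added illustration).

Both record formats and all sample lines are constructed; replace the two
parsers with ones for your providers' real export formats.
"""
import json
from datetime import datetime, timezone


def _to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp (trailing 'Z' or numeric offset) and convert it to UTC."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"        # fromisoformat accepts 'Z' only from Python 3.11
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without zone information: {ts!r}")
    return dt.astimezone(timezone.utc)


def parse_provider_a(provider: str, line: str) -> dict:
    """One JSON record per line, timestamps in UTC with a trailing 'Z' (constructed format)."""
    rec = json.loads(line)
    return {"ts": _to_utc(rec["eventTime"]), "provider": provider,
            "principal": rec["userIdentity"].lower(), "action": rec["eventName"],
            "source_ip": rec["sourceIPAddress"]}


def parse_provider_b(provider: str, line: str) -> dict:
    """Semicolon-separated: local time with offset; user; action; source IP (constructed format)."""
    ts, user, action, ip = line.split(";")
    return {"ts": _to_utc(ts), "provider": provider,
            "principal": user.lower(), "action": action, "source_ip": ip}


def build_timeline(sources):
    """sources: iterable of (provider_name, parser, lines). Returns events sorted by UTC time."""
    events = []
    for provider, parser, lines in sources:
        for line in lines:
            if line.strip():
                events.append(parser(provider, line.strip()))
    return sorted(events, key=lambda e: e["ts"])


def events_for_principal(timeline, principal):
    """All events of one federated identity, across every provider."""
    return [e for e in timeline if e["principal"] == principal.lower()]


def format_event(e):
    return (f"{e['ts'].isoformat()} {e['provider']:<10} {e['principal']:<20} "
            f"{e['action']:<12} {e['source_ip']}")


# Constructed sample exports (not real logs); addresses are from documentation ranges.
PROVIDER_A_LINES = [
    '{"eventTime": "2023-03-01T09:15:02Z", "userIdentity": "alice@example.com", '
    '"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7"}',
    '{"eventTime": "2023-03-01T09:17:45Z", "userIdentity": "alice@example.com", '
    '"eventName": "GetObject", "sourceIPAddress": "203.0.113.7"}',
]
PROVIDER_B_LINES = [
    "2023-03-01 10:16:30+01:00;Alice@example.com;SignIn;198.51.100.9",
    "2023-03-01 10:16:41+01:00;bob@example.com;Download;198.51.100.9",
]
SAMPLE_SOURCES = [
    ("provider-a", parse_provider_a, PROVIDER_A_LINES),
    ("provider-b", parse_provider_b, PROVIDER_B_LINES),
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_SOURCES):
        print(format_event(e))
```

Only after the offsets are normalized does the order become visible: the provider-b sign-in at 10:16:30 local time actually sits between the two provider-a events, and the same user appears from two different source addresses within a minute, which is the kind of observation an investigator can only make on a merged timeline.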
Infrastructure Security
What is true for on-premises infrastructure also applies to the cloud. Infrastructure should be hardened and configured securely according to industry best practices. Tiers and security zones should be applied at the application, system and network level. Access should be role-based and limited to the required users (applying the need-to-know principle), connections and protocols only. Existing Vulnerability and Patch Management processes should be extended to the cloud as well.
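The “required connections and protocols only” rule is the one most often violated in cloud network configurations, and it is cheap to check. The following is an added example, not code from the original page: an audit over a list of inbound rules in a generic format (zone, protocol, port range, source CIDR) that flags management ports exposed to the internet or to public ranges. The rule format, zone names and corporate ranges are assumptions; map your provider’s security group or firewall export into this shape first.

```python
"""Audit inbound network rules for exposed management ports (added illustration).

The rule format, zone names, corporate ranges and every sample rule are
constructed; the management-port list is a starting point, not a standard.
"""
import ipaddress

# Ports that should never be reachable from outside the corporate ranges.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 5985: "winrm", 5986: "winrm-https",
    1433: "mssql", 3306: "mysql", 5432: "postgresql", 6379: "redis", 27017: "mongodb",
}

# Assumed corporate/internal ranges (RFC 1918); adjust to your own address plan.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ports(rule):
    """Port range the rule opens; protocol -1 means every protocol and port."""
    if rule["proto"] == "-1":
        return range(0, 65536)
    return range(rule["from_port"], rule["to_port"] + 1)


def _is_internal(source):
    return any(n.version == source.version and source.subnet_of(n) for n in INTERNAL_RANGES)


def audit_rules(rules):
    """Return (rule name, severity, description) for each risky inbound rule."""
    findings = []
    for rule in rules:
        source = ipaddress.ip_network(rule["cidr"], strict=False)
        world_open = source.prefixlen == 0                 # 0.0.0.0/0 or ::/0
        ports = _ports(rule)
        exposed = sorted(p for p in MANAGEMENT_PORTS if p in ports)
        names = ", ".join(f"{p}/{MANAGEMENT_PORTS[p]}" for p in exposed)
        if world_open and rule["proto"] == "-1":
            findings.append((rule["name"], "high", "all protocols and ports open to the internet"))
        elif world_open and exposed:
            findings.append((rule["name"], "high", f"management ports open to the internet: {names}"))
        elif exposed and not _is_internal(source):
            findings.append((rule["name"], "medium",
                             f"management ports reachable from non-corporate range {source}: {names}"))
        elif rule["zone"] == "data" and not _is_internal(source):
            findings.append((rule["name"], "medium",
                             f"data zone accepts traffic from non-corporate range {source}"))
    return findings


# Constructed sample rules (hypothetical zones and addresses).
SAMPLE_RULES = [
    {"name": "web-in",      "zone": "dmz",  "proto": "tcp", "from_port": 443,  "to_port": 443,  "cidr": "0.0.0.0/0"},
    {"name": "admin-ssh",   "zone": "dmz",  "proto": "tcp", "from_port": 22,   "to_port": 22,   "cidr": "0.0.0.0/0"},
    {"name": "bastion-ssh", "zone": "mgmt", "proto": "tcp", "from_port": 22,   "to_port": 22,   "cidr": "10.10.0.0/24"},
    {"name": "rdp-office",  "zone": "app",  "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.0/24"},
    {"name": "db-any",      "zone": "data", "proto": "-1",  "from_port": 0,    "to_port": 0,    "cidr": "0.0.0.0/0"},
    {"name": "db-app",      "zone": "data", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.20.0.0/24"},
]

if __name__ == "__main__":
    for name, severity, text in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {text}")
```

The public HTTPS listener and the bastion reachable only from the management network pass; SSH open to the world, RDP reachable from a range outside the corporate address plan, and a database zone accepting every protocol from anywhere are reported. Running this on every change to the rule set is how the “extend existing processes to the cloud” advice turns into an actual Change Management control.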
Non-production Environment Exposure
If an organization develops applications, it usually tests its products during the Secure Software Development Life Cycle (SSDLC). When this process is extended to the cloud, test and development environments are often not secured to the same extent as the production environment, while they frequently hold copies of production data and credentials. If an organization deploys non-production environments to the cloud, the risks of unauthorized access, information modification and information theft therefore increase.
Where to start? Select a trusted provider for your cloud service
When the cloud strategy is settled and the services are defined, the risk assessment of cloud providers is a key due diligence aspect. Many of the risks mentioned above can be lowered by selecting the right provider. In order to make the right choice among the various cloud solution providers, it is worth taking a look at their certifications. Several certifications exist in the EU [3] that indicate the maturity of a provider’s Information Security Management, for example:
- CSA STAR Level 2 [4] (the CSA publishes a registry of assessed providers)
- C5 [5] (Cloud Computing Compliance Criteria Catalogue)
- TÜV Rheinland Certified Cloud Service [6]
- EuroCloud Star Audit Certification [7]
Once a provider is selected, it is important to review the contracts carefully and to establish clear responsibilities and SLAs around Information Security [8].
Use ITIL and SIAM to extend your Information Security Program to the Cloud
When moving to the cloud, all security concepts should be extended to also apply to these services. This is especially true for your information security controls, including maintaining, monitoring, testing and updating the respective controls. Processes like Incident, Problem and Change Management or Vulnerability and Patch Management should not be reinvented but extended. Mastering this transition is a challenge, but it becomes easier when the IT Infrastructure Library (ITIL) framework is already established in the organization. In addition, the Service Integration and Management (SIAM) framework can enable the alignment of these processes across multiple service providers.
Recommendation
Check whether your cloud strategy is bulletproof:
- Are your on-premises and cloud assets managed by the same processes within your ISMS?
- Are all interfaces, service descriptions and accountabilities for the cloud services properly defined?
- Are the risk assessments for the cloud strategy and the cloud providers regularly reviewed?
Need help with the cloud strategy of your organization? Contact us for more information.
Sources
- [1] Sichere Nutzung von Cloud-Diensten (Secure Use of Cloud Services)
- [2] OWASP Top 10 Cloud Risks
- [3] ENISA, Cloud certification schema listing (enisa_cloud_certification_schema_listing.pdf)
- [4] Cloud Security Alliance, https://cloudsecurityalliance.org/
- [5] BSI, C5 criteria catalogue (Cloud Computing Compliance Criteria Catalogue)
- [6] TÜV Rheinland, Cloud Security
- [7] EuroCloud Europe, StarAudit
- [8] Federal Trade Commission, Six steps toward more secure cloud computing