The cloud is here to stay. The industry continues to strive for understanding of the myriad of security concerns and develop methodologies for evaluating the risks. Existing, mature, security frameworks continue to provide a strong basis for evaluating the risk but there are a small number of additional issues that should be evaluated when performing an assessment.
When making a decision about whether or not to use a specific cloud service for a specific purpose a risk assessment should be performed. Hopefully, when it comes time to make the evaluation the project has specified what types of data will be exposed to the cloud service. If a business already has mature data information classification and handling policies, it may be easy to determine if the cloud service meets the basic data handling requirements. For example, what encryption algorithms are supported, where does the data get encrypted during the data flow, and what are the transmission protocols.
However, when evaluating the security of a cloud service vendor many other factors must be considered. For example:
- What are the hiring and termination practices of the service provider?
- Are background checks performed?
- How quickly and thoroughly is employee access terminated when an employee departs the service provider?
It is also important to understand how the service provider manages physical security to its data centers. Many companies have used the ISO 27002 (Information technology – Security techniques – Code of practice for information security management) standard to evaluate the security of cloud service vendors before making a decision to use the service offering. This does provide an excellent basis for evaluating a cloud service provider. However there are some issues it does not address.
Many cloud storage / storage providers perform some data mining on customer data or metadata. This is one topic not covered by ISO 27002 but understanding what data may be collected, mined, and sold to third parties should be considered when evaluating the risk.
Another topic not addressed by ISO 27002 is that issues that may arise as the result of subpoenas and eDiscovery. In a traditional data center environment, the subpoenas will be served to the company that collected the data. That means the company will receive notice of the investigation and have a chance the challenge the order. However, when using a cloud service provider, the provider is more likely to receive the subpoena or administrative order. In many cases, the company that collected or created the data will not be performed, and the cloud service provider likely has little if any incentive to challenge the order. Some companies may actually consider this a positive aspect of using cloud services, while for others this may be a critical concern that prevents cloud adoption.
The Cloud Security Alliance (CSA) has also developed the Cloud Controls Matrix (CCM) as a means of evaluating the security of cloud service providers. It covers many of the same topics as ISO 27002, but it is written to specifically focus on cloud services. The CSA announced the most recent version (3.0.1) of CCM on July 16, 2014. The CSA also released version 3.0.1 of the Consensus Assessments Initiatives Questionnaire (CAIQ) on the same day. The CAIQ is a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. The questions are based off of security controls found in the CCM.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.