
EVault Ebook

Trusted Data Assurance in the Cloud


By Felix A. Santos, CISA, CISM


Trusted Data Assurance in the Cloud. Copyright 2011 i365, Inc. All Rights Reserved. This book is protected under the copyright laws of the United States of America, and other applicable international, federal, state, and local laws. No part of this document may be reproduced or transmitted in any form, by any means, without the prior written permission of i365 and the author. Nothing in this book is intended to replace legal or other professional services.

TABLE OF CONTENTS

Chapter 01: The Path to Trusted Data Assurance in the Cloud
Chapter 02: Cloud Control: Mounting a Strong Defense with Information Security and Compliance
Chapter 03: Evaluating Trusted Cloud Providers

ABOUT THE AUTHOR

Felix A. Santos, CISA, CISM is responsible for information security and compliance for i365 and EVault worldwide data centers. In this role, Felix oversees all facets of IT governance, including information security programs, policy enforcement, and data center security audits and compliance. Felix has direct reporting responsibility to the president and general manager of i365, and security reporting responsibility to the chief information security officer (CISO) at Seagate Technology. In his early career, Felix was a senior scientist for the U.S. Department of Energy at the National Laboratories and served as a technical advisor in Advanced Computing to the Office of Arms Control and Non-Proliferation. Since leaving federal service, Felix has served as chief security officer (CSO) and CISO in the high-tech and financial industries in the Bay Area.

CHAPTER ONE

The Path to Trusted Data Assurance in the Cloud


Trusted data assurance can be achieved by adherence to best practices, but it's going to take some work for both cloud consumers and cloud providers.

Cloud computing has been around since at least the 1990s. A number of early adopters developed a basic framework of distributed computing services that evolved into the cloud concept by the late 1990s. These early services had to build in controls and features, driven by client demand, to demonstrate the same level of assurance as traditional on-premise software applications. An example of a successful cloud SaaS (Software as a Service) provider is salesforce.com. Today, consumers use these cloud services for everything from contact management to post-sales customer engagement. Why? Salesforce.com offered the first cloud-based blue ocean strategy: pay-as-you-go, low-cost services and, most importantly, the trust it earned from consumers for cloud-based services. But many potential cloud consumers (people or organizations that maintain a business relationship with, or use services from, cloud providers) struggle with the decision to adopt cloud-based services. As cloud services continue to mature, client requirements are raising the bar for cloud providers to deliver a higher level of trusted data assurance.

Today, key drivers continue pushing consumers toward cloud computing, most notably legal and regulatory drivers. In the 2011 Global Information Security Survey1, Mark Lobel, principal security professional for PricewaterhouseCoopers (PwC), says the risk environment has increased and elevated the role of information security. Cost-reduction efforts make achieving security a little more difficult. Clients are pushing harder for security, telling us that their company's product or service is put at a competitive disadvantage if security is not built in. It's all about the data. Increase the focus on protecting the data.

Data protection methods have trusted standard frameworks available today. Unfortunately, key features of those data protection frameworks are obscured in a cloud environment. The basic concept of providing a high level of assurance within an open framework is defined by testing best practices against controls at the data service layer. This is the definition of Trusted Data Assurance (TDA). This high level of trusted data assurance can be achieved by adherence to best practices, but it's going to take some work for both cloud consumers and cloud providers.

To Cloud or Not to Cloud

Who's clouding now? Forrester Research2, a technology and research firm, breaks down the top IT priorities for this year. About half of all mid-size companies are either pursuing cloud-based services as part of their business practices or are in near-term implementation. Why? The realized benefits are clear: reduced infrastructure costs, pay-as-you-go services, flexibility, agility, and significantly reduced IT management and oversight.

A survey conducted by the Ponemon Institute3, an independent research firm on data privacy, shows an interesting diversity of cloud deployment models in use today. Sixty-five percent of cloud providers deploy a variety of services for consumer use in public clouds, primarily for handling static content, including email, collaboration, and community-based services. Eighteen percent of consumers have applications and private data they want to keep protected in private clouds, and they take the necessary steps to ensure reliance on trusted service providers. Another deployment model gaining momentum in the market is the hybrid model. Eighteen percent of consumers use a hybrid approach for maintaining business continuity, combining on-premise and cloud-based capabilities in a single solution.

But the outlook continues to be partly cloudy when it comes to data ownership, data privacy, data location, and cloud IT governance oversight. Potential business clients often ask me: Do I own my data in the cloud? Who is responsible for protecting my data? How can providers safeguard my data from ending up across the globe? And who is actually providing oversight? This is an area where data privacy and location become a top issue.

Security issues facing the cloud

Data Privacy: Your Bill of Rights

The bottom line is that consumers have information privacy rights regarding their data. It's the consumer's bill of rights, so to speak, and it is well documented in federal privacy regulations and the U.S.-EU Safe Harbor Framework. Understanding data privacy rights will help regulated consumers define requirements for safeguarding personal health information, personally identifiable information, nonpublic information, and credit-card payment information. Federal data protection laws, such as the Gramm-Leach-Bliley Act (GLBA), a privacy act for the financial community, and a dozen or so other federal laws require industries to protect the information covered by data privacy laws. State regulations go even deeper. For example, in California, under SB 1386, service providers must notify customers as well as the state if private data is compromised. Furthermore, CA AB 1950 mandates that businesses implement reasonable security procedures and practices to protect consumer information. Between the U.S. and European Union (EU) authorities, the Safe Harbor Framework, operated and managed through the U.S. Department of Commerce, lets U.S. companies self-assess and attest to the minimum protection they give the privacy data they safeguard. And if anything goes wrong, companies essentially have to prove they are in compliance with the established guidelines.


Overall, data stewardship is complex, touching most areas of federal, state, and international laws and regulations. I suggest you become familiar with these laws and regulations. To do business with the EU, you will need to complete the Safe Harbor self-assessment. I will discuss the importance of data location and regulations later on. The big question to be answered: how do cloud providers give consumers trusted data assurance?

Trusted Data Assurance Goals

The only reasonable method for garnering assurances of trust is a completed, current audit report on your provider's environment. You can always trust, but you also need to verify. Cloud consumers and cloud providers have an intimate partnership. Cloud consumers own their data and expect their provider to act as a steward, maintaining the same level of protection they expect from themselves. To achieve trusted data assurance, third-party auditors conduct controlled audits of cloud-provider data centers and issue a report on whether the provider has the proper controls in place and is following best practices to protect consumer information.

There are a few different approaches for conducting cloud provider audits. The most common audit has been the Statement on Auditing Standards No. 70 (SAS 70), developed by the American Institute of Certified Public Accountants (AICPA). Alternatives include the BITS Agreed Upon Procedures (from BITS, the financial services consortium behind the Shared Assessments program), ISO 27001 certification, and Federal Information Security Management Act (FISMA) compliance certification. Traditionally, SAS 70 was used for auditing financial and reporting controls at service organizations. Until June 2011, SAS 70 was also the de facto standard for auditing cloud providers.

New Audit Standards Emerge for Service Organizations

In 2010, AICPA issued a new attestation standard for service organizations, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaces SAS 70. SSAE 16 itself covers the same ground as SAS 70: controls at a service organization that are relevant to its customers' financial reporting. The broader, systems-based coverage comes from the AICPA Trust Services Principles on which the new Service Organization Control (SOC) 2 and SOC 3 reports are built: security, availability, processing integrity, confidentiality, and privacy. For cloud providers, these five principles are what an auditor tests to ensure the protection of consumer data.

SSAE 16 audits now require attestation: a written assertion by the cloud provider stating that its controls are suitably designed (Type I) and are operating effectively over the review period (Type II), with supporting information about risk factors.

SOC 1 reports, issued under SSAE 16, replace SAS 70 reports for report periods ending on or after June 15, 2011; they remain restricted-use reports on controls relevant to financial reporting. SOC 2 reports are restricted-use reports describing the tests performed, the results, and the auditor's opinion on the provider's controls against the Trust Services Principles. SOC 3 reports are general-use reports containing minimal detail; a provider that meets one or more of the trust principles is permitted to display the SOC 3 SysTrust seal on its website. Use this information about SSAE 16 and the SOC reports to establish a dialog with current or potential providers. It's an excellent way to learn about their migration plans over the next several months. For more information about SSAE 16, download the free report, Service Organization Controls: Managing Risks by Obtaining a Service Auditor's Report, at aicpa.org.


My advice for cloud providers still using SAS 70 audits: the fastest and easiest transition for the remainder of 2011 is to move to SOC 1, since it is essentially the SAS 70 report issued under the new standard, with the same Type I and Type II forms. Otherwise, regulated consumers will be forced to look elsewhere for services, because they will fall out of compliance when their auditors pay a visit. My best advice for cloud providers: if you can, make the transition now directly to SOC 2, to give consumers the most comprehensive audit coverage of cloud data protection controls. It will also help you grow your services business. For web-based cloud services, the SOC 3 report with the SysTrust seal can be published on the website.

The Rise of Cloud Standards

In support of maturing cloud compliance and IT governance programs, federal standards under the National Institute of Standards and Technology (NIST), and the Cloud Security Alliance (CSA) within the private sector, are bearing the burden of establishing new IT controls and best practices for cloud computing. NIST provides federal government and legal entities with a new roadmap for cloud computing standards, cloud nomenclature definitions, and basic descriptions of cloud services and how they work. A new cloud computing reference architecture is now available, with contributions from federal and private industry, to ensure that all facets of cloud computing are addressed. NIST has also released best-practice recommendations for cloud service providers, with specific guidelines on how security and privacy are expected to be maintained in public cloud computing. Its nomenclature definitions alone will help ensure you're on the same page with your cloud providers. For more information, visit nist.gov.

For organizations in the private sector, CSA focuses on detailing the critical areas of cloud computing, from service development to management of cloud-based services. CSA is an open alliance with members including corporations such as eBay; security vendors such as RSA (the security division of EMC) and CA; financial institutions such as American Express and Citibank; industry associations such as ISACA and the Distributed Management Task Force (DMTF); and cloud providers such as salesforce.com and Google. All members collaborate and contribute to a common knowledge base, ensuring new cloud controls are well understood and documented.

Cloud Services Standards Organizations

The National Institute of Standards and Technology (www.nist.gov) is an agency of the U.S. Department of Commerce that makes measurements and sets standards for industry and for government programs such as the Federal Information Security Management Act (FISMA).

The Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within cloud computing. For more information, visit www.cloudsecurityalliance.org.

What's impressive about the folks from CSA and their affiliated community members is their shared definition of new, standard IT controls for cloud providers. In traditional on-premise environments, information security controls require organizations to define and classify their information assets. In a cloud environment, however, the currently defined IT controls do not necessarily provide the level of coverage required by a cloud provider's role as steward for data protection. The new definitions require providers to look at consumer data (the objects containing data) and assign a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, and third-party obligations for retention and for prevention of unauthorized disclosure or misuse. There are about a hundred of these new cloud control objectives defined in version 1.2 of the Cloud Controls Matrix (CCM). I encourage you to read CCM version 1.2 to become familiar with the new cloud controls and to help guide conversations with current or potential cloud service providers. Download the spreadsheets from cloudsecurityalliance.org.

1. 2011 Global Information Security Survey; Mark Lobel, PricewaterhouseCoopers; CSO Security Standard Conference, Brooklyn, New York, September 29, 2010.
2. Business Continuity and Disaster Recovery Are Top IT Priorities for 2010 and 2011; Forrester Research, Inc., September 2, 2011.
3. Security of Cloud Computing Providers Study; Ponemon Institute, April 2011.


CHAPTER TWO

Cloud Control: Mounting a Strong Defense with Information Security and Compliance



Information security (INFOSEC) protects data wherever it lives, whether as text messages, instant messages, email, contracts, hard copies, transaction data, or verbal communications, from unauthorized access, misuse, disclosure, disruption, modification, or destruction. The philosophy behind INFOSEC is to take a holistic approach that encompasses people, processes, and technology to protect data. This approach embodies the basic trust principles of security, confidentiality, integrity, availability, and privacy. I am always surprised by the number of people who view INFOSEC as a single focus on one or more components of technology. For example, some organizations treat perimeter security, such as firewalls or intrusion detection systems, as the whole security solution, and have no incident response process to address critical breaches. And some business owners think they're secure because they trust their IT administrator; after all, that's who set up the firewall. But here's the reality: information security for achieving compliance is complex, especially in the cloud.


Figure: Sphere of Protection. Concentric layers, from the perimeter inward: Internet, Networks, Systems, People, with Information as the protected core. Technology-side controls by layer: firewalls, proxy servers, network IDS, patches and upgrades, host IDS, encryption, backups, redundancy, monitoring systems, and security planning (IR, DR, BC). People-side controls: education and training, policy and law. Access controls span all layers.

An organization's security posture is characterized by the maturity, effectiveness, and completeness of its risk-adjusted IT controls. The INFOSEC defense concept can be represented in the Sphere of Protection4 (above). Protection in depth is a layered process from the perimeter into the protected information core. It is implemented by people with defined processes and uses technology to put those processes into effect. IT controls are implemented in multiple layers, from Internet and network security to applications, systems, and physical security. Access controls are intimately connected to both people and technology, and both must be properly secured and managed. Ultimately, you want to get to the point where you can say: I am properly protecting the environment because I am now measuring the confidentiality of systems and data, maintaining their integrity, and keeping them available as well as protected from attack. For security awareness and education programs, people will continually need education and training to understand the applicable policies, laws, and regulations that guide their behavior in protecting data.


For cloud providers, a strict code of ethics, regulatory controls, and internal operational guidelines mandate the behavior of data center professionals. You won't find any external communications with the public from inside a controlled data center environment, and social networking is absolutely prohibited. The highest level of protocols and procedures should be in place and must be followed to protect both consumers and providers. INFOSEC plans provide detailed guidance on how to handle incident response, disaster recovery (DR), and business continuity (BC), and they must be maintained and tested regularly to accommodate environmental and technological changes. On the left side of the sphere, many technology layers address protection of the information located in the nucleus. Each layer may have a different series of components, including access controls across all layers, implementation of best practices, change management, and periodic testing of IT controls.

INFOSEC Standards for Regulatory Compliance

Regulatory compliance can be complex. To reduce the maintenance cost of achieving regulatory compliance while significantly improving overall efficiency, organizations eliminate redundant and overlapping regulatory controls by implementing standard frameworks that map across multiple regulations. To demonstrate this methodology, I'll use three examples of key regulations.

Sarbanes-Oxley (SOX) applies to all public entities. Sarbanes-Oxley mandates assurance by demonstrating the appropriate level of controls to protect financial information, and reporting to the Securities and Exchange Commission. However, Sarbanes-Oxley doesn't provide the "how" of achieving such assurance. Because the COBIT framework (Control Objectives for Information and related Technology) is widely used to implement the IT controls SOX demands, you can see in the example below a one-to-one mapping across most domains for both SOX and COBIT. Privacy protection is addressed in COBIT version 5.

For health care providers, the Health Insurance Portability and Accountability Act (HIPAA) regulates the protection of protected health information (PHI). The ISO 27001 standard maps across all of HIPAA's domains to ensure privacy protection is accounted for and controlled. And last, the Gramm-Leach-Bliley Act (GLBA) protects nonpublic personal information held by financial services firms. Both the ISO 27000 series and COBIT, for the most part, support GLBA mandates. COBIT version 5 is currently in early adoption. My best-practice recommendation for cloud consumers is to look at cloud providers that offer trusted data assurance and understand all facets of your regulatory requirements, and to implement ISO 27000, COBIT, or the new cloud IT control standards to help you make an informed decision. You may even want to consult your auditor for recommendations.

Preparing for the Cloud: Your Roles and Responsibilities

To help prepare you for data protection in the cloud, there are specific elements that cloud consumers own, and they are included in the Cloud Controls Matrix from CSA. Here's the bottom line: you can't just hand everything over to a cloud provider. There are some simple, free best practices you need to follow. The following are the key activities and the information you need to make the right decisions for your organization.

Write an INFOSEC Policy

A written INFOSEC policy is a simple document that is necessary for engaging with a cloud provider. It should include the information being protected, how the security environment will be monitored, who will be held accountable for the security environment, who is authorized to engage in INFOSEC activities, and the basic policies and procedures that should be well understood across the company. This is where security awareness programs become paramount: they help the organization understand its INFOSEC policy, and they let executives respond in a coordinated way when bad things occur. Information security policies serve as the communication platform with cloud providers and, most important, they help you quickly determine whether a cloud provider can meet your defined objectives.


There are plenty of websites that offer information security policy templates for download. ISO 27001 is a good standard for defining an information security program. In addition, for specific details, download actual security policies from the SANS Institute at sans.org; then you can simply fill in the blanks. You will find that following my best-practice recommendations will put you in the best position for safeguarding your company.

Classify Information Assets

Once you've written your information security policy, the next crucial step is defining your assets. Determine all locations of critical data and the protection level for safeguarding each data set. By taking the time to define where sensitive and critical information is located, and who and which applications need access to each data set, you're well on your way to the cloud. Data location is of primary importance for business consumers concerned about outsourcing data to a cloud provider. As mentioned before, cloud consumers are ultimately responsible for their data. Trust your cloud provider to be a steward of your data, but only if the provider fully understands your data location requirements and can prevent your data from going somewhere it shouldn't. Garner that trusted data assurance through a current audit report. And define the requirements and regulations associated with each data set, as well as its specific data location requirements.

One example I often share with clients concerns customers whose data includes encryption technology or controlled intellectual property. Encryption technology and controlled technical data fall under federal export controls. You run into a boundary of places to which you can actually export this type of data. And if your data is sitting in the cloud, you have to verify it is not going to end up in a sanctioned country. This is one of the reasons why data classification is crucial for data protection in the cloud. Trust but verify; it's that simple.

Data location requirements can sometimes conflict with regulatory controls. One regulation that can conflict with data location boundaries is Basel II. In the EU there is a disaster recovery requirement for financial organizations: to replicate their data, organizations must place the copy in a different geographical risk zone. But there are also privacy controls mandating that the data can't leave the country. In these cases, cloud providers need to be able to tell you how they are going to deal with such international issues to ensure your data is protected. If you don't have policies in place to address data regulatory controls, you can't hold your cloud provider accountable if something goes wrong. Policy and prosecution go hand in hand in both domestic and internationally controlled environments.


Asset management is by far the most important subcomponent of an INFOSEC policy. Data classification means rating your data on attributes such as public, private, confidential, or top-secret; sensitivity, integrity, and availability; location; and regulatory requirements. Assess your data center, office, laptops, servers, and so on, and classify data sets based on your requirements. One of the most comprehensive schemes is Federal Information Processing Standards (FIPS) 199. Other, simplified schemes use some components of this federal standard. Keep it simple by using the standards appropriate to your regulated industry. Last, define how soon your data needs to come back in cases of loss or disaster, and set objectives based on availability. The objectives commonly used for data sets that require operations to remain resilient are Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Determine which sets are not affected by outages and prioritize them accordingly. Cloud providers will need to ensure they can meet both the defined and the written criteria.

Define Backup, Recovery, Disaster Recovery, and Business Continuity Policies

Whether or not you're considering outsourcing some of your data sets to the cloud, you need to define backup, recovery, disaster recovery, and business continuity policies. It's a crucial element of the risk-assessment process. Write down backup and recovery policies and procedures with an inventory of the data that resides on critical systems, including executive laptops! Determine how long you can wait before your data is recovered. Use several disaster scenarios in your policy. For example, before hurricane season arrives, everyone needs to be conscious of the next potential flood, its location, and whether or not your data storage is actually going to be protected during this event.

If these scenarios ever present themselves, you actually have a documented plan in place, and you have a cloud provider to help you test scenarios to demonstrate that you are actually implementing best practices. Painful as it may seem, DR plans require testing, even if it is only a small portion of your environment. If you don't test it, you have no idea whether the backup tapes you sent to a vault somewhere in Kentucky are actually going to be recoverable. It's crucial that you document your data protection plan. Use it as the basis for the service-level agreement (SLA) with your cloud provider. And if things go wrong, your service provider can be held accountable. If you have different types of outsourcing initiatives, and your backups are on tape, look at having an electronic replication with another service provider for safeguarding the backup to your backup. You should always keep alternatives. If one provider doesn't work, go to a second provider. Cloud-based disaster recovery services are key services contracted today, especially by businesses that have already been affected by natural disasters. Consider developing a cloud DR and BC plan to maintain your continuity of operations in cases of data loss or natural disaster. It's absolutely worth its weight in gold, without the costs of rebuilding this crucial component of your business.

Perform a Risk Assessment

The final step to help you prepare for cloud adoption is to conduct an internal risk assessment. Determine the business practices you need to continue to operate. Look for items that could potentially threaten your organization's data. If your budget allows, you may need to consult a third party to assist you with writing guidelines on how to define your risk assessment, and to actually perform the assessment. If you perform the assessment internally to save costs, make sure you do it regularly so you're prepared for any new threats that may pop up. Determining risk is a business practice that sits at the highest level of the company. Without executive support, you're most likely placing the company at risk. It's worthwhile to make sure executives know the service providers you're using and how they are protecting company information, and that these service providers will be held accountable if something goes wrong. Make sure assessments are well documented. My guidance applies to the budget-minded consumer as well. I understand the needs of small and mid-size organizations that can't afford to outsource a risk assessment. There are many free consortiums on the Internet that provide guidelines for performing your own risk assessment. When you present your assessment to a cloud provider, make sure you also present your information security and data protection plans outlined above.
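The classification and recovery-objective steps above (a FIPS 199 rating per data set, a written RTO and RPO for each, and a check that the provider can meet the written criteria before the SLA is signed) can be turned into a repeatable check. The Go program below is an added example, not code from this ebook or from EVault; the only part taken from the standard is the FIPS 199 high-water-mark rule. The inventory and the provider SLA it uses are constructed sample values, and "example-provider" is a hypothetical name.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Impact is a FIPS 199 potential-impact level for one security objective.
type Impact int

const (
	Low Impact = iota + 1
	Moderate
	High
)

func (i Impact) String() string {
	if i < Low || i > High {
		return "UNKNOWN"
	}
	names := [...]string{"", "LOW", "MODERATE", "HIGH"}
	return names[i]
}

// DataSet is one inventoried asset: FIPS 199 ratings plus the written RTO and RPO.
type DataSet struct {
	Name                                     string
	Confidentiality, Integrity, Availability Impact
	RTO, RPO                                 time.Duration
}

// ProviderSLA is the recovery commitment a cloud provider puts in writing.
type ProviderSLA struct {
	Provider string
	RTO, RPO time.Duration
}

// Category applies the FIPS 199 high-water mark: the security category is
// the highest impact level across confidentiality, integrity and availability.
func Category(d DataSet) Impact {
	c := d.Confidentiality
	if d.Integrity > c {
		c = d.Integrity
	}
	if d.Availability > c {
		c = d.Availability
	}
	return c
}

// Prioritize orders the inventory for recovery planning: highest category
// first, then the tightest RTO, then by name so the result is stable.
func Prioritize(sets []DataSet) []DataSet {
	out := append([]DataSet(nil), sets...)
	sort.Slice(out, func(i, j int) bool {
		ci, cj := Category(out[i]), Category(out[j])
		if ci != cj {
			return ci > cj
		}
		if out[i].RTO != out[j].RTO {
			return out[i].RTO < out[j].RTO
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// UnmetObjectives lists, in priority order, the data sets whose written RTO or
// RPO is tighter than the SLA; an empty result means every criterion is met.
func UnmetObjectives(sets []DataSet, sla ProviderSLA) []string {
	var unmet []string
	for _, d := range Prioritize(sets) {
		if sla.RTO > d.RTO || sla.RPO > d.RPO {
			unmet = append(unmet, d.Name)
		}
	}
	return unmet
}

// SampleInventory is a constructed inventory, not real customer data.
func SampleInventory() []DataSet {
	return []DataSet{
		{"customer-db", High, High, High, 4 * time.Hour, 15 * time.Minute},
		{"hr-records", High, Moderate, Low, 72 * time.Hour, 24 * time.Hour},
		{"marketing-site", Low, Moderate, Moderate, 24 * time.Hour, 24 * time.Hour},
		{"exec-laptops", High, Moderate, Moderate, 48 * time.Hour, 24 * time.Hour},
		{"public-datasheets", Low, Low, Low, 168 * time.Hour, 168 * time.Hour},
	}
}

func main() {
	inv := SampleInventory()
	for _, d := range Prioritize(inv) {
		fmt.Printf("%-18s %-8v RTO=%-6v RPO=%v\n", d.Name, Category(d), d.RTO, d.RPO)
	}
	// A constructed (hypothetical) provider commitment to compare against.
	sla := ProviderSLA{Provider: "example-provider", RTO: 8 * time.Hour, RPO: time.Hour}
	fmt.Println("not met by", sla.Provider+":", UnmetObjectives(inv, sla))
}
```

Note that hr-records lands in the HIGH category on confidentiality alone, even though its availability rating is LOW; that is the high-water mark doing its job, and it is why the classification step must look at all three objectives rather than availability only. The SLA check then reports only customer-db, whose four-hour RTO and fifteen-minute RPO the constructed eight-hour/one-hour commitment cannot meet.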
Next up: when things don't go as planned.

Incident e-Discovery and Investigation

One of the less-palatable activities in cloud data protection is when bad things happen, such as litigation, or when law enforcement officers show up on your doorstep asking questions. One of the key control methods used to protect clients from data exposure or leakage is data encryption and key management, especially when data leaves the company. Consumers should be in complete control of all encryption keys. Losing access to encryption keys can actually expose consumers to potential, unknown threats. In the event of litigation, a lack of encryption key management does not hold up well in a court of law. When a significant breach occurs within the consumer's domain, e-discovery typically begins when the judicial system warrants the discovery process and law enforcement agencies are engaged. In these cases, e-discovery should begin at the site of the cloud consumer. Agencies may wish to fast-track the e-discovery process by requesting that your cloud provider essentially dump all data that you own. But they should actually start with you, not the provider. Providers don't hold your encryption keys; you do. It's as simple as that.

To exemplify what consumer data looks like in a multitenant cloud environment, I will use EVault as an example. Cloud consumer data is deduplicated and encrypted at its original source, and remains encrypted throughout its lifetime in one or more vaults. If someone looks at the data, it is just a series of data blocks of ones and zeros, to be decrypted only by consumer access to the encryption keys. Essentially, EVault can provide law enforcement with the data blocks and vault information, but only in its file form as a copy. We do not have access to actually assist with further e-discovery activities. I'm often asked by our cloud consumer customers what would happen if they suddenly had an issue with law enforcement during an incident of breach, or when law enforcement agencies are just looking for a copy of their backups. The answer is that we are required by federal law to protect all consumer information in our data centers. It is crucial that physical access is limited.

Agencies should exhaust all avenues of investigation at the consumer site, or else possibly suffer federal consequences for imposing e-discovery on cloud providers without an arguable due cause. Because mistakes in the past have caused agencies to shut down cloud providers during their maturation phase, legal agencies should be cognizant of cloud consumer data protection laws, and help enforce consumer data protection assurances in the cloud.
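The e-discovery discussion above rests on one property: the vault holds ciphertext only, and the consumer alone holds the key, so a copy of the vault is "just ones and zeros" to anyone else. The Go program below is an added example, not EVault's code and not a description of its internals; it shows the general shape of source-side deduplication with consumer-held keys, using AES-GCM for the blocks and a keyed (HMAC) block id, which is a constructed scheme for this demo. The two sample "files" and the 16-byte block size are constructed as well. Backing up a revised file sends only the changed block, the stored blocks contain no recoverable plaintext, and a restore with the wrong key fails authentication instead of producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blockSize is deliberately tiny so a few lines of constructed input show
// deduplication; a real backup agent chunks far larger blocks.
const blockSize = 16

// Vault is the provider side: opaque block id -> ciphertext, never a key.
type Vault map[string][]byte

// Consumer holds the master key, which never leaves the consumer. Two sub-keys
// are derived (a constructed scheme for this demo): one for AES-GCM and one for
// a keyed block id, so a stored id cannot be used to confirm known content.
type Consumer struct {
	aead  cipher.AEAD
	idKey []byte
}

func NewConsumer(master []byte) (*Consumer, error) {
	dataKey := sha256.Sum256(append([]byte("data:"), master...))
	idKey := sha256.Sum256(append([]byte("id:"), master...))
	block, _ := aes.NewCipher(dataKey[:]) // 32-byte key: NewCipher cannot fail
	aead, err := cipher.NewGCM(block)
	return &Consumer{aead: aead, idKey: idKey[:]}, err
}

// Backup deduplicates at the source and encrypts only blocks the vault lacks;
// it returns the ordered block ids (the manifest) and how many blocks were sent.
func (c *Consumer) Backup(v Vault, plain []byte) ([]string, int, error) {
	var manifest []string
	sent := 0
	for len(plain) > 0 {
		n := blockSize
		if n > len(plain) {
			n = len(plain)
		}
		chunk := plain[:n]
		plain = plain[n:]
		mac := hmac.New(sha256.New, c.idKey)
		mac.Write(chunk)
		id := hex.EncodeToString(mac.Sum(nil))
		manifest = append(manifest, id)
		if _, stored := v[id]; stored {
			continue // dedup hit: nothing new leaves the consumer
		}
		nonce := make([]byte, c.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, 0, err
		}
		v[id] = append(nonce, c.aead.Seal(nil, nonce, chunk, nil)...)
		sent++
	}
	return manifest, sent, nil
}

// Restore fetches and decrypts the blocks; a wrong key or a tampered block
// fails GCM authentication instead of yielding garbage.
func (c *Consumer) Restore(v Vault, manifest []string) ([]byte, error) {
	var out []byte
	ns := c.aead.NonceSize()
	for _, id := range manifest {
		ct, ok := v[id]
		if !ok || len(ct) < ns {
			return nil, fmt.Errorf("block %.8s missing or truncated in vault", id)
		}
		chunk, err := c.aead.Open(nil, ct[:ns], ct[ns:], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, chunk...)
	}
	return out, nil
}

func main() {
	master := make([]byte, 32) // the consumer's key; it is never given to the vault
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	c, _ := NewConsumer(master)
	v := Vault{}
	// Constructed sample files; the second is a one-word revision of the first.
	f1 := append(bytes.Repeat([]byte("quarterly-sales-"), 4), "report v1 final!"...)
	f2 := append(bytes.Repeat([]byte("quarterly-sales-"), 4), "report v2 final!"...)
	m1, sent1, _ := c.Backup(v, f1)
	m2, sent2, _ := c.Backup(v, f2)
	got, err := c.Restore(v, m2)
	fmt.Printf("backup 1: %d chunks, %d sent; backup 2: %d chunks, %d sent; vault: %d blocks\n", len(m1), sent1, len(m2), sent2, len(v))
	fmt.Println("restore matches:", err == nil && bytes.Equal(got, f2))
}
```

The first backup sends two blocks for five chunks (four are identical), the second sends one, and the vault ends up holding three ciphertext blocks. What a provider could hand over as a copy is exactly that map: hexadecimal ids and AEAD ciphertext, with the manifest and the key staying on the consumer side. The keyed id matters for the multitenant point in the text: with a plain hash of the chunk as the id, anyone holding a copy of the vault could test whether a known document is stored there.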

4. Business Risk of Software in the Cloud, Deloitte Development LLC, Andrew Murren, March 2, 2011


CHAPTER THREE

Evaluating Trusted Cloud Providers



To put together your cloud-provider short list, you first need to question each candidate's IT controls. The BITS Standard Information Gathering (SIG) questionnaire is a standard set of shared audit procedures. Its questions have been mapped tightly to the ISO domains, resulting in a standard request for information for cloud providers. Use either the BITS full or lite questionnaire to evaluate cloud providers. You can find the BITS questionnaires by visiting sharedassessments.org. Once you have your SIG questionnaire, you're ready to match vendor service delivery models with your business and security objectives.

Who's Who in the Cloud

Not all cloud providers should be treated equally. The simplified Cloud Computing Stratosphere (see the figure below) illustrates three service delivery models and key vendors. Communications and Social Applications reside above the three service delivery models, or layers, since they are quite pervasive on top of, and through, some of these layers. A great example is Twitter.


Software as a Service (SaaS)

SaaS is the capability for cloud consumers to use applications and resources from a cloud provider, and cloud application resources are typically accessible from a web browser. SaaS is crowded with providers bringing in online services, from the initial email services (from Google, Microsoft, and Yahoo) to expanded services such as office and collaborative applications, marketing, and data protection services including backup, disaster recovery, and replication services.

Platform as a Service (PaaS)

PaaS is aimed at cloud developers that want to use the provider's cloud operating environment, development tools, and programming languages (Windows, .NET, Linux, and J2EE) to create SaaS-based applications for use by cloud consumers.

Infrastructure as a Service (IaaS)

IaaS is the capability for cloud providers to provision fundamental computing resources such as storage, networks, and processing power to cloud consumers. The consumers can often be other cloud providers. For example, EVault services use Microsoft Azure cloud services for provisioning storage and endpoint protection services to consumers. And the company partners with other cloud providers, managed service providers, and resellers that want to host data-protection and other value-added services for their consumers, powered by the EVault infrastructure and partner SaaS-based service offerings. These types of partner services are typically termed downstream or aggregator services.

Down the Stack: Cloud Provider Security Responsibilities

As mentioned in Chapter One, new trends in consumer requirements are pushing providers to implement better IT controls over their data centers to gain parity with traditional on-premise solutions. This stems from the abstraction of infrastructure and the lack of visibility and capability to integrate many familiar security controls, especially at the network and virtualization layers.

Figure: The Cloud Computing Stratosphere, Horn Group, www.horngroup.com

It is important to understand that the security responsibilities of cloud providers and cloud consumers differ among service delivery models. For example, Amazon's EC2 infrastructure is responsible for security up to the hypervisor level, including physical, environmental, and virtualization security. Cloud consumers are responsible for systems, applications, and data security. For cloud providers offering services that span the entire stack (IaaS, PaaS, SaaS), security becomes the responsibility of the provider, including physical, environmental, infrastructure, application, and data security. For example, my company is responsible for all levels of security, since our infrastructure and cloud services cut across all three service-delivery layers.

Trusted Data Assurance from EVault

Directly distributed EVault data centers are located throughout the United States and Canada, with a presence in the European Union. Since 1997, EVault security programs have been founded on ISO standards and best practices that have been updated and maintained. EVault meets the ISO 27001:2005 Information Security Program Standard and self-attests to PCI DSS v.2 compliance. Since my firm is a wholly owned subsidiary of the publicly held company Seagate Technology (NASDAQ: STX), we fulfill Seagate internal audit activities and controls for data privacy, PCI compliance, and general controls practices. We've maintained yearly audits for SAS 70 Type II, and we're currently in our SSAE 16 audit for SOC 2, expecting our SSAE 16 attestation to be completed by December 2011. We continue raising the bar on trusted data assurance.

Summary

Cloud-based services are here to stay. The costly maintenance of meeting regulatory requirements is driving consumers to ultimately shift to the cloud, especially organizations lacking the budget, or organizations that can no longer enjoy the information security and compliance budgets of the past. But it certainly can be a scary place for potential consumers that haven't yet made that leap. If you do your homework, and you select the right, trusted cloud provider, you will enjoy low-cost services with trusted data assurances to help you focus on your core business and maintain profitability. Hopefully, I've dispelled some of the myths about data privacy and protection. You own your data and you have federal privacy laws that protect your rights. Your service provider is there to steward and safeguard your data, and ensure your privacy rights are protected, with the right people, process, and technology. As the cloud services industry matures, new cloud definitions and initiatives are there for public-sector and federal consumers to ensure cloud providers follow shared best practices. And new and long-overdue SSAE audit standards now provide systems-based and trusted data controls for auditing service organizations, giving consumers that verification of trusted data assurance. After all, a little TDA does go a long way!


When it comes to information security and compliance, always account for change. Maintaining a state of compliance is not a static process. It is a continuous process of improvement. Trusted cloud providers will continue to improve governance of their IT infrastructure and show you evidence that they're actually doing it. Make sure you receive that trusted data assurance from your cloud provider. And remember, you can trust, but always verify.

List of Resources

1. American Institute of Public Accountants, aicpa.org
2. Control Objectives for IT, isaca.org
3. BITS Agreed Upon Procedures, bits.org
4. BITS SIG, sharedassessments.org
5. Cloud Security Alliance, cloudsecurityalliance.org
6. 2011 Global Information Security Survey; Mark Lobel, PricewaterhouseCoopers, CSO Security Standard Conference; Brooklyn, New York, September 29, 2010; csoonline.com
7. National Institute of Standards and Technology, nist.gov
8. Security of Cloud Computing Providers Study, Ponemon Institute LLC, April 2011, ponemon.org
9. The SANS Institute, sans.org


Headquarters | 3101 Jay Street, Suite 110 | Santa Clara, CA 95054 | 877.901.DATA (3282) | www.i365.com
France | +33 (0) 1 55 27 35 24
Germany | +49 (0) 89 28890 434
Netherlands | +31 (0) 73 648 1400
UK | +44 (0) 1932 445 370

EVault, the EVault logo, i365, the i365 logo, and other i365 marks are either trademarks or registered trademarks of i365 Inc. or one of its affiliated companies in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners.
