Quit Worrying About Cloud Security?

Well, it is not THAT easy, but at least there are people starting to claim that it is not as hard as it sometimes seems to be. I stumbled across the following article: Why you can quit worrying about cloud security (thank you Jim), which makes a lot of interesting statements on how the US Federal Government should look at the cloud, and in a lot of cases they are in line with what Doug Cavit and I wrote in the Cloud Computing Security Considerations:

“We must push the envelope,” said James Williams, CIO at NASA’s Ames Research Center, which is developing the Nebula infrastructure as a service offering for the entire agency. “It's not so much about making the cloud secure but about using the cloud to leverage best practices in security across an enterprise.”

Interesting! I recently had a discussion with our Chief Security Advisor in Australia and he told me how the Cloud currently comes into play: Customers are not looking for a cloud solution but for a way to improve their GRC processes. In parallel they have to reduce costs. Why not use the Cloud for this? Instead of trying to get ISO 27001 certified – we are. Instead of getting the ISO audit under SAS 70 Type II – we have. And the reason for that is fairly simple: We need to, in order to help you get compliant, and besides – it is our core business. Is running a datacenter in a compliant way yours?

So, the article above mentions four reasons why you should stop worrying:

1. Sharing the cloud with strangers isn't always a deal breaker.

[…]

Those risks are real, but they shouldn’t be deal breakers if proper steps are taken, especially given the potential financial rewards of multitenancy services. “You make a mistake if, in order to get security, you avoid co-tenancy entirely,” Rasch said.

There are ways to make such environments safer. At the Treasury Department, for example, officials are choosy about what they send to the cloud.

[…]

But Williams warned that cloud customers need to look below the surface. “Serious attention must be paid to crypto-implementation for processing and storage,” he said. He advises administrators to investigate each provider’s encryption strategy to answer the ultimate question: “Do you trust the algorithm as implemented by the vendor?”

It has to be about understanding your data and the classification thereof. If you do not understand your data, you cannot make the decision described above. It reflects the last point in our paper on Information Protection. Additionally, trust leads back to certification. The encryption has to be FIPS certified.

2. FedRAMP is a good start, but only the beginning.

Federal officials are optimistic that the budding Federal Risk and Authorization Management Program will simplify cloud security, but agencies shouldn’t let their guards down. Even after it’s finalized, don’t expect FedRAMP to relieve you of all security burdens.

I cannot (and do not want to) comment on FedRAMP. But what I keep saying (and wrote again in the paper) is this: whatever you do with the Cloud, compliance and risk management remain your responsibility!

However, the interesting thing is that as soon as money is involved, the discussion starts about which are the right standards to build something like that upon… I will not comment on that further.

3. Outsourcing to the cloud? Don't abdicate on security.

Cloud computing increases the importance of a security best practice that every agency CIO might soon need to implement: continuous monitoring of IT resources and activities.

See the point I made above. It is your responsibility. One thing is important to understand: If you are shooting for a public Cloud, you have to be aware of the fact that this is a standard service, out of the box. The ability to customize it to your compliance needs is very, very limited, as this is what the public Cloud is all about. You will have to trust the standards applied and the audits done by the Cloud provider. These audit reports have to be accessible to you if you are a customer (maybe under NDA). We are talking about economies of scale, as you are looking for lower costs.

If you need tighter security, more controls, etc., you might want to consider a private Cloud (on- or off-premise).

4. Off-the-shelf security terms are often negotiable.

Not all cloud security challenges are caused by still-evolving best practices and immature technologies. Some are the result of ongoing confusion about where a cloud service provider’s data management responsibilities end and the agency’s begin.

For example, don’t assume that the cloud provider will automatically back up data and store it on off-site tapes — a reasonable assumption under long-standing data protection practices. Similarly, a traditional intrusion detection system might not be included in a standard cloud contract.

“Those are services you can add, but if you don’t ask, you are not getting them oftentimes,” Cronin said.

Avoid unpleasant surprises and finger-pointing by diligently combing through cloud quotes to clearly understand what is being provided. And be ready to negotiate for anything that’s not spelled out in the document.

Therefore we ask customers to run a strong security and risk management team within their organizations. This team needs to be included in contract negotiations, and I would definitely expect a Cloud provider to run the service in a professional way. At the end of the day, you have to be able to trust your provider.

And finally, there is a very interesting statement at the end:

“There is initially a belief that the cloud may not be as secure as [an agency’s] own infrastructure,” Cronin said. “But a cloud solution can be more secure than many federal systems that are on legacy infrastructures using legacy controls.”

If you are honest and try to get around your feelings: How good is your security? Really! Don’t get me wrong. I do not claim that security is bad everywhere and that only Cloud providers know how to deal with it, but I have seen a lot of very scary things which cannot be changed internally because you are internal. If best practices are applied by the provider, you “have to” follow these processes. This might be a great opportunity to increase your security.

Finally, there is also an Australian KPMG report that makes similar statements: Customer Experience: Security Can Improve in the Cloud

Roger