No matter if you believe in conspiratorial chem-trails or scientifically sound contrails, the ability to see where you have been and guess which direction you are potentially heading is paramount to data security in the clouds. Of course, data flying around the cloud does not leave a trail showing where it has been nor where it is heading so it becomes practically impossible to secure your “portion” of the cloud using traditional methods. What are security practitioners to do?
As we fly across the landscape gazing at the remains of former ISPs, ASPs and SAAS, we pass over clouds that potentially harness variable cost structures, dynamic redundancy, unicorns prance and butterflies flutter over streets paved with gold. But once we find ourselves on the onramp, we realize we are facing a tangled web of legal entities, legal liabilities, dedicated third parties, “drive by” third parties, ISPS, ASPs, SAAS, cross -jurisdictional and international data breach boundaries. As we entered the cloud, we were eager to land in Vegas to test our risk/reward theories, but our cloudy dreams of glitter and hitting it big just turned into a pit boss slapping us silly in attempt to snap us out of it. Dazed and confused, we try to determine how we got here.
In our mind, we try to trace the path that led us to our current cloudy situation. Our companies had little room for negotiation about using cloud. Heck, the CEO likes the buzzword and how it rolls off the lips; the CTO like the technology and the ability to use the buzzword with other CTOs; and the CIO already went out on a limb and over committed because they slipped the buzzword into a presentation. So security was immediately placed into a reactive mode. Of course, this is the reality of how most things get done with technology today, but as security practitioners, we seem to always be caught off guard. We try to console ourselves by mumbling we are always the last to officially know while sitting on the floor rocking back and forth.
So here we are again, dazed and confused in Vegas, not knowing which table to approach to place our bets (your data). A guy is behind us with a gun pointing at our head mumbles something about a trip to the desert if we mess this cloud thing up for the CEO…
Our mind quickly begins to rationalize our current situation. We know that there is nothing really new about cloud except the term and the emphasis on security this time. Thanks to the Pit Boss a few moments ago, we now realize that cloud computing is nothing more than ISPs, ASP and SAAS rolled into a big roulette wheel where your data becomes the ball and the cloud vendor/service contract is the dealer. Security gets to play the game, betting that the data may land on odd, even, red, black, etc. Yippee! If security wins, then we can be confident about the point in time reference until the wheel starts to spin again. If the house wins, that may be good or bad, but its based on the rules you required everyone to follow. You did make the dealer follow your rules, right?
But we need to get back to that guy with the gun…
So what can we do about cloud computing that will potentially increase our odds of winning? What rules should be thought about before gambling with your customer or company data?
Just remember I.R.S
I – Incident Response Notification
R- Right to Audit
S- Security Control Warranties
Here are a few detailed pointers in implementing the I.R.S methodology to make your data in Vegas enjoyable and safe:
- Make sure the cloud vendor is accountable for data confidentiality, integrity and availability. This accounting should not be a cursory exercise, but one that demonstrates complete detailed controllership and accountability at each point (and each vendor they use) within the cloud. Yes, this means during access, authentication, transmission, processing, storage, recovery and destruction.
- Specify how the cloud vendor will preserve and produce data for e-discovery requests. Depending on the compliance and legal objectives, this can extend to a few more layers (vendors) within the cloud and can impact systems that are shared with other cloud vendor clients.
- Ensure that your contract with the cloud vendor specifies all the security provisions your data requires. Since your cloud vendor is likely to represent other vendors behind the scenes, you will want to ensure that the master contract is enforced and adhered to wherever your data may go. Make sure that all referenced and required security controls stated or implied are listed in their warranty clause and that you maintain the exclusive right to audit at any time.
- Encryption is good and bad, so be mindful of its use. You should consider the geographical and logical location of its use, the minimum and maximum levels required, laws that may impact use, and if encryption will block your ability to monitor and track the data and threats.
- Ensure that a defined SLA is established that clearly stipulates how incident response will occur between all the parties. They work for you, so make sure to capture this process in the contract and enforce through an SLA.
- Make sure that no additional outsourcing or “drive by” third parties can access or process your data unless you receive proper notification and that appropriate time can be provided to conduct audits and assessments to understand risks. Be sure to require a process for mediating disagreement with potential outsourcing arrangements.
- Last, but not least, make sure that the cloud vendor has a crisis management process. You want to make sure that the cloud vendor will have the appropriate technical, organizational and procedural measures to deal with a crisis incident contractually. This can include financial crisis such as vendor bankruptcies, mergers, acquisitions along with traditional areas like weather, geological disruptions, epidemics, etc.
By simply mentioning the I.R.S, the guy behind us makes a mad dash to the door. We notice that our chips are turning into a small mountain on the table, and the Pit Boss is grinning in our direction. We managed to make our bosses happy and we can now potentially get a little shuteye until the next buzzword is released. Until then, implement the I.R.S methodology each time you set your course to fly through the clouds. You can make sure each trip to Vegas will be less risky by persuade the dealer (cloud vendor) to play by your rules. This will increase the odds of security winning more times than losing. This is exactly where security needs to be positioned in cloud (not face down in the desert)
By Rick Lawhorn CISSP, CISA, CHP, CHSS