The Security Impact of Putting it in the Cloud

Sunday, February 19, 2012

Robb Reck


Security impact of putting it in the cloud

It seems you can’t make it through any IT related article or meeting these days without a discussion of “the cloud.” Every CEO wants to know how the cloud can improve innovation and productivity, and every CFO wants to know when we’re going to move to the cloud to dramatically cut the costs of doing business. Most CISOs are just scared to think about all that data sitting outside our firewalls.

In the security arena our job is to help identify and quantify the risks associated with such a move. The risks of an internally hosted application are well-understood, and more organizations have an established procedure to handle them. Information security controls such as firewalls, intrusion prevention systems (IPS), data loss protection (DLP), anti-virus, and vulnerability management programs are implemented to protect the organization and keep risk exposure at a certain level. A centralized authentication system (such as LDAP or Active Directory) is used to ensure users have access only to those systems to which they are authorized.

In an outsourced environment, the corporation loses control over the implementation of security controls. The outsourced vendor provides the security controls they deem appropriate, according to their own risk tolerance. Depending on the industry, this may or may not meet the needs of your organization.

Information security must not be the roadblock that prevents cloud adoption

While the scope of the security implications change based on the particular project, below is a list of questions to help you start evaluating the risk involved with moving your data outside the organization’s boundaries.

What kind of data will your vendor be hosting?

Look very closely at any associated regulation. HIPAA, PCI, GBLA and safe harbor can all be concerns for the data your vendor will store. Ensure not only that the vendor’s security is adequate, but that they can prove it for your regulators.

Who will have access to the data at the vendor’s facility? Are they renting space from a data center company?

If so that organization’s employees may have access to your data as well, requiring yet another level of due diligence.

How are your employees going to connect to the outsourced system?

Leased line VPN? VPN over the internet? Will the system be sitting on the public net? Each of these connection strategies has their own risks.

If a leased line is used for VPN connectivity care must be taken to understand the reliance on the ISP to provide access. If the circuit fails, access to the outsourced system will be unavailable and at the mercy of the ISP’s service department.

If a site-to-site VPN is utilized, care will need to be taken to ensure that the scope of access granted to the vendor it understood and accepted. Opening a VPN tunnel allows for the possibility of data and malware moving between the organizations. Restrict the access to the smallest scope possible.

Is the system created with appropriate application security in place? Are proper steps taken to reduce risk of issues like cross-site scripting, SQL injection, and cross-site forgery attempts?

These issues are especially critical if the application will be available over the internet. Factor in the cost of running (or contracting with a third party to run) penetration tests against the vendor’s environment if necessary.

How are user accounts created and disabled?

If the organization’s central authentication system is not used, how can you ensure that users are not able to access the data once they have been terminated? Many outsourced systems will contain data that would be damaging in the hands of a recently terminated employee.

The cloud offers tangible boosts to productivity, flexibility, and scalability and does so while providing the means to reduce IT spend. Information security must not be the roadblock that prevents the adoption of such technology. By thinking ahead about the kinds of risks that outsourcing our systems will involve, we can be ready to quickly and securely lead our organization into the cloud.  

Cross-posted from Enterprise InfoSec Blog from Robb Reck.

Possibly Related Articles:
Cloud Security
Service Provider
Compliance Cloud Security Access Control Vulnerabilities Managed Services VPN Controls Third Party DLP IDS/IPS Data Protection Robb Reck
Post Rating I Like this!
Don Turnblade Medical Cloud computing has a few more items. Do you realize that everyone with Administrative rights to servers has to be a signed Business Associate? So, it has to be a Community Cloud with common security requirements over every system and administrator. There is a bit more to this cloud business even while the cost might have some moments in the sun.
Robb Reck Hey Don,

You're absolutely right. There are significant compliance and security questions that need to be answered before we can make the choice to outsource systems holding sensitive data. One of the key requirements is getting to know our regulatory environment.

The biggest question for requirements around granular user access questions is what can the SaaS vendor support? Finding a hosting vendor who has both the flexibility to answer those types of questions, and the inclination to do so, is key in getting a good fit.

Don Turnblade Further, legal foundations for liability vary both by country and in the USA by state. If a Cloud cannot guarantee which states or countries the data actually resides in, a nasty legal fight stands waiting in the wings if a Privacy breach occurs.

Is the data governed by the state or Country where the cloud server was at the time of the breach? Is the data governed by the state or Country of the breached customer? Short legal answer, "Both".

So, can the cloud provider maintain an inventory of every state or country where the data and its backups have, will or presently reside? Can the cloud provider produce forensic data proving this without giving up accidental sensitive data to unrelated parties?

I hate to say this, but Cloud computing is kind of pre-paid entertainment for lawyers.

There are lots of questions that must be nailed down in Cloud computing contracts.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.