By Morten Dichmann Hansen - IT Security Architect at NNIT A/S - Security Advisory Services
Many companies worry about security and privacy when migrating to cloud services. The cloud providers often demonstrate compliance with a comprehensive list of standards and certification programs, but does that mean that you can relax and feel safe when migrating to cloud services?
I have talked with a number of decision makers about their concerns when migrating company data to cloud services. Fortunately, most of the decision makers have a risk-based approach. They understand the business criticality, data classifications, threats and risks – and they apply additional controls to mitigate the unacceptable risks.
Unfortunately, some of the decision makers consider cloud services to be ‘black boxes’ and believe that the cloud providers by default provide sufficient protection of their data with regard to security and privacy. Some wrongly believe that the cloud providers are obligated to protect customer data hosted in their cloud services.
I normally convince the last group of decision makers by referring to the International Organization for Standardization (ISO) standards for cloud computing. They explain very clearly that the cloud customers are accountable for protecting their data.
The key is the contract, which has to get much more attention and will require more time and new skills in IT departments.
The International Organization for Standardization (ISO) develops recognized worldwide standards for almost everything. More than 160 countries participate in the development of standards, and 75% of the national bodies must approve a new standard before it is released.
Many companies have implemented the ISO27001 standard within their organization. The standard describes how to implement and operate an Information Security Management System (ISMS) controlling the risks to the company information assets. The standard includes five mandatory clauses and 114 optional controls. The ISO27002 standard provides best practice recommendations for implementation of the control set. Controls are only applied when mitigating an identified risk to the organization.
ISO has released the ISO27017 and ISO27018 standards related to cloud computing. The standards are intended to be used in conjunction with the ISO27002 standard. They provide specific implementation guidance for some of the existing ISO27002 controls, and add a set of controls and guidance not addressed by the ISO27002 control set.
The ISO27017 standard for cloud computing provides guidelines for the implementation of information security controls. The standard states that “…the cloud customer should manage the use of the cloud service in such a way as to meet its information security requirements…” and that “…the cloud customer may need to implement additional controls of its own to mitigate risk”.
The ISO27018 standard provides guidelines for implementation of controls protecting Personally Identifiable Information (PII). Here the cloud customer’s responsibility with regard to its own data is also underlined: “…the cloud customer has authority over the processing and use of the data. A cloud customer might be subject to a wider set of obligations governing the protecting personal identifiable information than the cloud provider”.
My conclusion after reading the standards is that the standards are very useful for implementing security and privacy controls. The standards are especially useful for the cloud providers, but cloud customers can also benefit by knowing that the cloud providers have implemented the basics.
In order to regain control of your data privacy in the cloud, consider including the following steps. The steps are partly covered by the ISO 27017/27018 standards.
It is important to agree on data ownership to prevent the cloud providers from using your data for purposes other than those agreed in the contract, e.g. data mining for marketing.
Data ownership is also important if you someday want to terminate the cloud service and migrate to another cloud provider or in-house hosting. Specify that data must be delivered in a commonly used format within an acceptable timeframe after termination.
Furthermore, ensure that your cloud providers are obligated to notify you in case of data breaches and disclosures, and that the cloud providers must reject any requests for data disclosure that are not legally binding.
Identify any Personally Identifiable Information (PII) or other sensitive data you may store, where it is physically located, who has access, and how the data is used. Logging of access to data might be recommended or required. Data protection and privacy legislation varies from country to country, and there might be restrictions on where data can be stored and accessed from.
The focus on data privacy is increasing further with the new EU General Data Protection Regulation (GDPR), and there is still uncertainty about the long-term validity of the EU Privacy Shield and EU contract clauses.
Find out how your cloud providers restrict access to your data. Some cloud providers are mature and have implemented controls preventing the cloud operations staff (or subcontractors) from accessing your data without your knowledge and acceptance.
You might be able to mitigate this risk by encrypting sensitive data in transit, in use and at rest. Unfortunately, it is not always possible to apply encryption sufficiently. In that case you must log when data is being accessed by the cloud providers and ultimately trust the cloud providers.
Ensure that you have implemented sufficient access controls for the cloud service. The cloud service is often highly exposed on the network, which might require a strong authentication process to mitigate the risk of unauthorized access. Consider implementing multi-factor authentication (one-time passwords, text messages etc.) and location-aware authentication to strengthen the authentication process.
Ensure that your cloud providers have mature procedures for securely deleting data from storage media before the media is reused by the next customer. There have been examples of cloud providers just removing pointers to data and not securely shredding the data itself.
Cloud services are often designed as multi-tenant environments where multiple cloud customers share the same infrastructure and computing units. Technical bugs and faulty operation procedures constitute a risk to your data privacy.
Ensure that you have the right to audit the cloud providers. Alternatively, be satisfied with the cloud providers' compliance with one or more of the common audit and compliance frameworks. The Cloud Security Alliance (CSA) STAR program is one of the most recognized programs providing security assurance.
This article is based on my professional experiences and personal view from working with IT for more than 20 years. Please share your thoughts if you find that I overlooked important things. I look forward to hearing about your views and experiences.
You are welcome to contact me at firstname.lastname@example.org and +45 3079 5368 if you want to know more about how NNIT can help you migrate to cloud services.