Paul Douthit

Director, Cloud Security, CGI Federal

When information and applications are designated as mission critical, this should immediately signal to the organization that these systems require the highest levels of protection and equally high investment to guard against malicious attacks.

When moving these applications to the cloud, system owners need to know how cloud service providers (CSPs) will deliver secure Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) capable of maintaining a low-risk security posture.

While there is no simple way to gauge how CSPs manage risk, helpful strategies include:

  • Evaluating the CSP’s services against the organization’s current risk posture for critical information and applications
  • Being prepared to invest in added protection against threats to valuable business information in any new cloud environment
  • Seeking third-party verification of CSP security

Third-party assessments

In the commercial world, transparency into how a CSP continuously manages risk is not readily available across the major players in the market. Additionally, CSPs may even limit the information they release through an evaluation or competitive review process.

Payment Card Industry Data Security Standard (PCI DSS), Health Information Trust Alliance (HITRUST), Cloud Security Alliance STAR program, Service Organization Control (SOC) 2 and International Organization for Standardization (ISO) are the most common assessments that organizations can use to understand how a cloud service can adequately protect mission-critical systems.

Performed on an annual or semi-annual basis, these assessments are useful for a point-in-time evaluation of risk. The main limitation of third-party assessments is that they do not provide insight into how a CSP manages risk from an architecture, process and reporting perspective. Due diligence on the part of the organization using the cloud services may give additional insight into the reach of cloud service risk protection.

The U.S. government’s Federal Risk and Authorization Management Program (FedRAMP) provides both third-party verification and validation of CSP security control implementation based on the National Institute of Standards and Technology (NIST) security framework. This information, available to federal, state and local agencies and tribal entities, provides significant disclosure into how CSPs operate and manage risk. The FedRAMP assessment process allows agencies to make informed risk decisions and determine the layers of protection needed to further reduce risk.

A significant challenge when deciding to move mission-critical information and applications to the cloud is how much to invest when you don’t know how the CSP implements and maintains a low-risk security posture for the cloud services offered.

Consider the analogy of shopping for a place to store your possessions. Your local self-storage facility may provide sufficient protection for low-value possessions, such as furniture, with a building, fence, access control and video surveillance. As a precaution, you may add a lock to secure the storage space door. However, nothing can prevent alternative access routes to your storage space, such as a thief renting the adjacent storage unit and cutting a hole in the common wall, easily rifling through your possessions and stealing what looks valuable.

If your possessions have higher intrinsic value, such as gold doubloons, they need higher protection like a bank safety deposit box. Safety deposit boxes provide better physical security, authentication and access control than self-storage, and a separate key from the bank’s master key. Only when these keys are used together is access permitted. In this example, you are investing in security commensurate with the risk from loss.

Without the luxury of transparency into a CSP’s risk management process, additional investments are needed to ensure the right level of security. These extra layers provide assurances that cloud neighbors cannot tunnel through barriers and steal or compromise your mission-critical information.

Back to basics

So, what are the extra layers of cloud security needed?

Prudent security and compliance basics for mission-critical information and applications hosted in a commercial data center should be: access control, configuration management, continuous vulnerability scanning and patching, encryption, inventory, least privilege, log monitoring and multi-factor authentication.

Depending on the CSP’s delivery model—IaaS, PaaS or SaaS—these basics may not be offered. If they are, are they sufficient for the risk you will accept?

Migrating to the cloud should be an opportunity for organizations to reflect on how they are managing risk with mission-critical applications in a non-cloud environment. Are you using multi-factor authentication? Do you encrypt data at rest? How many users have administrative privileges? Is your incident response up to the challenge of a major breach? Do you have good situational awareness?
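The questions above can be turned into a repeatable self-check. The following script is an added example, not code from the author or from CGI: it encodes the MFA, encryption-at-rest, administrative-privilege and log-monitoring questions as checks over an account inventory. The inventory shape (users, volumes, log sinks) and the thresholds are hypothetical assumptions for illustration, and the sample data is constructed; in practice you would feed it an export from your own environment.

```python
"""Self-assessment of the security basics over a constructed cloud account inventory.

Assumed inventory shape (hypothetical, not any CSP's real API):
  users     -> name, mfa_enabled, admin
  volumes   -> name, encrypted_at_rest
  log_sinks -> name, enabled, retention_days
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str    # which security basic the finding relates to
    severity: str   # "high" or "medium"
    detail: str


# Constructed sample inventory; every value here is made up for illustration.
SAMPLE_INVENTORY = {
    "users": [
        {"name": "alice", "mfa_enabled": True, "admin": True},
        {"name": "bob", "mfa_enabled": False, "admin": True},
        {"name": "carol", "mfa_enabled": True, "admin": False},
        {"name": "dave", "mfa_enabled": False, "admin": False},
        {"name": "svc-deploy", "mfa_enabled": True, "admin": True},
    ],
    "volumes": [
        {"name": "app-db", "encrypted_at_rest": True},
        {"name": "backups", "encrypted_at_rest": False},
    ],
    "log_sinks": [
        {"name": "audit-trail", "enabled": True, "retention_days": 30},
    ],
}


def assess(inventory, max_admins=2, min_log_retention_days=90):
    """Return a list of Findings; thresholds are assumed policy values."""
    findings = []
    users = inventory.get("users", [])

    # Multi-factor authentication: every account should have it; an admin
    # without MFA is rated higher because of the privilege at stake.
    for u in users:
        if not u["mfa_enabled"]:
            severity = "high" if u["admin"] else "medium"
            findings.append(Finding("multi-factor authentication", severity,
                                    f"user {u['name']} has no MFA"))

    # Least privilege: how many users hold administrative rights?
    admins = [u["name"] for u in users if u["admin"]]
    if len(admins) > max_admins:
        findings.append(Finding("least privilege", "medium",
                                f"{len(admins)} admin accounts ({', '.join(admins)}) "
                                f"exceed the threshold of {max_admins}"))

    # Encryption at rest for every storage volume.
    for v in inventory.get("volumes", []):
        if not v["encrypted_at_rest"]:
            findings.append(Finding("encryption", "high",
                                    f"volume {v['name']} is not encrypted at rest"))

    # Log monitoring / situational awareness: an enabled audit sink with
    # enough retention to support an incident investigation.
    sinks = [s for s in inventory.get("log_sinks", []) if s["enabled"]]
    if not sinks:
        findings.append(Finding("log monitoring", "high", "no enabled audit log sink"))
    for s in sinks:
        if s["retention_days"] < min_log_retention_days:
            findings.append(Finding("log monitoring", "medium",
                                    f"sink {s['name']} retains logs for {s['retention_days']} "
                                    f"days (policy minimum {min_log_retention_days})"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 2, 'medium': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
    print(summarize(results))
```

Run against the constructed inventory, the script reports two high findings (an administrator without MFA and an unencrypted backup volume) and three medium ones (a non-admin user without MFA, more administrators than the assumed threshold, and an audit sink whose retention falls short of the assumed policy). The point of the exercise is the same as the article's: the answers to these questions are what determine how much extra protection you need to buy when the CSP's own controls are opaque.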

If you have not mastered these security and compliance basics, the transition to the cloud is an opportunity to get caught up. Shed the old legacy tools and processes, add new ones and consider third-party services. Invest in the safety deposit box, and forego the self-storage option.

Watch for our next blog on the topic of cloud security by my colleague John Evans on “best practices for verifying SaaS security” early next month.

*This content first appeared as a similar article in CIO Review.

About this author

Paul Douthit

Director, Cloud Security, CGI Federal

Paul Douthit is Director of Cloud Security for CGI’s Hybrid IT Management Suite, CGI Unify360. His teams assist clients with risk evaluation, mitigation and compliance when moving applications to the cloud.