CHAPTER 5: MITIGATING SECURITY RISKS IN THE CLOUD

Effectively mitigating security risks requires a range of measures to be implemented together and used in combination, in order to provide the end-to-end security discussed in the previous chapter. This pocket guide will not give a detailed description of the technical measures available, and readers with more technical expertise may well be aware of other measures that are perhaps more appropriate for their situation.

Security – like other aspects of data protection – is not something that should be added as an afterthought. Security should be built into an organisation’s infrastructure and become part of how the organisation does business in every respect. Moving to the Cloud does not solve the problem if an organisation’s existing security architecture and infrastructure is not up to standard – it just adds another element that must be addressed.

Most Cloud providers are acutely aware that security must be a high priority, both for them and their customers. They typically stress the degree to which they take security seriously, and many claim that their security is likely to be considerably better than in most small organisations and some larger ones. This is possibly true, but Cloud providers may also be a more tempting target, and breaches leading to unauthorised access, as we have seen, undoubtedly do occur. This should not be too surprising, as any organisation could be breached, given enough attempts and resources.

Cloud security must cover all risks addressed in Article 32 of the GDPR – not just preventing unauthorised access, but also preventing accidental or unlawful destruction, loss and alteration of personal data. Many Cloud providers offer indications of the level of service they aim to provide – and may historically have provided – but few are likely to offer unequivocal guarantees. The risk of service non-availability and its potential consequences,[12] as well as the options for mitigating any damage, must therefore be determined and evaluated.

Given that most Cloud providers are likely to be data processors, Recital 81 of the GDPR must be taken into account. This states that:

To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.

Although physical inspection of a Cloud provider’s “technical and organisational measures” is unlikely to be practical, all reasonable steps must be taken to verify that the provider’s security measures are at least sufficient. This should be done by someone with an appropriate level of technical expertise, who is able to ask the right questions and understand the implications of the answers. Without that, it is much more likely that the data controller would be penalised should a breach occur.

If the Cloud provider already has some form of external certification, such as ISO 27001, this would make checking significantly easier. If the provider claims to have ISO 27001 certification, you could simply ask to see the certificate and the Statement of Applicability (SoA), which would allow you to verify the controls in place; in particular, you could check if the provider took note of Cloud-specific standards and guidance (discussed in more detail later in this chapter).

Areas to assess include:

How access rights are authorised;

How users are authenticated;

Background checks and segregation of duties for the Cloud provider’s personnel; and

Physical access monitoring and segregation of data.

Although the security offered by providers is, of course, crucial, security of Cloud-based systems must start at the customer or data controller end. The controller should first get internal matters in order, after which it should carry out due diligence on the security provisions made by the Cloud provider.

In the Cloud, security must be managed differently. On an internal server it may be possible to rely heavily on perimeter defences. However, many security products cannot be deployed in a shared environment, and other organisations may use less secure applications within the perimeter of the Cloud service and endanger valuable data. Application-level and ‘instance’ security should therefore be considered. This could include:

Firewalls or antivirus software that operate within each instance;

Ensuring that system services are run only where necessary;

Intrusion detection systems (IDS) and/or intrusion prevention systems (IPS); and

Integrity checking or change monitoring software.

Where data is stored partly in the Cloud and partly in-house, proper classification of data is vitally important to determine what can safely be stored where, in accordance with legislation, standards, security concerns and the value of the asset.

Cyber Essentials

As discussed earlier, the ideal situation would be for the Cloud provider to conform to an external scheme. One such example is the UK government’s Cyber Essentials scheme, introduced in June 2014.[13] Although a good scheme, it may be of limited value in a Cloud provider’s context, as it is only proof of a basic level of security, and – crucially – doesn’t adequately address Cloud-specific risks.

Cyber Essentials sets out the basic controls that all organisations of any size should implement to counter the most common Internet-based security threats. It concentrates on five key areas:

1. Boundary firewalls and Internet gateways

2. Secure configuration

3. User access control

4. Malware protection

5. Patch management

Many organisations will, of course, have already identified some or all of these as necessary and taken steps to address them. None of them are new or surprising issues, so there is no real excuse for failing to implement appropriate measures. What the Cyber Essentials scheme does offer is a means of proving that the necessary steps have been taken, through external assessment.

The scheme is intended to be affordable, even for small organisations. There are two levels of assessment. The basic certificate involves completing a questionnaire, which is externally reviewed before the certificate is awarded. The more advanced Cyber Essentials Plus is based on more costly external and internal testing. In each case, the certificate – which must be renewed annually – entitles the organisation to display a logo.

Access controls

It is worth reiterating that Article 32 of the GDPR requires “technical and organisational” security measures. Although many basic controls are at the technical end, access control clearly has a large organisational component.

Access controls must apply both to the systems that allow users to access Cloud applications and to the Cloud applications themselves. Article 32 of the GDPR requires protection against unauthorised access. There are many ways of authorising access, but the allocation of logon credentials that then determine the information the user can view or manipulate has to be a key element. Access privileges should be carefully considered so that users see no more information than they need to, and do not have access to functions that are not relevant to them.

This is especially true in the Cloud, where each user’s location may be less well controlled. It is often worth considering additional precautions, such as two-factor authentication (2FA), strong authentication for password recovery or modification, restrictions on the IP addresses from which the application may be accessed, and/or restrictions on the times of day at which any given user is permitted to log in.

Good segmentation of the data in the Cloud system so that users are restricted in what they can view or modify – and especially in what they can download, print or export – also helps to mitigate risks. Access to administrative functions must, of course, receive particular attention, and you should also consider monitoring activity live, in order to flag up any unusual behaviour before it is too late.
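The conditional access checks described above (an IP allowlist, permitted login hours and a second factor for sensitive actions such as password reset) and the live flagging of unusual behaviour can be expressed as a small policy evaluator. This is an added illustration, not code from the pocket guide; the policy values, the sample events and the TEST-NET addresses are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class AccessPolicy:
    allowed_networks: list[str]      # CIDR blocks users may connect from
    login_hours: tuple[int, int]     # (start, end) hours in UTC, end exclusive; may wrap midnight
    mfa_actions: frozenset[str] = frozenset({"login", "password_reset", "admin"})


@dataclass
class AccessEvent:
    user: str
    source_ip: str
    action: str
    timestamp: datetime              # must be timezone-aware
    mfa_passed: bool


def in_window(hour: int, window: tuple[int, int]) -> bool:
    """True if `hour` (0-23) falls inside the window; handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def evaluate(event: AccessEvent, policy: AccessPolicy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). An empty reasons list means every check passed."""
    reasons = []
    ip = ipaddress.ip_address(event.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in policy.allowed_networks):
        reasons.append(f"source {event.source_ip} outside allowed networks")
    hour = event.timestamp.astimezone(timezone.utc).hour
    if not in_window(hour, policy.login_hours):
        reasons.append(f"hour {hour:02d}:00 UTC outside permitted window")
    if event.action in policy.mfa_actions and not event.mfa_passed:
        reasons.append(f"action '{event.action}' requires a second factor")
    return (not reasons, reasons)


def review(events: list[AccessEvent], policy: AccessPolicy) -> list[tuple[str, list[str]]]:
    """Feed for live monitoring: every denied event with the reasons it was flagged."""
    return [(e.user, evaluate(e, policy)[1]) for e in events if not evaluate(e, policy)[0]]


# Constructed policy and events (addresses from the RFC 5737 documentation ranges).
POLICY = AccessPolicy(allowed_networks=["203.0.113.0/24", "198.51.100.0/24"], login_hours=(7, 19))
UTC = timezone.utc
EVENTS = [
    AccessEvent("alice", "203.0.113.10", "login", datetime(2024, 3, 4, 9, 0, tzinfo=UTC), True),
    AccessEvent("bob", "192.0.2.55", "login", datetime(2024, 3, 4, 9, 5, tzinfo=UTC), True),
    AccessEvent("carol", "203.0.113.20", "password_reset", datetime(2024, 3, 4, 10, 0, tzinfo=UTC), False),
    AccessEvent("dave", "198.51.100.7", "login", datetime(2024, 3, 4, 23, 30, tzinfo=UTC), True),
]

if __name__ == "__main__":
    for user, reasons in review(EVENTS, POLICY):
        print(f"FLAG {user}: {'; '.join(reasons)}")
```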

Controlling access via personal devices, through a BYOD policy, is particularly important if there is any possibility that confidential or sensitive personal data may be taken from the Cloud and stored on the device. This could be, for example, in the form of emails or information in attachments. Spreadsheets used as informal small databases are a particular hazard. Strict access controls to the device are also essential if the Cloud application requires a logon that can be ‘remembered’ by the device. A BYOD policy should prohibit access to such Cloud services by any personal devices that are not secured by the most appropriate access controls available. The data controller should also reserve the right to verify the presence of access controls at reasonable opportunities.

This is not just a hypothetical risk. A survey[14] in June 2014 found that 75% of consumers who use social media on mobile devices are automatically logged in to their accounts, and even 23% of mobile banking users are automatically logged in. These risks may be acceptable for individuals to choose to take with their own data, but the figures emphasise that employers cannot assume that individuals have taken an appropriate approach to the security of personal devices on which corporate data may be held or accessed.

It is likely that personal devices may occasionally, or regularly, be used by others with the permission of the owner. In this case, it is essential that these additional users are unable to access any data derived from or held by Cloud applications. Ideally, the device should provide for individual logons and allow only authorised users to access confidential data and associated applications. Again, reservation of the right to verify that these conditions are met may be a reasonable condition of permitting access from the device to corporate Cloud data.

Other guidance and recommendations

There are, of course, many sources of security guidance. One of the main ones is ISO/IEC 27001:2013, but the Open Web Application Security Project (OWASP) can also provide valuable guidance on common vulnerabilities.

The OWASP Top 10 is an analysis, updated every three years, of the current most important vulnerabilities in web-based systems and the measures that should be taken to prevent them. The 2017 Top 10 are:[15]

1. Injection

2. Broken authentication

3. Sensitive data exposure

4. XML external entities (XXE)

5. Broken access control

6. Security misconfiguration

7. Cross-site scripting (XSS)

8. Insecure deserialization

9. Using components with known vulnerabilities

10. Insufficient logging and monitoring

It is worth taking a broad view, rather than relying on just one source to identify the security areas that should be given attention; for instance, a number of these points are relevant to the Cyber Essentials controls.

You should consider regular independent vulnerability assessments and penetration testing to ensure that applications are protected from, at the very least, well-documented threats.

ISO 27001 – information security

The key international standard on information security is the ISO 27000 series, of which ISO 27001 is the overall framework laying out the specifications for a best-practice information security management system (ISMS).[16]

Organisations can be externally audited and certified against the Standard, providing solid evidence that their security measures are effective.

Annex A in ISO 27001 sets out a reference control set covering the key security areas for any organisation. Many are directly relevant to Cloud computing, including:

Access control (A.9);

Information transfer (A.13.2);

System acquisition, development and maintenance (A.14);

Information security in supplier relationships (A.15.1); and

Privacy and protection of personally identifiable information (A.18.1.4).

On top of Annex A, ISO 27017 may be of use: this standard provides expanded guidance for the Annex A controls in ISO 27001 to make the guidance more applicable to Cloud service providers.[17]

Where ISO 27017 mainly focuses on practices and takes a more general approach, the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is much more specific to the technologies typically used by Cloud providers.[18] As a control set, the CSA CCM also integrates well with ISO 27001.

ISO 27001 accreditation is available both to the data controller and any Cloud suppliers it may use.

Many suppliers claim to be ISO 27001-conformant, but it is important to check:

Has the Cloud provider been externally certified, or just self-assessed as compliant?

Are the credentials of the certifying body satisfactory?

Does the ISO 27001 certificate apply to the issues that concern the data that is intended to be placed in the Cloud application, as set out in the supplier’s ISO 27001 SoA?

Data ‘in transit’

Data is almost inevitably more at risk when it is ‘in transit’ rather than ‘at rest’, which is why information transfer merits a specific control in ISO 27001. Many of the ICO’s monetary penalties have involved data going astray in transit (in a range of situations, not always in the context of Cloud computing).

When considering a Cloud provider’s security claims, it is important to check whether these apply equally to data at rest (i.e. while stored on the provider’s servers) and data in transit, both between the customer and the Cloud provider, and between the Cloud provider and any subcontractors that may provide part of the service.

European Secure Cloud (ESCloud) Label

The German Federal Office for Information Security (BSI) and French Agence nationale de la sécurité des systèmes d’information (ANSSI) collaborated to develop the ESCloud Label.

National frameworks are of limited use to Cloud providers, because Cloud services tend to be offered across borders. Equally, national cyber security authorities are limited in authority to their own country. The ESCloud Label is meant to provide a solution, as “the national safety certificates are combined under one roof and made comparable”, taking into account key requirements of multiple Member States.[19] With time, the BSI and ANSSI hope to include members from more countries, making the framework more relevant from an international perspective. This would also be good news for Cloud users, as it provides assurance that the Cloud provider in question has security measures that meet more than just local standards.

Some other countries have localised schemes that Cloud providers can use; for instance, both the BSI and ANSSI have also developed or are developing their own standards. The BSI has its Cloud Computing Compliance Controls Catalogue (C5),[20] while the ANSSI is close to releasing its SecNumCloud.

Government agencies, or organisations that have close dealings with government, may want to review the Cloud provider’s offering against relevant frameworks. For instance, the UK government uses its G-Cloud framework on its ‘Digital Marketplace’.[21]

COBIT®

COBIT is another framework for information technology management and governance. It is seen as a way to fulfil the requirements of regulatory regimes (such as the US Sarbanes-Oxley Act) for risk mitigation, monitoring and control. COBIT 5 was released in June 2012. It is published by ISACA® (originally the Information Systems Audit and Control Association) and its components include:

Framework, linking IT to business requirements;

Organisation-wide process descriptions that map to responsibility for different aspects of the process;

High-level control objectives;

Management guidelines that include measuring performance; and

Maturity models to assess systems and address gaps.

Additional BYOD considerations

The data controller will not usually be able to control which other applications are installed on personal devices. As such, there is a risk of malicious or ill-behaved applications introducing security vulnerabilities. Strict data and application segregation can mitigate these risks.

If data can be downloaded from the Cloud to the device, it will be vulnerable to access by other users – with or without permission. Unwise behaviour by the device owner could result, for example, in the device being disposed of while still containing recoverable confidential information. It is also less likely that information updated on the device will be reliably backed up.

It is commonplace for devices – especially smartphones, which are particularly vulnerable to loss or theft – to allow remote locking and wiping of all data. A device owner may be reluctant to provide the data controller with the codes necessary to carry out these operations, or to inform the data controller as soon as the device’s whereabouts are unknown. This is especially true if data is not segregated, meaning that the owner’s personal information would be wiped at the same time.

For these reasons, it would be best to provide employees with company-issued phones wherever possible. An alternative is to require the device to use an application that ringfences data acquired from the organisation’s systems, preventing it from being stored on the device, exported from it, or interfered with by other applications on the device. However, again, human factors must be taken into account. For example, a user who finds it onerous to enter a PIN or other security requirement each time they access the device may be inclined to disengage the access controls after they have been authorised to use the device for accessing their employer’s data.

 

[12] Note that this is a risk the NIS Directive attempts to mitigate.

[13] Information on this is available at: www.cyberessentials.ncsc.gov.uk.

[14] Commissioned by the software company Intercede.

[15] The 2017 OWASP Top 10 can be found at: www.owasp.org/index.php/Top_10-2017_Top_10.

[16] Available at: www.itgovernance.co.uk/shop/Product/isoiec-27001-2013-iso-27001-standard-isms-requirements.

[17] Available at: www.itgovernance.co.uk/shop/product/iso-27017-2015-information-security-controls-for-cloud-services.

[18] Available at: https://cloudsecurityalliance.org/group/cloud-controls-matrix.

[19] BSI, “European Secure Cloud Label (ESCloud Label)”, www.bsi.bund.de/EN/Topics/CloudComputing/ESCloudLabel/ESCloudLabel_node.html.

[20] Available at: www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html.

[21] At the time of writing, the latest version is G-Cloud 10 (updated in 2018), available at www.gov.uk/guidance/g-cloud-templates-and-legal-documents.
