CHAPTER 15
Information Governance for Cloud Computing*

By Monica Crocker and Robert Smallwood

Cloud computing represents one of the most significant paradigm shifts in information technology (IT) history. It may have evolved as an extension of sharing an application-hosting provider, which has been around for a half century and was common in highly regulated vertical industries, such as banks and healthcare institutions. But cloud computing is a very different computing resource, utilizing advances in IT architecture, system software, improved hardware speeds, and lower storage costs.

The impetus behind cloud computing is that it provides economies of scale by spreading costs across many client organizations and pooling computing resources while matching client computing needs to consumption in a flexible, (nearly) real-time way. Cloud computing can be treated as a utility that is vastly scalable and can be readily modulated, just as the temperature control on your furnace regulates your energy consumption. This approach has great potential, promising on-demand computing power, off-site backups, strong security, and “innovations we cannot yet imagine.”1

When executives hear of the potential cost savings and elimination of capital outlays associated with cloud computing, their ears perk up. Cloud deployments can give users some autonomy and independence from their IT department, and IT departments are enthused to have instant resources at their disposal and to shed some of the responsibilities for infrastructure so they can focus on business applications. Most of all, they are excited by the agility offered by the on-demand provisioning of computing and the ability to align IT with business strategies more nimbly and readily.

But for all the hoopla and excitement, there are also grave concerns about security risks and loss of direct IT control, which call for strict information governance (IG) policies and processes. Managers and IT leaders who are customers of cloud computing services are ultimately responsible for IT performance. A number of critical IG challenges associated with cloud computing must be addressed. These include privacy and security issues, records management (RM) issues, and compliance issues, such as the ability to respond to legal discovery orders. In addition, there are metadata management and custody challenges to consider. An investigation and analysis of how the cloud services provider(s) will deliver RM capability is crucial to supporting IG functions, such as archiving and e-discovery, and meeting IG policy requirements.

Organizations need to understand the security risks of cloud computing, and they must have IG policies and controls in place for leveraging cloud technology to manage electronic information before moving forward with a cloud computing strategy.

Defining Cloud Computing

The definition of cloud computing is, rather, well, cloudy, if you will. The flurry of developments in cloud computing makes it difficult for managers and policy makers to define it clearly and succinctly, and to evaluate available options. Many misconceptions and vagaries surround cloud computing. Some misconceptions and questions include:

  • “That hosting thing is like SaaS.”
  • “Cloud, SaaS, all the same, we don't own anything.”
  • “OnDemand is Cloud Computing.”
  • “ASP, Hosting, SaaS seems all the same.”
  • “It all costs the same, so what does it matter to me?”
  • “Why should I care if it's multitenant or not?”
  • “What's this private cloud versus public cloud?”2

Cloud computing is a shared resource that provides dynamic access to computing services that may range from raw computing power, to basic infrastructure, to fully operational and supported applications.

It is a set of newer information technologies that provides for on-demand, modulated, shared use of computing services remotely. This is accomplished by telecommunications via the Internet or a virtual private network (which may provide more security). It eliminates the need to purchase server hardware and deploy IT infrastructure to support computing resources and gives users access to applications, data, and storage within their own business unit environments or networks.3 Perhaps the best feature of all is that services can be turned on or off, increased or decreased, depending on user needs.

There are a range of interpretations and definitions of cloud computing, some of which are not completely accurate. Some merely define it as renting storage space or applications on a host organization's servers; others center definitions around Web-based applications like social media and hosted application services.

Someone has to be the official referee, especially in the public sector. The National Institute of Standards and Technology (NIST) is the official federal arbiter of definitions, standards, and guidelines for cloud computing. NIST defines cloud computing as:

a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.4

NIST has offered its official definition, but “the problem is that (as with Web 2.0) everyone seems to have a different definition.”5 The phrase “the cloud” has entered the mainstream—it is promoted on prime-time TV—but its meaning and description are in flux: that is, if you ask 10 different people to define it, you will likely get 10 different answers. According to Eric Knorr and Galen Gruman in InfoWorld, it's really just “a metaphor for the Internet,” but when you throw in “computing” alongside it, “the meaning gets bigger and fuzzier.” Cloud computing provides “a way to increase capacity [e.g. computing power, network connections, storage] or add capabilities dynamically on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-per-use service that, in (near) real time over the Internet, extends IT's existing capabilities.”6

Given the changing nature of IT, especially for newer developments, NIST has stated that the definition of cloud computing “is evolving.” People looking for the latest official definition should consult the most current definition available from NIST's Web site at www.nist.gov (and other resources).

Key Characteristics of Cloud Computing

NIST also identifies five essential characteristics of cloud computing:

  1. On-demand self-service. A [computing] consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
  2. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, laptops, and PDAs [personal digital assistants]).
  3. Resource pooling. The [hosting] provider's computing resources are pooled to serve multiple consumers using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
  4. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
  5. Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.7

What Cloud Computing Really Means

Cloud computing growth is expected to continue to climb dramatically. A recent Gartner study shows that the United States is the leader in adopting cloud computing, and the market is expanding rapidly.8 The cloud computing market is expected to grow 21% annually from 2012 to 2016, exceeding $16 billion in 2014 and growing to over $22 billion in 2016.9

The use of service-oriented architecture—which separates infrastructure, applications, and data into layers—permeates enterprise applications, and the idea of loosely coupled services running on an agile, scalable infrastructure may eventually “make every enterprise a node in the cloud.” That is the direction the trend is headed. “It's a long-running trend with a far-out horizon. But among big metatrends, cloud computing is the hardest one to argue with in the long term”10 (emphasis added).

A common misconception is that an organization “moves to the cloud.” In reality, the organization may decide to transition some specific business applications to the cloud. Those specific business applications are selected because a cloud architecture may offer crucial functions that the internally hosted solution does not or because the internal solution is burdensome to maintain. Some examples of business applications that frequently are moved to the cloud include advertising, collaboration, e-mail, office productivity applications, sales support solutions, customer response systems, file storage, and system backups.

Another common misconception is that if your organization does not decide to migrate to a cloud solution, you are protected from all the dangers of cloud computing. The hard facts are that, for the vast majority of organizations, users are already putting information in the cloud. They are simply using cloud solutions to compensate for limitations of the current environment. They may be using Box to get at information when working remotely or Dropbox to share information with an outside business partner. Or they are using OneDrive to get to documents from their iPad. They may not even realize they just posted company information to a cloud environment, so they do not realize they violated any policy against doing that. To complicate matters, they probably also left a copy of the information within your organization's firewall. Internal users might not realize they are not using the current version, and your records manager does not know another copy is floating around out there. This is completely ungoverned information in the cloud. The best defense against it is to deliver solutions for those business needs so that users do not have to find their own.

Cloud Deployment Models

Depending on user needs and other considerations, cloud computing services typically are deployed using one of four models, as defined by NIST:

  1. Private cloud. This is dedicated to and operated by a single enterprise. This is a particularly prudent approach when privacy and security are key issues, such as in the health care and financial services industries and also for sensitive government or military applications and data. A private cloud may be managed by the organization or a third party and may exist on or off premises.
  2. Community cloud. Think co-ops, nonprofit organizations, and nongovernmental organizations. In this deployment, the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on or off premises.
  3. Public cloud. Open to the public, this cloud can be maintained by a user group or even a fan club. In this case, “the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.”
  4. Hybrid cloud. This utilizes a combined approach, using parts of the aforementioned deployment models: private, community, and/or public. The cloud infrastructure is a “composition of two or more clouds, (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load-balancing between clouds)” (emphasis added).11

Benefits of the Cloud

The risks and security vulnerabilities of cloud computing have been reviewed in this chapter—so much so that perhaps some readers wonder whether cloud computing is truly worth it. The answer is a qualified yes—it can be, based on your organization's business needs and computing resource capabilities. Besides the obvious benefit of getting your company out of the IT infrastructure business and back to focusing on its real business goals, there are many benefits to be gained from cloud computing solutions.

Some of the specific benefits offered by cloud computing solutions are listed next:

  • Cloud computing solutions provide a means to support bring-your-own-device (BYOD) initiatives. As long as users have an Internet browser and Internet connectivity, they can use any device to access an application deployed in the cloud.
  • Your workers need to be able to access corporate information via a mobile device. Some cloud solutions allow them to access information stored in a secure location that only requires a smart phone and a login. Some of these solutions can even ensure that the information is not actually stored on the device itself. Entire applications, such as expense reporting, can be deployed this way and incorporate mobile capture technology as well.
  • Cloud computing solutions provide a mechanism to support collaboration with external business partners. You need to exchange information with an outside business partner in a manner that e-mail just will not support. For instance, you want to create one copy of the information that anyone on your team or on a business partner's team can access and that reflects any updates or changes on an ongoing basis. Or you need to exchange files that are large or in a format that is prohibited by your e-mail servers. And you do not want to grant partners access to information within your firewall and they do not want to grant you access to information within theirs. A third-party cloud-based file-sharing solution may provide the answer. You can post files there, partners can access them, you can update them as necessary, and everyone always has access to the most current version of the information without compromising security to your network.
  • A cloud file storage solution provides a better alternative to remote information access than having users copy information to unsecured removable media or send an e-mail to their personal e-mail account. Again, it prevents duplication of information, provides access to the most current version of information, and stores information in an environment that only authenticated users can access.
  • Cloud computing solutions also can form a key part of your organization's disaster recovery/business continuity strategy. If your data center is rendered inoperable, users still can access applications and information hosted by cloud providers. Most cloud providers have redundant data centers so that, even if one of their data centers was affected by the same incident that rendered your data center inaccessible, all your information is available. Many organizations deploy solutions to back up their in-house applications to a cloud-based storage provider for just this reason. It is a way to provide geographic diversification.

The business benefits of cloud computing may largely outweigh the security threats for the vast majority of enterprises, so long as they are anticipated and the preventive actions described are taken.

Security Threats with Cloud Computing

Cloud computing comes with serious security risks—some of which have not yet been uncovered. In planning your cloud deployment, these risks must be borne in mind and dealt with through controls and countermeasures. Controls must be tested and audited, and the actual enforcement must be carried out by management. Key cloud computing security threats are discussed next, along with specific examples and remedial measures that can be taken (fixes). The majority of this information and quotations are from the Cloud Security Alliance.12

Information Loss

When information is deleted or altered without a backup, it may be lost forever. Information also can be lost by unlinking it from its indices, deleting its identifying metadata, or losing its encoding key, which may render it unrecoverable. Another way data/document loss can occur is by storing it on unreliable media. And as with any architecture—not just cloud computing—unauthorized parties must be prevented from hacking into the system and gaining access to sensitive data. In general, providers of cloud services have more resources at their disposal than their individual clients typically have.

Examples

  • Basic operational failures, such as server or disk drive crashes.
  • Data center reliability, backup, and disaster recovery/business continuity issues.
  • Implementation of information purging without your approval (e.g. purging all data over three years old without regard to your retention schedule or existing legal holds).

The Fixes

  • Agreement by cloud provider to follow standard operating procedures for data backup, archiving, and retention.
  • Standard procedures for information purges that require your sign-off before they are completed.
  • Check your insurance coverage. Are you covered for the costs or liability associated with a breach or loss of information that is stored in the cloud?
  • Clear delineation of the process for notifying the client of a security breach or data loss.
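The purge-without-approval failure described in the examples above, set beside the retention-schedule, legal-hold and sign-off controls the fixes call for (and the certificate-of-destruction output raised later in this chapter), as an added example that is not the chapter's own code nor any cloud provider's. The retention schedule, record inventory, legal-hold list and approver name are all constructed for illustration.

```python
"""Retention-aware purge evaluation (added example, not the chapter's code).

Assumptions (constructed for illustration): a retention schedule mapping record
series to a minimum retention period in days, a set of record ids under legal
hold, and an inventory of records with their creation dates.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: record series -> minimum retention in days.
RETENTION_SCHEDULE = {
    "invoice": 7 * 365,    # long retention, e.g. finance/tax driven
    "email": 3 * 365,
    "marketing": 1 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    series: str
    created: date


@dataclass
class PurgeDecision:
    eligible: list               # retention expired and no hold: may be purged
    blocked_by_hold: list        # under legal hold: must never be purged
    blocked_by_retention: list   # retention period has not yet expired
    unknown_series: list         # not on the schedule: fail closed, keep


def naive_age_purge(records, as_of, max_age_days=3 * 365):
    """The failure mode from the chapter: a provider purging everything older
    than three years with no regard to the retention schedule or legal holds."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r.record_id for r in records if r.created < cutoff]


def evaluate_purge(records, as_of, schedule=RETENTION_SCHEDULE,
                   legal_holds=frozenset()):
    """Classify each record against the client's own rules.

    A record is eligible only if its series' retention period has expired
    AND it is not under legal hold. Legal hold is checked first so a hold
    always wins over an expired retention period. Records whose series is not
    on the schedule are kept (fail closed) and reported for review.
    """
    decision = PurgeDecision([], [], [], [])
    for r in records:
        if r.record_id in legal_holds:
            decision.blocked_by_hold.append(r.record_id)
            continue
        if r.series not in schedule:
            decision.unknown_series.append(r.record_id)
            continue
        expires = r.created + timedelta(days=schedule[r.series])
        if as_of < expires:
            decision.blocked_by_retention.append(r.record_id)
        else:
            decision.eligible.append(r.record_id)
    return decision


def execute_purge(decision, approved_by=None):
    """The sign-off control: refuse to purge unless a named client approver has
    signed off, then return a certificate-of-destruction style summary."""
    if not approved_by:
        raise PermissionError("purge requires client sign-off before execution")
    return {
        "destroyed": sorted(decision.eligible),
        "retained_on_hold": sorted(decision.blocked_by_hold),
        "retained_for_review": sorted(decision.unknown_series),
        "approved_by": approved_by,
    }


# Constructed sample inventory and legal-hold list.
SAMPLE_RECORDS = [
    Record("INV-0001", "invoice", date(2009, 1, 15)),   # old, but under hold
    Record("INV-0002", "invoice", date(2010, 3, 1)),    # old, 7-year retention
    Record("EM-0003", "email", date(2010, 5, 1)),       # old, retention expired
    Record("MK-0004", "marketing", date(2013, 12, 1)),  # recent, still retained
    Record("X-0005", "legacy", date(2005, 1, 1)),       # series not scheduled
]
SAMPLE_HOLDS = frozenset({"INV-0001"})
AS_OF = date(2014, 6, 1)

if __name__ == "__main__":
    print("naive provider purge would delete:", naive_age_purge(SAMPLE_RECORDS, AS_OF))
    decision = evaluate_purge(SAMPLE_RECORDS, AS_OF, legal_holds=SAMPLE_HOLDS)
    print("governed decision:", decision)
    print(execute_purge(decision, approved_by="records manager (constructed)"))
```

Run as-is, the naive rule selects the held invoice and the unexpired seven-year invoice for deletion, while the governed evaluation releases only the expired e-mail record and withholds everything else pending the client's sign-off.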

Information Breaches

Many times damage to information is malicious, while other times damage is unintentional. Lack of training and awareness, for example, can cause an information user to accidentally compromise sensitive data. Organizations must have proactive IG policies that combat either type of breach. The loss of data, documents, and records is always a threat and can occur whether cloud computing is utilized or not.

But the threat of data compromise inherently increases when using cloud computing, due to “the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.”

Examples

  • Lack of document life cycle security (DLS) technologies, such as data loss prevention (DLP) and information rights management (IRM) technologies.
  • Insufficient authentication, authorization, and audit (AAA) controls to govern login access.
  • Ineffective encryption and software keys, including lost keys or inconsistent encryption.
  • Security challenges related to persistent data or ineffective disposal methods.
  • Inability to verify disposal at the end of information life cycle.

The Fixes

  • DLS implementation where needed to protect information from creation to its final disposition.
  • Strong encryption to protect sensitive data at rest, in use, and in transit.
  • IG policies for data and document security during the software application design phase as well as testing and auditing the controls for those policies during live operation.
  • Secure storage, management, and document destruction practices.
  • Contractual agreement by cloud service providers to completely delete data before storage media are reused by other clients.
  • Check your insurance coverage. Are you covered for the costs or liability associated with a breach or loss of information that is stored in the cloud?
  • Clear delineation of the process for notifying the client of a security breach or data loss.

The Enemy Within: Insider Threats

Since the advent of the National Security Agency controversy and the slew of examples in the corporate world, the threat of the malicious insider is well known. “This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure” (emphasis added). It is important to understand your cloud provider's security procedures for its employees: How are they screened? Are background checks performed? How is physical access to the building and data center granted and monitored? What are its remedial procedures for noncompliance?

When these security, privacy, and support issues are not fully investigated, it creates an opportunity for identity thieves, industrial spies, and even “nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.”

Examples

  • A cloud provider's employee steals information to give or sell to one of your company's competitors.
  • Inadequate screening processes (by your company or a cloud provider) can result in the hiring of people with criminal records, granting them access to sensitive information.
  • A cloud provider's subcontractor steals information to give or sell to one of your company's competitors.
  • A cloud provider's employee allows unauthorized access to data that your company believes is secure in the cloud.
  • The physical cloud storage facility lacks security, so anyone can enter the building and access information.

The Fixes

  • Implementation of DLP and IRM technologies and related technology sets at all stages of DLS.
  • Assessment of suppliers’ practices and complete supply chain, especially those services that are subcontracted.
  • Screening and hiring requirements (e.g. background checks) for employees as part of contract with cloud provider.
  • Transparent policies regarding information security, data management, compliance, and reporting, as approved by the client.
  • Clear delineation of the process for notifying the client of a security breach or data loss.

Hacking and Rogue Intrusions

Although cloud computing providers, as a rule, invest heavily in security, they also can be the target of attacks, and those attacks can affect many client enterprises. Providers of cloud infrastructure service (e.g. network management, computing power, databases, storage) offer their customers the illusion of unlimited infrastructure expansion in the form of computing, network resources, and storage capacity. Often this is coupled with a very easy sign-up process, free trials (even for anonymous users), and simple activation with a credit card. This is a boon to hackers who can assume multiple identities. Using these anonymous accounts to their advantage, hackers and spammers can engage in criminal operations while remaining elusive.

Examples

  • Cloud services providers have often unknowingly hosted malicious code, including Trojan horses, keystroke loggers, bot applications, and other programs that facilitate data theft. Recent examples include the Zeus botnet and InfoStealer.
  • Malware can masquerade as downloads for Microsoft Office, Adobe PDFs, or other innocuous files.
  • Botnets can infect a cloud provider to gain access to a wide range of data, while leveraging the cloud provider's control capabilities.
  • Spam is a perennial problem—each new countermeasure is met with new ways to sneak spam through filters to phish for sensitive data.

The Fixes

  • IG policies and monitoring controls must require tighter initial registration and thorough user verification processes.
  • IG policies and technologies to combat credit card fraud.
  • Total network monitoring, including deep content inspection.
  • Requirement that the cloud provider regularly monitor public blacklists to check for exploitation.

Insecure Points of Cloud Connection

By their very nature, cloud computing solutions involve the movement of information. Information moves from a workstation in your network to the cloud, from the cloud to a mobile device user, from an external partner to the cloud and then to one of your workstations, and so on. Further, information may be moved automatically from an application in the cloud to an application you host internally and vice versa. The movement of information complicates the process of securing it, as it now must be protected at the point of origin, the point of receipt, on the device that transmits it, on the device that receives it, and at all times when it is in transit.

An application programming interface (API) is a way of standardizing the connection between two software applications. APIs are essentially standard hooks that an application uses to connect to another software application—in this case, a system in the cloud. System actions like provisioning, management, orchestration, and monitoring can be performed using these API interfaces.

It comes down to this: a chain is only as strong as its weakest link, so APIs must be thoroughly tested to ensure that all connections abide by established policy. Doing this will thwart hackers seeking work-arounds for ill intent as well as valid users who have made a mistake. It is possible for third parties to piggyback value-added services on APIs, resulting in a layered interface that is more vulnerable to security breaches.

Examples

  • Anonymous logins and reusable passwords can undermine the security of an entire cloud community.
  • Unencrypted transmission or storage and unencrypted verification allow successful man-in-the-middle data theft.
  • Rigid basic access controls or false authorizations pose a threat.
  • Poor management, monitoring, and recording of cloud logins and activity make it difficult to detect malicious behavior.
  • Weak APIs provide opportunities for data compromise.
  • Dependency on unregulated API interfaces, especially third-party add-ons, can allow critical information to be stolen as necessary connections are made.

The Fixes

  • Utilization of multiple logon authentication steps and strong access controls.
  • Encryption of sensitive data during transmission.
  • More robust and secure API access control.
  • An understanding of the security model of cloud provider APIs and interfaces, including any third-party or organization-created dependencies.
  • Understanding how the API impacts associated cloud usage.

Issues with Multitenancy and Technology Sharing

Basic cloud infrastructure is designed to leverage scale through the sharing of components. Despite this, many component manufacturers have not designed their products to function in a multitenant system. Newer architectures will evolve to address this issue.

In the meantime, virtual computing is often used, allowing for multiple instances of an operating system (OS) (and applications) to be walled off from others that are running on the same computer. Essentially, each instance of the OS runs independently, as if it were the only one on the computer. A “virtualization hypervisor mediates access between guest operating systems and the physical compute resources” (like central processing unit processing power). Yet flaws have been found in these hypervisors “that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform”—and therefore indirectly impact the other guest OSs running on the machine. To combat this, “security enforcement and monitoring” of all shared computing resources must be employed. Solid partitions between the guest OSs—known as compartmentalization—should be employed to ensure that one client's activities do not interfere with others running on the same cloud provider. Customers should never have access to any other tenant's “actual or residual data, network traffic” or other proprietary data.

Examples

  • Joanna Rutkowska's Blue Pill rootkit technique, which describes how an unauthorized user could intercept data by using virtual hardware called a hypervisor. The Blue Pill would be undetectable as long as the host system was functioning properly. Rutkowska also developed a Red Pill, which could detect a Blue Pill hypervisor, allowing the owner to eliminate it.
  • Kostya Kortchinsky's CloudBurst is another example of hypervisor exploitation.

The Fixes

  • Security IG that leverages best practices for installation, configuration, monitoring, testing, and auditing of cloud computing resources.
  • Requirements for monitoring the computing environment for any rogue intrusions or misuse of cloud resources.
  • Control and verify access. Promote a more secure two-factor authentication procedure.
  • Enforceable service-level agreements (SLAs) for patching software bugs, addressing data breaches, and fixing vulnerabilities.
  • An IG policy that requires regular audits and evaluations to detect weaknesses in cloud security and configuration.

Hacking, Hijacking, and Unauthorized Access

Hacking into accounts to assume the identity of an authorized user has been happening almost since personal e-mail existed. It can be as simple as stealing passwords with a keystroke logger. Attack methods such as social engineering (e.g. phishing), fraud by identity theft, and exploitation of software vulnerabilities are still effective at compromising systems. Most people recycle a few passwords and reuse them for multiple accounts, so once one is breached, criminals can gain access to additional accounts. If login credentials are compromised, a hacker can monitor nearly everything your organization is doing: a less passive hacker might alter or destroy sensitive documents, create false information, or replace your links with fraudulent ones that direct users to sites harboring malware or phishing scams. Once they have control, it can look like your organization is the origin of the malicious downloads or information capture. From here, the attackers can assume the good name and reputation of an organization to further their attacks.

Examples

  • Examples are widespread in the general population; however, no clear instances of this occurring with cloud services providers are known (as this book goes to press).

The Fixes

  • IG policies should clearly state that users and providers should never reveal their account information to anyone.
  • An IG policy should require more secure two-factor authentication techniques to verify login identity, where possible.
  • Require your cloud services provider to actively monitor and log all activity in order to quickly identify users engaging in fraudulent actions or those that otherwise fail to comply with the client's IG policy.
  • Understand, analyze, and evaluate the cloud provider's contract, especially regarding security protocols. Negotiate improved terms in SLAs to improve or enhance security and privacy.

Who Are Your Neighbors?

Knowing your neighbors—those who are sharing the same infrastructure with you—is also important, and, as we all know, good fences make good neighbors. If the cloud services provider will not or cannot be forthcoming about who else is sharing its infrastructure services with your organization and this becomes a significant issue, you may want to insert contract language that forbids any direct competitor from sharing your servers. These types of terms are always difficult to verify and enforce, so moving to a private cloud architecture may be the best option.

Examples

  • The Internal Revenue Service (IRS) utilized Amazon's Elastic Compute Cloud service. When the IRS asked Amazon for a certification and accreditation (C&A) report, Amazon declined. (Note: The C&A process was developed to help ensure compliance with NIST standards and mandated by the Office of Management and Budget, which oversees Federal Information Security Management Act of 2002 compliance.)
  • Heartland, a payment processing corporation, suffered a data breach in 2008. Hackers stole account details for over 100 million credit and debit cards. This data was stored on Heartland's network, which the hackers broke into using information (pertaining to employees, corporate structure, company networks, and related systems) they had stolen in the weeks leading up to the major breach.

The Fixes

  • An IG policy that requires full disclosure of activity and usage logs and related information. Audit the policy for compliance.
  • Investigate the architecture of your cloud services provider (e.g. version levels, network operating systems, firewalls).
  • Robust and vigilant supervision, logging, and reporting of all system activity, with particular attention to any request for expansive or detailed reports on how sensitive information is handled.

Additional IG Threats and Concerns

A primary selling point of cloud computing is that enterprises are freed up to focus on their core business rather than being focused on providing IT services. Modulating computer hardware and software resources without making capital expenditures is another key advantage. Both of these business benefits allow companies to invest more heavily in line-of-business activities and focus on their core products, services, and operations. However, the security risks must be weighed against the financial and operational advantages. Further complicating things is the fact that cloud deployments often are enthusiastically driven by advocates who focus inordinately on potential benefits and do not factor in risk and security issues. Additional examples of IG concerns are listed next:

  • Lack of clarity about who owns the information (and if that changes at any point).
  • Risk of association with any larger failures of the cloud provider.
  • Inability of the cloud services provider to manage records at the file level.
  • Inability to closely follow the user's retention schedule and produce certificates of destruction at the end of the information life cycle. This may result in information that is held for too long and ends up costing the client unnecessary expense if it is deemed to be responsive to litigation or other legal action.
  • Lack of RM functionality in many cloud-based applications. This problem is not unique to cloud platforms, but the key difference is that internal storage resource systems may have functionality that supports integration with a RM solution. It is unlikely that a cloud provider will provide the option of integrating your in-house RM system with its system. Too many potential security, access control, and performance issues may result.
  • Inability to implement legal holds when litigation is pending or anticipated.
  • Poor response time—inability to deliver files quickly and in line with user expectations.
  • Limited ability to ensure that your cloud provider meets your duties to follow regulations related to the governance of your information.
  • Jurisdiction and political issues that may arise due to the fact that the cloud provider resides outside of the client's geographic region.
  • Storage of personally identifiable information (PII) on servers in Europe or other locales that prohibit or restrict the release of PII back to the United States (or home country of the cloud services client organization).13

An analysis of an organization's exposure to risk must include checking on software versions and revision levels, overall security design, and general IG practices. This includes updating software, tools, and policy, as needed.

Finally, for each of these challenges, “IG policies and controls to secure information assets” and “IG policies and controls to protect the most sensitive documents and data” are a key part of the solution.

New CIS Controls for Mobile Guide14

Consistent Security Is the Goal

In March 2019, the Center for Internet Security (CIS) released the Mobile Companion Guide to help organizations map the CIS controls and their implementation in mobile environments.15 The companion guide focuses on a consistent approach to applying the security recommendations in both Google Android and Apple iOS environments. Factors such as who owns the data and who owns the device affect how the device should be secured. The Mobile Companion Guide explores bring-your-own-device (BYOD), corporate-owned, personally enabled (COPE), fully managed, and unmanaged devices.

  • BYOD (bring your own device): Devices are owned by the end user but occasionally are used for work purposes. Access from BYOD devices to organizational resources should be strictly controlled and limited.
  • COPE (corporate-owned, personally enabled): COPE devices work in a fashion similar to BYOD. Restrictions will be applied to the device, but generally don't prevent most of what the user intends to do with the device.
  • Fully managed: Devices within this deployment scenario are typically locked down and only permitted to perform business functions. This means that employees have a second device for personal use.
  • Unmanaged: A popular model for small companies and startups, this is the most dangerous scenario to the enterprise and should be avoided, if possible.

The Guide also covers the systems that administer and monitor devices: enterprise mobility management (EMM), mobile device management (MDM), mobile application vetting (MAV), and mobile threat defense (MTD). The CIS Mobile Companion Guide includes a checklist for tracking implementation of the 20 controls on mobile devices, reproduced as the CIS Controls v7 Mobile Companion Checklist below.

All organizations operate mobile devices and need to adopt a security mindset and harden the devices to protect against the unique challenges of on-the-go mobile computing environments. The CIS Mobility Guide provides an excellent overview of how to address this challenge. The complete guide can be downloaded from https://www.cisecurity.org/blog/new-release-cis-controls-mobile-companion-guide/.

CIS Controls™ v7 Mobile Companion Checklist

Managing Documents and Records in the Cloud

The National Archives and Records Administration (NARA) has established guidelines for creating standards and policies for managing an organization's electronic records that are created, used, or stored in cloud computing environments:

  1. Include the Chief Records Management Officer and/or lead RM staff in the planning, development, deployment, and use of cloud computing solutions.
  2. Define which copy of records will be declared as the organization's record copy and manage these in accordance with information governance policies and regulations…. Remember, the value of records in the cloud may be greater than the value of any other set because of indexing or other reasons. In such instances, this added value may require designation of the copies as records.
  3. Include instructions for determining if records in a cloud environment are covered under an existing records retention schedule.
  4. Include instructions on how all records will be captured, managed, retained, made available to authorized users, and retention periods applied.
  5. Include instructions on conducting a records analysis, developing and submitting records retention schedules to an organization's central records department for unscheduled records in a cloud environment. These instructions should include scheduling system documentation, metadata, and related records.
  6. Include instructions to periodically test transfers of records to other environments, including departmental servers, to ensure the records remain portable.
  7. Include instructions on how data will be migrated to new formats, operating systems, and so on, so that records are readable throughout their entire life cycles. Include in your migration planning provisions for transferring permanent records in the cloud to central records.
  8. Resolve portability and accessibility issues through good records management policies and other data governance practices. Data governance typically addresses interoperability of computing systems, portability of data (able to move from one system to another), and information security and access. However, such policies by themselves will not address an organization's compliance and information governance demands and requirements.16

IG Guidelines for Cloud Computing Solutions

A set of guidelines aimed at helping you leverage cloud computing in a way that meets your business objectives without compromising your IG profile is presented next:

  1. As with any technology implementation, it is critical that you define your business objectives first, then select the provider that best meets your business objectives—provided, of course, it can meet your IG requirements. This is consistent with applying a proven IT project management methodology to the initiative. Even though the solution may reside outside your environment, the same basic phases for your project approach still apply, especially for those tasks related to documentation.
  2. As part of the project documentation, make sure to identify roles and responsibilities related to the system in at least the same level of detail you do for internally supported systems (preferably in more detail).
  3. The biggest deviation from your standard approach is the need to incorporate the investigation and application of the appropriate fixes described in the “Security Threats with Cloud Computing” section into your project plan. Again, as with any service contract, it is helpful to involve a good contract negotiator. The contract negotiation phase is when you have the most influence with your provider. Therefore, you have the greatest chance of mitigating potential risks and optimizing the benefits if you can incorporate specific requirements into the contract language.
  4. If the cloud computing paradigm is relatively new to your organization, try to figure out approaches to issues and high-level processes that can be reused in subsequent cloud computing projects. For instance, during the course of your project, you need to figure out:
    • How to migrate information including metadata to the cloud solution.
    • How to get your information including metadata back if you quit using that solution.
    • How to implement a legal hold.

Utilizing cloud computing resources provides an economical way to scale IT resources, which allows more focus on core business operations. It can deliver significant business benefits, but its risks must be carefully weighed, and specific threats countered, in the context of a long-range cloud deployment plan.

IG for SharePoint and Office 365

By Robert Bogue

Information Governance on SharePoint and Office 365 requires awareness of the capabilities offered by the platform itself and a basic understanding of the layers underlying the platform. In this section, we'll first cover the capabilities of SharePoint on-premises deployments, then the Office 365 infrastructure, and finally information governance in Office 365.

SharePoint IG Features

SharePoint as a product family has been available since late 2000. In that time many things have changed, including the underlying development technologies and platforms. During the changes the product developed a set of rich capabilities to support information governance. From a basic information management perspective SharePoint supports file versions, approvals, metadata, workflows, and a host of other expected capabilities. Since 2010, SharePoint has supported not just records but also basic eDiscovery capabilities including holds. SharePoint 2016 introduced data loss prevention support as well.

SharePoint's most basic unit of control is the content type. A content type bundles a set of properties and behaviors: which metadata columns are allowed and which are required, retention policies, available workflows, and more. Content types are not defined at the farm (installation) level, nor at the web application level (the host name). Instead they are defined at the site collection or site level. A site collection is, as the name suggests, a collection of sites. Because content types are defined at such a low level, consistency across different areas of the business suffers.

SharePoint does offer a content type hub which can publish content types to every site collection—minimizing the potential impact of having multiple definitions for the same type of content; however, the out-of-the-box functionality leaves opportunities for third parties to come in to offer a complete solution that can audit when individual site collection owners have modified the corporate published types.

Storage in SharePoint exists in either a list or a library which itself is located in a site. A list is simply a collection of rows which can have attachments and support versioning. A library is a collection of files and folders. Both lists and libraries use the same content type approach and therefore each item can have its own workflows, retention policies, can be declared as a record, and so on. While most of the considerations for information governance occur at a content type level, versioning is implemented in either the list or library.

Some IG options can be applied directly to a list or library. Most of the time, however, these functions are implemented under the covers as IG controls on the library's default content type rather than on the list or library itself.

Lists and libraries support two different mechanisms for records management. The first method declares a record by sending it to a records center. Each implementation can have one or more records centers. Once the record is sent to a records center it can be removed from the originating location, replaced with a link to the location in the records center, or left intact. Records can be declared manually or through the use of workflows.

The second records management implementation is referred to as in-place records management and the declaration of a record marks the information so that even users with permission to the item can't take prohibited actions, such as deleting the record. In-place records management resolves some of the concerns with findability of records. However, in-place records management does expose a large retention problem.

SharePoint, out-of-the-box, provides no mechanism for site or site collection lifecycle management. The result is that when an entire site should be destroyed because it's reached its expiration the process must be done manually or via an automated mechanism not built into SharePoint. This is particularly problematic when the records inside the site have different retention schedules where some should be deleted at one interval and others at another interval. Managing this process is left to third parties or organizations to solve themselves.

In addition to records management, SharePoint supports in-place holds. The holds can be triggered through the eDiscovery mechanisms or done manually. Starting with SharePoint 2013, a document on-hold can be modified, though the version that was placed on hold may not be destroyed. Management of holds is performed through an eDiscovery center. eDiscovery in SharePoint is SharePoint only-scoped and therefore represents one more repository to be managed when responding to a request.

Office 365 Infrastructure

It is important to understand that Office 365 is built on top of Microsoft Azure services and delivered from Microsoft Azure data centers. Microsoft maintains numerous certifications, both for overall compliance and for specific industry regulations, which means the physical and data security of the data centers serving Office 365 has been independently audited. Those audits cover Microsoft's infrastructure, not how an individual tenant is configured.

Additionally, Office 365 is built on the Azure Active Directory service, which lets organizations synchronize their on-premises Active Directory to an Azure-hosted replica. That replica can be used only as a directory or, with password hash synchronization, for authentication. The cleartext password is never synchronized; the on-premises password hash is re-hashed with a per-user salt using SHA256 (1,000 iterations of HMAC-SHA256) before it is sent to Azure Active Directory, so the value stored in the cloud cannot be replayed against the on-premises domain.

Microsoft offers a variety of authentication security options, some not included in every Office 365 license, that provide multifactor authentication as well as other limitations and controls, including rules based on where the login attempt originates. Organizations that do not want to rely on Microsoft's authentication safeguards, or that have additional requirements, can authenticate through a federated identity provider, either a third party or organization-hosted Active Directory Federation Services (ADFS), which is included in the Windows Server license. ADFS allows even more fine-grained control over who can log in, at what times, from what locations, and what they must do to prove their identity.
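To make the two preceding paragraphs concrete, here is an added Python example (not Microsoft's code) of what the cloud side of password hash synchronization and a location-based sign-in rule look like. The re-hash step is modelled on the documented scheme: the 16-byte on-premises NT hash is rendered as hex, UTF-16-LE encoded, and run through 1,000 iterations of PBKDF2-HMAC-SHA256 with a per-user salt; the hex case, the 10-byte salt length and the exact byte layout are assumptions here. The policy evaluator is a simplified stand-in for conditional-access or ADFS claim rules, and the sample NT hash is the well-known hash of the string "password", used as constructed input.

```python
"""Cloud-side handling of a synchronized password hash plus a location rule
(added example, not Microsoft's implementation)."""
import hashlib
import hmac
import os

ITERATIONS = 1000   # documented round count for the cloud-side re-hash
SALT_LEN = 10       # documented per-user salt length in bytes (assumed exact)


def protect_nt_hash(nt_hash, salt=None):
    """Return (salt, protected) for a 16-byte NT hash. The protected value is
    what the cloud directory stores; it is not the NT hash and so cannot be
    used in a pass-the-hash attack against on-premises Active Directory."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    material = nt_hash.hex().upper().encode("utf-16-le")  # 64 bytes (hex case assumed)
    protected = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)
    return salt, protected


def password_matches(nt_hash, record):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = protect_nt_hash(nt_hash, record["salt"])
    return hmac.compare_digest(candidate, record["protected"])


def evaluate_signin(attempt, record, policy):
    """Return (allowed, reason): password first, then the assumed location
    and MFA rules of the kind the text describes."""
    if not password_matches(attempt["nt_hash"], record):
        return False, "bad_password"
    if attempt["country"] in policy["blocked_countries"]:
        return False, "blocked_location"
    if attempt["country"] not in policy["trusted_countries"] and not attempt["mfa_passed"]:
        return False, "mfa_required"
    return True, "ok"


# Constructed data: the well-known NT hash of "password", a fixed salt so the
# results are reproducible, and a toy policy ("ZZ" is a placeholder country).
NT_HASH_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
FIXED_SALT = bytes(range(SALT_LEN))
RECORD = dict(zip(("salt", "protected"), protect_nt_hash(NT_HASH_PASSWORD, FIXED_SALT)))
POLICY = {"trusted_countries": {"US"}, "blocked_countries": {"ZZ"}}


if __name__ == "__main__":
    print("cloud-stored value:", RECORD["protected"].hex())
    for country, mfa in (("US", False), ("FR", False), ("FR", True), ("ZZ", True)):
        attempt = {"nt_hash": NT_HASH_PASSWORD, "country": country, "mfa_passed": mfa}
        print(country, mfa, evaluate_signin(attempt, RECORD, POLICY))
```

Two properties are worth noticing when running it: the stored value changes completely with the salt, so two users with the same password do not share a cloud record, and a copy of the cloud record is useless for authenticating to the on-premises domain, which still expects the raw NT hash. The rule order also matters: a blocked location is refused even with a correct password and MFA.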

Office 365 IG

IG in Office 365 starts with all of the SharePoint features for SharePoint and OneDrive content, plus everything conveyed by the base infrastructure, plus capabilities unique to Office 365. Customer Key, for example, lets organizations bring their own encryption keys, so that Microsoft cannot hand over decrypted information even when a court or government requires it to turn over customer data. An organization would presumably still be required to provide its keys to lawful authorities, but having the request come directly to the organization lets it exercise its legal rights to contest the request.

More broadly, Office 365 has a security and compliance center which provides a platform view of many information governance concerns. Data governance and data loss prevention are both across-service features that apply to Exchange and SharePoint. This provides a single approach that functions across the service regardless of whether the data is stored or transmitted. These features are, at the time of this writing, integrating Azure information protection labels and experiences in Outlook and SharePoint including mobile clients.

While these information governance capabilities do not use the historical SharePoint approaches for data loss prevention nor records management, the fact that they can be applied across the entire offering make them a compelling solution for addressing the multiple repository problem that plagues all large organizations. While the scope extends only to the Microsoft offerings, this can represent a substantial portion of an organization's information governance needs.
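The across-service DLP feature is configured through policies rather than code, but the detection it performs can be illustrated. The following Python is an added example, not Microsoft's implementation: it applies the classic payment-card rule (a run of 13 to 19 digits that passes the Luhn checksum) to a few constructed items and decides an action under an assumed simple policy, blocking matching content that would leave the organization and labelling matching content that stays inside. The card numbers are published test numbers, and the "order number" item shows why the checksum matters.

```python
"""Minimal payment-card DLP check over constructed content (added example)."""
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass Luhn; runs of
    digits that fail the checksum (order numbers, phone numbers) are dropped."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(item):
    """Assumed policy: block if card data would leave the organization, label
    if it stays internal, allow if no card data is found."""
    cards = find_card_numbers(item["body"])
    if not cards:
        return {"action": "allow", "matches": 0}
    if item["external_recipients"]:
        return {"action": "block", "matches": len(cards)}
    return {"action": "label:Confidential", "matches": len(cards)}


# Constructed sample content. 4111 1111 1111 1111 and 5500 0000 0000 0004 are
# published test numbers; 1234 5678 9012 3456 fails the Luhn check.
SAMPLE_ITEMS = [
    {"id": "mail-1", "external_recipients": True,
     "body": "Hi, please charge 4111 1111 1111 1111 exp 09/27 for the invoice."},
    {"id": "doc-2", "external_recipients": False,
     "body": "Card on file: 5500-0000-0000-0004 (do not share)."},
    {"id": "mail-3", "external_recipients": True,
     "body": "Your order number is 1234 5678 9012 3456, shipping Tuesday."},
]


def run_policy(items=SAMPLE_ITEMS):
    """Apply the policy to every item and return {id: verdict}."""
    return {item["id"]: classify(item) for item in items}


if __name__ == "__main__":
    for item_id, verdict in run_policy().items():
        print(item_id, verdict)
```

A real DLP rule adds corroborating evidence (keywords such as "exp" or "CVV" near the match, match counts, and sender or location context) before acting, because a checksum alone still accepts some non-card digit runs; the value of doing this once at the platform level is that Exchange, SharePoint and OneDrive content are judged by the same rule rather than by three separately maintained ones.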

Notes

  1. Cloud Security Alliance, “Top Threats to Cloud Computing V1.0,” March 2010, https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf, p. 6.
  2. R. “Ray” Wang, “Tuesday's Tip: Understanding the Many Flavors of Cloud Computing and SaaS,” March 22, 2010, http://blog.softwareinsider.org/2010/03/22/tuesdays-tip-understanding-the-many-flavors-of-cloud-computing-and-saas/.
  3. NARA Bulletin 2010-05, “Guidance on Managing Records in Cloud Computing Environments,” September 8, 2010, www.archives.gov/records-mgmt/bulletins/2010/2010-05.html.
  4. Peter Mell and Tim Grance, “NIST Definition of Cloud Computing,” Version 15, October 7, 2009, http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf (accessed December 12, 2013).
  5. Eric Knorr and Galen Gruman, “What Cloud Computing Really Means,” New York Times, April 7, 2008.
  6. Ibid.
  7. Peter Mell and Tim Grance, “NIST Definition of Cloud Computing,” Version 15, October 7, 2009, www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf.
  8. Gartner Press Release, “Gartner Says Worldwide Public Cloud Services Market to Total $131 Billion,” February 28, 2013, www.gartner.com/newsroom/id/2352816.
  9. This and the next quotes in this section are from Louis Columbus, “451 Research: Cloud-Enabling Technologies Revenue Will Reach $22.6B by 2016,” September 26, 2013, http://softwarestrategiesblog.com/2013/09/26/451-research-cloud-enabling-technologies-revenue-will-reach-22-6b-by-2016/.
  10. Ibid.
  11. All definitions are from Mell and Grance, “NIST Definition of Cloud Computing.”
  12. Cloud Security Alliance, “Top Threats to Cloud Computing V1.0.”
  13. Gordon E. J. Hoke, CRM, e-mail to author, June 10, 2012.
  14. Source: https://www.cisecurity.org.
  15. https://www.cisecurity.org/blog/new-release-cis-controls-mobile-companion-guide/.
  16. NARA Bulletin 2010-05, “Guidance on Managing Records in Cloud Computing Environments.”
  * Portions of this chapter are adapted from Chapter 12, Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.