THE CLOUD OFFERS COMPANIES and individuals access to vast amounts of computing power at economies of scale only made possible by distributed architectures. However, those same distributed architectures can bring a unique set of risks and legal challenges to companies due to the geographic distribution of services the cloud provides. The cloud, powered by the Internet, flows freely across the borders of countries as information is stored in data centers worldwide and travels the globe. Determining what laws apply to cloud computing environments is an ongoing challenge, as in many situations, the company may be based in one country, host services in another, and be serving customers across the globe. In addition, the convenience and scalability offered by the cloud necessitates the acceptance of additional risks introduced by the reliance on a third-party provider.
One indisputable fact that has arisen with cloud computing is that the legal and compliance efforts of computing have become more complex and time-consuming. With data and compute power spread across countries and continents, international disputes have dramatically increased. Hardly a day goes by without a news story about a conflict relating to violations of intellectual property, copyright infringements, and data breaches. These types of disputes existed well before the ascendence of cloud computing, but they have definitely become more commonplace and costly. It is in many ways the simplicity of cloud computing to have services span jurisdictions that has led to the marked increase in complexity of compliance. To prepare for these challenges, a cloud security professional must be aware of the legal requirements and unique risks presented by cloud computing architectures.
With cloud technologies comes the inherent power to distribute computing across countries and continents. Though it is certainly possible to use the cloud on a local or regional scale through configuration or policy, many cloud customers use cloud services across regions and jurisdictions to provide redundancy and closer service delivery across the crowded Internet. So how do companies address the fact that their servers, customers, and physical locations may in fact be governed by completely separate sets of laws? It is a constant challenge that requires cloud security practitioners to be familiar with multiple sets of laws and when they might apply. Take, for instance, the law of the land in the European Union (the EU, a group of 27 European countries that share a common set of laws and economic policies). The EU is governed by data privacy laws known as the General Data Protection Regulations (GDPR) that we will cover later in the chapter. Do these laws apply to U.S.-based companies doing business in the EU or with EU citizens? What about in situations where EU laws conflict with state and federal laws in the United States? Because of the international nature of cloud offerings and customers, cloud practitioners must be aware of multiple sets of laws and regulations and the risks introduced by conflicting legislation across jurisdictions. These conflicts may include the following:
Craig Mundie, the former chief of Microsoft's research and strategy divisions, explained it in these terms:
People still talk about the geopolitics of oil. But now we have to talk about the geopolitics of technology. Technology is creating a new type of interaction of a geopolitical scale and importance… . We are trying to retrofit a governance structure which was derived from geographic borders. But we live in a borderless world.
In simple terms, a cloud security practitioner must be familiar with a number of legal arenas when evaluating risks associated with a cloud computing environment. The simplicity and inexpensive effort of configuring computing and storage capabilities across multiple countries and legal domains has led to a vast increase in the complexity of legal and compliance issues.
The cloud offers delivery and disaster recovery possibilities unheard of a few decades ago. Cloud service providers can offer content delivery options to host data within a few hundred miles of almost any human being on Earth. Customers are not limited by political borders when accessing services from cloud providers. However, the ability to scale across the Internet to hundreds of locations brings a new set of risks to companies taking advantage of these services. Storing data in multiple foreign countries introduces legal and regulatory challenges. Cloud computing customers may be impacted by one or more of the following legislative items:
Cloud security practitioners should be keenly aware of a number of legal frameworks that may affect the cloud computing environments they maintain. The following frameworks are the products of multinational organizations working together to identify key priorities in the security of information systems and data privacy.
The Organization for Economic Cooperation and Development (OECD) guidelines lay out privacy and security guidelines. (See www.oecd.org/sti/ieconomy/privacy-guidelines.htm
.) The OECD guidelines are echoed in European privacy law in many instances. The basic principles of privacy in the OECD include the following:
In addition to the basic principles of privacy, there are two overarching themes reflected in the OECD: first, a focus on using risk management to approach privacy protection, and second, the concept that privacy has a global dimension that must be addressed by international cooperation and interoperability. The OECD council adopted guidelines in September 2015, which provide guidance in the following:
The Asia Pacific Economic Cooperation Privacy Framework (APEC) is an intergovernmental forum consisting of 21 member economies in the Pacific Rim. (See www.aicpa.org/content/dam/aicpa/interestareas/informationtechnology/resources/privacy/downloadabledocuments/10252-346-records-management-pro.pdf
.) The goal of this framework is to promote a consistency of approach to information privacy protection. This framework is based on nine principles.
The General Data Protect Regulation (GDPR) is perhaps the most far-reaching and comprehensive set of laws ever written to protect data privacy. (See gdpr.eu/what-is-gdpr
.) In the EU, the GDPR mandates privacy for individuals, defines companies' duties to protect personal data, and prescribes punishments for companies violating these laws. GDRP fines for violating personal privacy can be massive at 20 million Euros or 4 percent of global revenue (whichever is greater). For this reason alone, a CCSP should be familiar with these laws and the effects that they have on any company operating within, housing data in, or doing business with citizens of these countries in the 27-nation bloc. GDPR became the law of the land in May 2018, and incorporated many of the same principles of the former EU Data Protection Directive.
GDPR identifies formally the role of the data subject, controller, and processor. The data subject is defined as an “identified or identifiable natural person,” or, more simply, a person. The GDPR draws a distinction between a data controller and a data processor to formally recognize that not all organizations involved in the use and processing of personal data have the same degree of responsibility.
In cloud environments, this is often separate companies, where a company may be providing services (the data controller) on a cloud provider (the data processor).
The GDPR is a massive set of regulations that covers almost 90 pages of details and is a daunting challenge to many organizations. A CCSP should be familiar with the broad areas of the law, but ultimately organizations should consult an attorney to ensure that operations are compliant. GDRP encompasses the following main areas:
The cloud service provider has also significantly complicated the legal landscape when it comes to legal controls. The provider of the infrastructure, platform, or software as a service must be evaluated as an additional party when considering compliance. If a cloud provider is responsible for a violation of a legal control, the company can still be responsible for the legal ramifications. This applies to legal and contractual controls such as the following:
The cloud represents a dynamic and changing environment, and monitoring/reviewing legal requirements is essential to staying compliant. All contractual obligations and acceptance of requirements by contractors, partners, legal teams, and third parties should be subject to periodic review. When it comes to compliance, words have real meaning. You (and Microsoft Word's thesaurus) might think that the terms law and regulation are interchangeable, but when it comes to data privacy issues, they can have starkly different outcomes if they are not satisfied. Understanding the type of compliance that your company is subject to is vital to a CCSP. The outcome of noncompliance can vary greatly, including imprisonment, fines, litigation, loss of a contract, or a combination of these. To understand this landscape, a CCSP must first recognize the difference between data protected by legal regulations and data protected by contract.
It is vital to consider the legal and contractual issues that apply to how a company collects, stores, processes, and ultimately deletes data. Few companies or entities have the luxury of not considering the important national and international laws that must be complied with to do business. Perhaps not surprisingly, company officers have a vested interest in complying with these laws. Laws and regulations are specific in who is responsible for the protection of information. Federal laws like HIPAA spell out that senior officers within a company are responsible for (and liable for) the protection of data. International regulations like GDPR and state regulations such as NYCRR 500 identify the role of a data protection officer or chief information security officer and outline their culpability for any data loss incident.
If you are using cloud infrastructure from a cloud provider, you the customer must impose all legal, regulatory, and contractual obligations that are imposed on you by relevant legislation onto your cloud provider. No matter who is hosting your data or services, you the customer are accountable for compliance of effective security controls and data security.
When a crime is committed, law enforcement or other agencies may perform eDiscovery using forensic practices to gather evidence about the crime that has been committed and to prosecute the guilty parties. eDiscovery is defined as any process in which electronic data is pursued, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. In a typical eDiscovery case, computing data might be reviewed offline (with the equipment powered off or viewed with a static image) or online (with the equipment on and accessible). In the cloud environment, almost all eDiscovery cases will be done online due to the nature of distributed computing and the difficulty in taking those systems offline.
Forensics, especially cloud forensics, is a highly specialized field that relies on expert technicians to perform the detailed investigations required to adequately perform discovery while not compromising the potential evidence and chain of custody. In any forensic investigation, a CCSP can typically expect to work with an expert outside consultant or law enforcement personnel.
For a security professional, the challenges of eDiscovery are greatly increased by the use of cloud technologies. If you received a call from an outside law enforcement agency (never a phone call that anyone likes to receive) about criminal activities on one of your servers in your on-premise data centers, you might immediately take that server offline in order to image it, always having the data firmly in your possession. Now imagine if the same service was hosted in a SaaS model in the cloud distributed across 100 countries using your content delivery network. Could you get the same data easily? Could you maintain possession, custody, or control of the electronically stored information? Who has jurisdiction in any investigation? Can a law enforcement agency compel you to provide data housed in another country? All of these questions make cloud eDiscovery a distinct challenge.
When you’re considering a cloud vendor, eDiscovery should be considered during any contract negotiation phase. If you think about your cloud providers today, can you recall how many conversations you might have had with their support teams? Would you know who to contact if an investigation was needed?
To pose another question, do you actually know where the data is physically housed? Many companies make use of the incredible replication and fail-over technologies of the modern cloud, but that means data may be in different time zones, countries, or continents when an investigation is launched. As we have outlined, laws in one country or state may in fact clash or break with laws of another. It is the duty of the cloud security profession to exercise due care and due diligence in documenting and understanding to the best of their ability the relevant laws and statutes pertaining to an investigation prior to it commencing.
In some cases, proactive architectural decisions can simplify issues down the road. For example, if a company chooses to house customer data within their legally defined jurisdiction (for example, EU citizen data is always housed on cloud servers within the EU), it can simplify any potential investigations or jurisdictional arguments that might arise.
Where there is a problem in technology, there is usually a solution, and the marketplace for eDiscovery tools has grown commensurately with the explosion in the use of cloud service providers. There are a healthy number of vendors that specialize in this area. For a CCSP, it is important to learn about eDiscovery actors when evaluating contracts and service level agreements (SLAs) to determine what forms of eDiscovery are permissible. These are the main types of investigatory methods:
As you can see, the forensic and eDiscovery requirements for many legal controls are greatly complicated by the cloud environment. Unlike on-premises systems, it can be difficult or impossible to perform physical search and seizure of cloud resources such as storage or hard drives. Standards from bodies such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) and the Cloud Security Alliance (CSA) provide guidance to cloud security practitioners on best practices for collecting digital evidence and conducting forensics investigations in cloud environments. CCSPs should be familiar with the following standards:
The Internet age has brought with it an unprecedented amount of information flow. Knowledge (and cat videos) is shared by billions of Internet-connected humans at the speed of light around the world every day. The flow of information is two-way, however, and corporations and governments work hard to analyze how you interact with the Internet, both from your web activity as well as from your phone habits. Billions of consumers have installed listening devices in their homes (think Google Home and Amazon Alexa) and carry a sophisticated tracking device willingly on their person each and every day (the smart phone). All of this data allows better marketing investments as well as more customized recommendations for consumers.
With the advent of cloud computing, the facilities and servers used to store and process all of that user data can be located anywhere on the globe. To ensure availability and recoverability, it is good practice to ensure that data is available or at least backed up in multiple geographic zones to prevent loss due to widespread natural disasters such as an earthquake or hurricane. Indeed, in certain countries (like the tiny nation of Singapore at under 300 square miles), it would be impossible to protect from natural disasters without sending data to additional countries (and therefore legal jurisdictions).
In any cloud computing environment, the legal responsibility for data privacy and protection rests with the cloud consumer, who may enlist the services of a cloud service provider (CSP) to gather, store, and process that data. If your company uses Amazon Web Services (AWS) to host your website that gathers customer data, the responsibility for that data rests with you. You as the data controller are responsible for ensuring that the requirements for protection and compliance are met and that your contracts with the cloud service provider stipulate what requirements must be met by the CSP.
There are a number of terms that describe data that might be regulated or contractually protected. Personally identifiable information (PII) is a widely recognized classification of data that is almost universally regulated. PII is defined by the NIST standard 800-122 as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” (See nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
.)
Protected health information (PHI) was codified under the HIPAA statutes in 1996. Any data that might relate to a patient's health, treatment, or billing that could identify a patient is PHI. When this data is electronically stored, it must be secured using best practices, such as unique user accounts for every user, strong passwords and MFA, principles of least privilege for accessing PHI data, and auditing all access and changes to a patient's PHI data.
Table 6.1 outlines types of regulated private data and how they differ.
TABLE 6.1 Types of Regulated Data
DATA TYPE | DEFINITION |
---|---|
Personally identifiable information (PII) | Personally identifiable information is information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (such as SSN numbers) that can identify a person uniquely, or quasi-identifiers (such as race) that can be combined with other quasi-identifiers (such as date of birth) to successfully recognize an individual. |
Protected health information (PHI) | Protected health information, also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care. |
Payment data | Bank and credit card data used by payment processors in order to conduct point-of-sale transactions. |
There are two main types of regulated private data that we will discuss in further detail.
When your organization collects, processes, transmits, or stores private data as part of normal business processes, the information must be protected according to relevant laws and regulations. If an organization outsources any of those functions to a third party such as a cloud service provider, the contracts must specify what the applicable rules and requirements are and what laws that the cloud service provider must adhere to.
For example, if a company is handling PHI that must be processed within the United States, any contracts with a CSP must clearly specify that fact. It is the obligation of the data owner to make all terms and conditions clear and transparent for the outsourcing contract.
The biggest differentiator between contractual and regulated data is that regulated data must be protected under legal and statutory requirements, while contractual data is protected by legal agreements between private parties. Both PII and PHI data are subject to regulation, and the disclosure, loss, or altering of these data can subject a company (and individuals) to statutory penalties including fines and imprisonment. In the United States, protection of PHI data is required by HIPAA, which provides requirements and penalties for failing to meet obligations.
Regulations are put into place by governments and government-empowered agencies to protect entities and individuals from risks. In addition, they force providers and processors to take appropriate measures to ensure protections are in place while identifying penalties for lapses in procedures and processes.
One of the major differentiators between contracted and regulated privacy data is in breach reporting. A data breach of regulated data (or unintentional loss of confidentiality of data through theft or negligence) is covered by myriad state and federal laws in the United States. There are now data privacy laws covering PII in all 50 states, with legislative changes happening every year. Some states have financial penalties of as little as $500 for data privacy violations, while others have fines in the hundreds of thousands of dollars as well as prison time for company officers. The largest state fine for a data privacy breach was handed to Uber for a 2016 breach and totaled over $148 million dollars in fines to the state of California.
As we have detailed, the outsourcing of services to a cloud service provider in no way outsources the risk to the company as the data owner. A CCSP must be familiar with key concepts when contracting with cloud service providers to ensure that both parties understand the scope and provisions when private data is concerned. Key contract areas include the following:
If by now you're sensing a theme that data privacy is a complicated problem, it's about to get reinforced. An individual's right to privacy (and therefore their right to have their data handled in a secure and confidential way) varies widely by country and culture. As a result, the statutory and regulatory obligations around data privacy are vastly different depending on the citizenship of a data subject, the location of data being stored, the jurisdiction of the data processor, and even multinational agreements in place that may require data disclosure to government entities upon request.
There are many different attitudes and expectations of privacy in countries around the world. In some more authoritarian regimes, the data privacy rights of the individual are almost nonexistent. In other societies, data privacy is considered a fundamental right. Let's take a look around the world to examine some of the differences in data privacy around the globe.
The 27-member EU serves as the bellwether for personal privacy in the developed world. The right to personal and data privacy is relatively heavily regulated and actively enforced in Europe, and it is enshrined into European law in many ways. In Article 8 of the European Convention on Human Rights (ECHR), a person has a right to a “private and family life, his home and his correspondence,” with some exceptions. Some additional types of private data under the GDPR include information such as race or ethnic origin, political affiliations or opinions, religious or philosophical beliefs, and information regarding a person's sex life or sexual orientation.
In the European Union, PII covers both facts and opinions about an individual. Individuals are guaranteed certain privacy rights as data subjects. Significant areas of Chapter 3 of the GDPR (see gdpr.eu/tag/chapter-3
) include the following on data subject privacy rights:
Australian privacy law was revamped in 2014, with an increased focus on the international transfer of PII. (See www.oaic.gov.au/privacy/australian-privacy-principles
.)
Current law in Australia, under the Australian Privacy Act, allows for the offshoring of data but requires the transferring entity (the data processor) to ensure that the receiver of the data holds and processes it in accordance with the principles of Australian privacy law. As discussed in the previous section, this is commonly achieved through contracts that require recipients to maintain or exceed privacy standards. An important consequence under Australian privacy law is that the entity transferring the data out of Australia remains responsible for any data breaches by or on behalf of the recipient entities, meaning significant potential liability for any company doing business in Australia under current rules.
Data privacy laws in the United States generally date back to fair information practice guidelines that were developed by the precursor to the Department of Health & Human Services (HHS). (See Ware, Willis H. (1973, August). “Records, Computers and the Rights of Citizens,” Rand. Retrieved from www.rand.org/content/dam/rand/pubs/papers/2008/P5077.pdf
.) These principles include the following concepts:
Perhaps the defining feature of U.S. data privacy law is its fragmentation. There is no overarching law regulating data protection in the United States. In fact, the word privacy is not included in the U.S. Constitution. However, there are now data privacy laws in each of the 50 states as well as U.S. territories.
There are few restrictions on the transfer of PII or PHI out of the United States, a fact that makes it relatively easy for companies to engage cloud providers and store data in other countries. The Federal Trade Commission (FTC) and other regulatory bodies do hold companies accountable to U.S. laws and regulations for data after it leaves the physical jurisdiction of the United States. U.S.-regulated companies are liable for the following:
Several important international agreements and U.S. federal statutes deal with PII. The Privacy Shield agreement is a framework that regulates the transatlantic movement of PII for commercial purposes between the United States and the European Union. Federal laws worth review include HIPAA, GLBA, SOX, and the Stored Communications Act, all of which impact how the United States regulates privacy and data. At the state level, it is worth reviewing the California Consumer Protection Act (CCPA), the strongest state privacy law in the nation.
Unlike the GDPR, which is a set of regulations that affect companies doing business in the EU or with citizens of the EU, Privacy Shield is an international agreement between the United States and the European Union that allows the transfer of personal data from the European Economic Area (EEA) to the United States by US-based companies. (See www.impact-advisors.com/security/eu-us-privacy-shield-framework/
and iapp.org/media/pdf/resource:center/Comparison-of-Privacy-Shield-and-the-Controller-Processor-Model.pdf
.) This agreement replaced the previous safe harbor agreements, which were invalidated by the European court of justice in October 2015. The Privacy Shield agreement is currently facing legal challenge in European Union courts as of July 2020. Adherence to Privacy Shield does not make U.S. companies GDPR-compliant. Rather, it allows the company to transfer personal data out of the EEA into infrastructure hosted in the United States.
To transfer data from the EEA, U.S. organizations can self-certify to the Department of Commerce and publicly commit to comply with the seven principles of the agreement. Those seven principles are as follows:
The HIPAA legislation of 1996 defined what comprises personal health information, mandated national standards for electronic health record keeping, and established national identifiers for providers, insurers, and employers. Under HIPAA, PHI may be stored by cloud service providers provided that the data is protected in adequate ways.
This U.S. federal law requires financial institutions to explain how they share and protect their customers' private information. GLBA is widely considered one of the most robust federal information privacy and security laws. This act consists of three main sections:
The act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices. GLBA explicitly identifies security measures such as access controls, encryption, segmentation of duties, monitoring, training, and testing of security controls.
The Stored Communication Act (SCA), as enacted as Title II of the Electronic Communication Privacy Act, created privacy protection for electronic communications (such as email or other digital communications) stored on the Internet. In many ways, this act extends the Fourth Amendment of the U.S. Constitution—the people's right, to be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”—to the electronic landscape. It outlines that private data is protected from unauthorized access or interception (by private parties or the government).
It may seem odd to talk about a state privacy law in the context of international privacy protection, but the California Consumer Privacy Act (CCPA) is at present the strongest data privacy law in the United States. The act is intended to protect within state law the rights of a California citizen to the following:
The CCPA outlines what entities need to comply with the law, the responsibility and accountability of the law's provisions, and the sanctions and fines that may be levied for violations of the law. Those fines can vary between $100 to $750 per consumer per data incident (or actual damages, whichever is greater), which makes the CCPA the most stringent privacy law in the United States.
As you have seen, this small review of different locations, jurisdictions, and legal requirements for the protection of private data demonstrates the challenge of maintaining compliance while using global cloud computing resources. Different laws and regulations may apply depending on the location of the data subject, the data collector, the cloud service provider, subcontractors processing data, and the company headquarters of any of the entities involved. A CCSP should always be aware of the issues in these areas and consult with legal professionals during the construction of any cloud-based services contract.
Legal concerns can prevent the utilization of a cloud services provider, add to costs and time to market, and significantly complicate the technical architectures required to deliver services. Nevertheless, it is vital to never replace compliance with convenience when evaluating services. In 2020, the video conferencing service Zoom was found to be engaged in the practice of routing video calls through servers in China in instances when no call participants were based there. This revelation caused an uproar throughout the user community and led to the abandonment of the platform by many customers out of privacy concerns. (See www.theguardian.com/uk-news/2020/apr/24/uk-government-told-not-to-use-zoom-because-of-china-fears
.) In this example, customers abandoned the platform in large numbers because their data would certainly not enjoy the same privacy protections within China as would be expected in most liberal democracies.
With so many concerns and potential harm from privacy violations, entrusting data to any cloud provider can be daunting for many companies. Fortunately, there are industry standards in place that address the privacy aspects of cloud computing for customers. International organizations such as ISO/IEC have codified privacy controls for the cloud. ISO 27018 was published in July 2014, as a component of the ISO 27001 standard and was most recently updated in 2019. A CCSP can use the certification of ISO 27000 compliance as assurance of adherence to key privacy principles. Major cloud service providers such as Microsoft, Google, and Amazon maintain ISO 27000 compliance, which include the following key principles:
Privacy requirements outlined by ISO 27018 enable cloud customers to trust their providers. A CCSP should look for ISO 27018 compliance in any potential provider of cloud services.
Generally Accepted Privacy Principles (GAPP) consists of 10 principles for privacy from the American Institute of Certified Public Accountants (AICPA). (See www.aicpa.org/content/dam/aicpa/interestareas/informationtechnology/resources/privacy/downloadabledocuments/10252-346-records-management-pro.pdf
.) The GAPP is a strong set of standards for the appropriate protection and management of personal data. The 10 main privacy principle groups consist of the following:
In the EU, the GDPR codifies specific rights of the data subject that must be adhered to by any collector or processor of data. These rights are outlined in Chapter 3 of the GDPR (Rights of the Data Subject) and consist of 12 articles detailing those rights:
The complete language for the GDPR data subject rights can be found at gdpr.eu/tag/chapter-3
.
The word audit can strike a nerve of terror in many IT professionals (and in the context of the IRS, most taxpayers as well). Even in simple IT architectures, the audit process can consist of rigorous, time-consuming efforts that must be followed exactly. Auditing in a cloud environment presents some additional challenges when compared to traditional on-premises requirements. This section will detail some of the controls, impacts, reports, and planning processes for a cloud environment.
It is important for cloud professionals to work in concert with other key areas of the business to successfully navigate the journey to and in cloud computing. Since the cloud can be utilized and affect so many departments within an organization, it is vital to coordinate efforts with legal counsel, compliance, finance, and executive leadership.
One key resource for navigating the challenges of cloud compliance that all CCSPs should be familiar with is the Cloud Controls Matrix (CCM) provided by the Cloud Security Alliance (CSA). As of this writing, version 4.0 of the CCM (updated August 2019) provides some of the latest guidance in the form of a “Rosetta Stone” mapping control domains to dozens of relevant compliance specifications, including HIPAA, GAPP, FERPA, FedRAMP, ISO 27001, ITAR, NIST, and many others. This free resource gives cloud practitioners a comprehensive list of control domains, best-practice guidance in control specifications, relevant architectures, delivery models, and supplier relationships, as well as direct mappings to each of the compliance specifications. CCSPs should make use of this resource whenever they’re conducting an assessment of a cloud service provider or designing a compliant architecture in the cloud.
Internal audit and compliance have a key role in helping to manage and assess risk for both a cloud customer and provider. An organization may choose to keep internal audit functions within the company or outsource this function to a consultant or outside party.
Internal audit is an important line of defense for an organization. Many times, audits uncover issues with security or governance practices that can be corrected before more serious issues arise.
An internal auditor acts as a “trusted advisor” as an organization takes on new risks. In general, this role works with IT to offer a proactive approach with a balance of consultative and assurance services. An internal auditor can engage with relevant stakeholders to educate the customer to cloud computing risks (such as security, privacy, contractual clarity, Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) compliance with legal and jurisdictional issues). An internal audit also helps mitigate risk by examining cloud architectures to provide insights into an organization's cloud governance, data classifications, identity and access management effectiveness, regulatory compliance, privacy compliance, and cyber threats to a cloud environment.
It is desirable for an internal auditor to maintain independence from both the cloud customer and the cloud provider. The auditor is not “part of the team” but rather an independent entity who can provide facts without fear of reprisals or political blowback. An addition to the advisory role, an internal auditor will generally perform audits in the traditional sense, making sure the cloud systems meet contractual and regulatory requirements and that security and privacy efforts are effective.
Security controls may also be evaluated by external auditors. An external auditor definition does not work for the firm being audited. An external audit can be required by various pieces of financial legislation as well as information security standards such as ISO 27001. An external auditor is focused on ensuring compliance and therefore does not take on the role of a “trusted advisor” but rather more of regulator with punitive capability.
The requirement to conduct audits can have a large procedural and financial impact on a company. In a cloud computing context, the types of audit required are impacted largely by a company's business sector, the types of data being collected and processed, and the variety of laws and regulations that these business activities subject a company to. Some entities operate in heavily regulated industries subject to numerous auditing requirements (such as banks or chemical companies). Others may be brokers of data from international data subjects (such as big tech companies like Facebook, Google, and Microsoft).
Due to the changing nature of the cloud environment, auditors must rethink some traditional methods that have been used to collect evidence to support an audit. Consider the problems of data storage, virtualization, and dynamic failover.
The cloud is fundamentally based in virtualization technologies. Abstracting the physical servers that power the cloud from the virtual servers that provide cloud services allows for the necessary dynamic environments that make cloud computing so powerful. Furthermore, the underlying virtualization technologies that power the cloud are changing rapidly. Even a seasoned systems administrator that has worked with VMware or Microsoft's Hyper-V may struggle with understanding the inherent complexity of mass scalable platforms such as AWS, Google, or Azure cloud.
Identity assurance in a computing context is the ability to determine with a level of certainty that the electronic credential representing an entity (whether that be a human or a server) can be trusted to actually belong to that person. As Peter Steiner famously captured in The New Yorker, “On the internet, nobody knows that you're a dog.” Bots and cyber criminals make identity assurance for end users much more difficult. The cloud greatly increases the difficulty of assurance for machines.
Depending on the cloud architecture employed, a cloud security professional must now perform multiple layers of auditing (of both the hypervisor and the virtual machines themselves) to obtain assurance. It is vital for any cloud security to understand the architecture that a cloud provider is using for virtualization and ensure that both hypervisors and virtual host systems are hardened and up-to-date. Change logs are especially important in a cloud environment to create an audit trail as well as an alerting mechanism for identifying when systems may have been altered in inappropriate ways by accidental or intentional manners.
Any audit, whether internal or external, will produce a report focused either on the organization or on the organization's relationship with an outside entity or entities. In a cloud relationship, oftentimes the ownership of security controls designed to reduce risk resides with a cloud service provider. An audit of the cloud service provider can identify if there are any gaps between what is contractually specified and what controls the provider has in place.
The American Institute of CPAs (AICPA) provides a suite of offerings that may be used to report on services provided by a service organization that customers can use to address risks associated with an outsourced service. See Table 6.2.
TABLE 6.2 AICPA Service Organization Control Reports
Table source: www.aicpa.org
REPORT | USERS | CONCERNS | DETAILS REQUIRED |
---|---|---|---|
SOC 1 | User entities and the CPAs that audit their financial statements | Effect of the controls at the service organization on the user entities' financial statements | Systems, controls, and tests performed by the service auditor and results of tests. |
SOC 2 | Broad range of users that need detailed information and assurance about controls | Security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems | Systems, controls, and tests performed by the service auditor and results of tests. |
SOC 3 | Broad range of users that need detailed information and assurance about controls but do not have the need for or knowledge to make effective use of SOC 2 reports | Security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems | Referred to as a “Trust Services Report,” SOC 3 reports are general used and can be freely distributed. |
The differences between the SOC reports are as follows:
There are two types of reports for these engagements:
AICPA definitions of SOC controls can be found at the following locations:
www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html
www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc3report.html
The Statement on Standards for Attestation Engagements (SSAE) is a set of standards defined by the AICPA to be used when creating SOC reports. The most current version (SSAE 18) was made effective in May 2017, and added additional sections and controls to further enhance the content and quality of SOC reports.
The international counterpart of the AICPA, the International Auditing and Assurance Standards Board, issues the International Standard on Assurance Engagements (ISAE). There are a number of differences between the two standards, and a security professional should always consult the relevant business departments to determine which audit report(s) will be used when assessing cloud systems.
The Cloud Security Alliance (CSA) offers a Security Trust Assurance and Risk (STAR) certification that can be used by cloud service providers, cloud customers, or auditors and consultants to ensure compliance to a desired level of assurance. (See downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf
.) STAR consists of three levels of certification:
Audits are a fact of life to ensure compliance and prevent sometimes catastrophic effects of security failures. Though no employee relishes the thought of undergoing an audit, they are somewhat of a necessary evil to ensure that risks are adequately controlled and compliance is met. Any audit must be appropriately scoped to ensure that both the client and the auditor understand what is in the audit space and what is not. This is almost always driven by the type of report being prepared. An audit scope statement would generally include the following:
Any audit must have parameters set to ensure the efforts are focused on relevant areas that can be effectively audited. Setting these parameters for an audit is commonly known as the audit scope restrictions. Why limit the scope of an audit? Audits are expensive endeavors that can engage highly trained (and highly paid) content experts. In addition, the auditing of systems can affect system performance and, in some cases, require the downtime of production systems.
Scope restrictions can be of particular importance to security professionals. They can spell out the operational components of an audit, such as the acceptable times and time periods (for example, days and hours of the week) as well as the types of testing that can be conducted against which systems. Carefully crafting scope restrictions can ensure that production systems are not impacted adversely by an auditor's activity. Additionally, audit scope statements can be used to clearly define what systems are subject to audit. For example, an audit on HIPAA compliance would only include systems that process and store PHI.
As a precursor to a formal audit process, a company may engage in a gap analysis to help identify potential trouble areas to focus on. A gap analysis is the comparison of a company's practices against a specified framework and identifies any “gaps” between the two. These types of analysis are almost always done by external parties or third parties to ensure that they are performed objectively without potential bias. Some industry compliance standards (such as HIPAA or PCI) may require an outside entity to perform such an analysis. The reasoning is that an outside consultant can often catch gaps that would not be obvious to personnel working in the area every day.
If a gap analysis is being performed against a business function, the first step is to identify a relevant industry-standard framework to compare business activities against. In information security, this usually means comparison against a standard such as ISO/IEC 27002 (best-practice recommendations for information security management). Another common comparison framework used as a cybersecurity benchmark is the NIST cybersecurity framework.
A gap analysis can be conducted against almost any business function, from strategy and staffing to information security. The common steps generally consist of the following:
Since a gap analysis provides measurable deficiencies and, in some cases, needs to be signed off by senior leadership, it can be a powerful tool for an organization to identify weaknesses in their efforts for compliance.
Any audit, whether related to financial reporting, compliance, or cloud computing, must be carefully planned and organized to ensure that the results of the audit are relevant to the objectives. Audits genevrally consist of four phases, outlined in Figure 6.1.
The four phases of an audit consist of the following:
In many organizations, audit is a continuous process. This is often structured into business activities to provide an ongoing view into how an organization is meeting compliance and regulatory goals. As a cloud security professional, audit is a powerful tool to ensure that your organization is not in the news for the wrong reasons.
An information security management system (ISMS) is a systematic approach to information security consisting of processes, technology, and people designed to help protect and manage an organization's information. These systems are designed to strengthen the three aspects of the CIA triad: confidentiality, availability, and integrity. An ISMS is a powerful risk management tool in place at most medium and large organizations, and having one gives stakeholders additional confidence in the security measures in place at the company.
The most effective ISMSs are aligned with standards, most importantly ISO 27001, the international standard that provides the specifications for a best-practice ISMS and details the compliance requirements.
Though the function of an ISMS can vary from industry to industry, there are a number of benefits to implementation that hold true across all industries.
As with any major organizational element, an ISMS requires buy-in from company leadership to be effective. In the cloud computing environment, an ISMS is extremely valuable in requiring detailed documentation on cloud provider environments and change logging.
As we have detailed a number of times in this section, the International Standards Organization (ISO) provides an invaluable resource to security professionals in its ISO 27001:2013 information security standards. (See www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
.) Cloud security professionals should be intimately familiar with ISO 27001 controls, which can be mapped to address requirements for audit, ISMS, or other compliance measures. The 14 control sets of Annex A of ISO 27001 are as follows:
In addition, cloud security professionals in the United States should be familiar with the National Institute of Standards (NIST) cybersecurity framework (v1.1). This framework identifies controls in these five broad areas:
A common mnemonic used to remember the NIST CSF control areas is “In Public, Drink Reasonably Responsibly.” See the following site for complete details: www.nist.gov/cyberframework/online-learning/five-functions
.
Policies are a key part of any data security strategy. Without a policy in place, it is impossible to enforce requirements in any systematic way. Policies ensure that employees and management are aware of what is expected of them and where their responsibilities lie. Policies are an important piece of standardizing practices in an organization.
From a cloud computing perspective, policies can be an important tool in preventing isolation of activities (for treating data stored in one cloud provider in a completely different way than others). Policies also provide a way for leadership to specify appropriate uses of cloud services to ensure the organization realizes business benefits without also taking on additional business risk.
Companies use policies and procedures to outline rules as well as outline courses of action to deal with problems. Organizations use policies to make employees understand the organization's views and values on specific issues, and what actions will occur if they are not followed. At the organizational level, policies are used to reduce the chances of the following:
A functional policy is a set of standardized definitions for employees that describe how they are to make use of systems or data. Functional policies typically guide specific activities crucial to the organization, such as appropriate handling of data, vulnerability management, and so on. These are generally codified in an operation ISMS and can consist of the following (not an exhaustive list):
Employee provisioned cloud services may present significant data management risks and may be subject to changes in risk with or without notice. Almost all cloud services require individual users to accept click-through agreements (which are rarely if ever read carefully). Agreements do not allow users to negotiate or clarify terms, often provide vague descriptions of services and safeguards, and often are subject to change without notice.
Cloud services should not be exempt from organizational policy application. These policies will define the requirements that users must adhere to in order to make use of the services. Because of the ease of provisioning cloud services, many organizations have specific policies in place that discourage or prohibit the use of cloud services by individuals outside of central IT oversight.
When pursuing cloud services, a security professional should pay close attention to the following:
In some instances, a cloud service provider cannot meet a company's requirements when it comes to adhering to a specific policy. If this happens, it is important to consider the risks of using the provider, and any deviations from policy should be carefully documented.
One key challenge in the provisioning of cloud computing resources is the identification of all company stakeholders that need to be involved in the decision process. Oftentimes, this process is complicated by the need to fully understand the business processes that will be taking advantage of cloud computing services. This is not an easy task and requires visibility on what services are provided, how they are delivered, and what the current architecture looks like. This generally means that there will be stakeholders outside of IT, which necessitates coordination across multiple business functions. Once stakeholders are identified, it is important to document who should be involved in the decision process, because omitting key stakeholders can lead to a haphazard approach to the implementation of cloud services.
To identify stakeholders, some key challenges that a cloud security professional may face include the following:
In addition to identifying stakeholders, cloud security professionals should be prepared to deal with governance challenges when moving to a cloud environment, including the following:
The benefits of the cloud can quickly and easily move beyond just the financial for many companies. The prevalence of distributed workforces, reliability and scalability, worldwide delivery of services, and backup and recovery possibilities are just a few benefits that have driven cloud adoption across countless industries. For those reasons, the emphasis and appetite to move to cloud computing may come from many different areas within a company. It is important to coordinate communication across the many departments that may be affected by cloud projects.
As we have detailed numerous times in this reference book, the responsibility for compliance to any relevant regulations ultimately rests with the company (not the cloud service provider). This is true for companies that fall under additional regulation (such as HIPAA for healthcare providers, PCI for credit card processors, GLBA for public financial companies, and North American Electric Reliability Corporation Critical Infrastructure Protection [NERC/CIP] for critical infrastructure providers such as power or water utilities). In some cases, these specialized requirements will make leveraging the cloud more difficult. Companies should always identify any geographic or jurisdiction-specific regulations (such as HIPAA, which might require PHI to be physically kept within the United States) and factor them into any cloud computing evaluation. Additionally, special scrutiny should be applied to cloud service providers when regulations demand levels of reliability above and beyond typical industry standards.
Distributed information technology (IT) models are become increasingly common as interconnected services are more easily provided from global suppliers. One example of a distributed model is the outsourcing of services such as network operation centers to third parties across the globe. In many ways, cloud computing makes distributed IT much simpler, as the cloud can provide services to IT across countries and continents without costly on-premises data center connections and associated hardware and personnel.
A cloud security professional should be aware of common issues caused by distributed IT models and how to mitigate them.
In a traditional IT model, teams are generally familiar with what roles and functions are filled by different personnel. Depending on the company, they may be on a first-name basis (and might play on the company softball team together). Distributed IT means that these roles and functions may be separated geographically and all correspondence takes place via technology.
In some cases, less formal processes (for example, “I call Jim in networks when I need to have a Client Access License [CAL] added to the system”) move to more structured interactions using standardized processes (for example, “I submitted a ticket in service now for a new CAL to be provisioned”).
From a security perspective, this is considered an improvement, despite the potential business impacts caused by increased effort to get IT functions accomplished quickly. Using formalized ticketing systems and processes means that changes are far more likely to be recorded, adding to the overall adherence to change management controls.
Technology project management is a key component to the success of any IT department. Successful PMs oversee the implementation of hardware and software projects using project management methods and expertise that is a key skillset within any company, especially in an IT organization.
The specialized nature of distributed IT models (and cloud services offerings) makes it less likely that an organization will have personnel in house with the specialized knowledge required to successfully implement projects. For this reason, it is important to consider bringing in outside experts for implementation projects. This common practice gives the distinct advantage of having subject-matter experts involved in the rollout or deployment of a new service or offering. In addition, this relieves some of the burden on an organization's IT team in learning, coordinating, and provisioning new systems that they may be completely unfamiliar with. Consultant agreements generally allow a provider to deliver service to a customer's requirements with sufficient accountability and oversight from company representatives.
Effective governance can require additional steps in a distributed IT environment. When IT functions are dispersed across providers, countries, or continents, additional efforts may be needed to pull together information for program management, risk management, audit, compliance, and legal functions. Additionally, the distribution of these IT functions across jurisdictions where different statutory and regulatory issues may apply may increase the overall efforts needed to ensure effective governance.
Selecting IT service providers that are effective and responsive in communication is key to establishing repeatable governance models. Many vendors specialize in the automation of information collection for governance purposes, which can help streamline the collection of information from distributed providers.
Distributed IT models mean that effective governance will require the collection of information from multiple sources. Coordinating those efforts should include the up-front identification of how these processes will be managed to achieve the common goals of the organization.
If you compare how IT services were provisioned two decades ago to how they are done today, you would see a completely different landscape. In the dot-com era, provisioning systems took experts days or weeks to build out hardware, operating systems, and applications. Companies spent millions of dollars on physical hardware to support their computing efforts, wide area networks, and data centers. Today, anyone with a credit card (or even without one on free services) can provision a multitier web application in a few minutes. Services are spun up in seconds in some cases.
This shift in how IT services is provisioned is not insignificant to organizational risk. In the past, the thought of “accidentally” provisioning a server in another country or legal jurisdiction was unthinkable (and most likely impossible). Today, it takes a few errant clicks from a cloud administrator to expose an organization to risks unthinkable two decades ago.
It is vital that both the cloud customer and the cloud service provider understand risk and what strategies can be employed for risk mitigation. Risk must be accounted for in any migration to a cloud-based environment, and in some cases, the methods that a company has traditionally used to manage risk may need to evolve to reflect the realities of the cloud. In any case, it is vital for the cloud customer and the cloud provider to be aligned in policies and procedures as closely as possible in order to share the burden of risk management between them.
Prior to establishing a relationship with a cloud provider, a cloud customer needs to analyze the risks associated with the adoption of a cloud-based solution for a particular system and plan a strategy to mitigate and control those risks. There are several steps that a cloud customer should perform to assess the risk management capabilities (controls, methodologies, and practices) of any cloud service provider (see Figure 6.2). Those steps are outlined in NIST special publication 800-37 Revision 2 (csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
) and include the following:
Cloud service providers by definition provide services to a wide variety of customers and industries. The architectures, service offerings, and security and privacy controls are therefore generally configured to meet the requirements of a large number of customers. Certification programs such as the Cloud Security Alliance's STAR program can give cloud customers a baseline on which to assess a given provider's controls, methodologies, and practices. Additionally, a cloud customer should apply a risk management framework as a standardized approach when vetting a cloud service. Several methods can be employed to assess a provider's risk management program. These can include reviewing the CSP's audit reports or conducting an independent risk assessment as an outside party.
A key concept for cloud security professionals to understand is the shared responsibility model of cloud computing. Depending on the delivery model of services, a cloud service provider takes responsibility for “security of the cloud”—protecting the infrastructure of the hardware, software, networking, and facilities that run the cloud services. The cloud customer takes responsibility for “security in the cloud,” which varies depending on the cloud services and architectures implemented. The level of responsibility (and therefore risk) assumed by the customer can vary widely. When a company is evaluating a CSP for potential service, the methods used for evaluation are generally dictated by the company's risk profile and risk appetite.
A company's risk profile generally comprises two factors. The first is a quantitative measure of the types of threats that an organization faces. This can vary widely by company and business sector, as a financial company can face very different risks than a landscaping provider. The second factor is the company's willingness to accept risk (risk tolerance). In mature companies, this can be represented as a numerical value to help quantify the calculations. Combining these with potential costs associated with the occurrence of each risk can provide a nonsubjective profile of risk.
A risk profile can help a company identify the level of risks that it is willing to accept. This profile is developed collaboratively with numerous stakeholders throughout the organization, such as business leaders, data owners, enterprise risk management, internal and external audit, legal, and compliance officers.
Risk appetite is just what it sounds like: the appetite a company has to accept risk. Every company is different in this arena, and it is directly affected by regulations and statutory requirements in a particular industry. The risk appetite of a company may be significantly larger if their success depends largely on time-to-market. They may be willing to accept larger risks in the cloud computing arena to achieve scalability or utilize cloud technologies to reach consumers in more geographic areas.
An important distinction in data is the difference between the data owner (data controller) and the data custodian (data processor). Let's start with some definitions:
For example, let's say a company that sells avocados takes personal data online to fulfill orders. They use cloud service provider AWS to host their website, and online payment vendor PayPal to process their transactions. In this case, any customer is the data subject, the avocado company is the data controller, and both AWS and PayPal are data processors (as they both process personal data on behalf of the avocado company).
The distinctions are important for regulatory and legal reasons. Data processors are responsible for the safe and private custody, transport, and storage of data according to business agreements. Data owners are legally responsible (and liable) for the safety and privacy of the data under most international laws.
A cloud security professional should be aware of the transparency requirements imposed on data controllers by various regulations in the United States and internationally. The following is a short (and inexhaustive) description of some of the transparency requirements companies should consider as data owners.
As detailed earlier in this section, notification of data breaches is required by all 50 states, several federal statutes, and numerous international laws. In practice, nearly every human on the planet is familiar with these laws because they have been notified by numerous companies about the loss of their private data. In all cases (including cloud computing environments), the data controller is responsible under the law for notifying the appropriate authorities as well as the data subject of the loss of their personal data. Many states and international laws have timely notification requirements that companies must fulfill when personal data is lost.
If a company is publicly traded in the United States, they are subject to transparency requirements under the Sarbanes-Oxley Act (SOX) of 2002. Specifically, as data owners, these companies should consider the following:
SOX compliance is often an issue with both data breaches and ransomware incidents at publicly traded companies. The loss of data related to compliance due to external actors does not protect a company from legal obligations.
For companies doing business in the European Union or with citizens of the EU, transparency requirements under the GDPR are laid out in Article 12 (see gdpr-info.eu/art-12-gdpr
). The exact language states that a data controller (data owner) “must be able to demonstrate that personal data are processed in a manner transparent to the data subject.” The obligations for transparency begin at the data collection stage and apply “throughout the life cycle of processing.”
The GDPR stipulates that communication to data subjects must be “concise, transparent, intelligible and easily accessible, and use clear and plain language.” The methods of communication are also clearly defined. Information must be provided to the data subjects “in writing, or by electronic means” or orally upon request. All of this information must be provided free of charge and not be conditional upon the purchase of a service or the surrender of information.
In practical terms, this means that plain language must be used to explain why data is being collected and what it is being used for. Similar language is included in some current (CCPA) and forthcoming state regulations.
According to its definition, risk treatment is “the process of selecting and implementing of measures to modify risk.” Risk treatment measures can include avoiding, modifying, sharing, or retaining risk. The risk treatment measures can be selected out of security controls that are used within a company's information security management system (ISMS).
Mitigation of risks will reduce either the potential exposure to a risk or the impact of a risk. If a risk is avoided, an organisation outside the EU may choose to stop, postpone, or cancel activities that present that risk. For example, a company can avoid the risk of a GDPR prosecution by not processing personal data of subjects who are in the EU. If a risk is modified, a company may work to reduce the effect that risk would have on a company (for example, defense-in-depth strategies to protect against data loss) or the likelihood of it occurring. Sharing a risk is the classic use case of insurance. By purchasing cyber-breach insurance, a company is sharing the risk with all of the customers facing the same risk. Retaining a risk is accepting the risk as part of the process of doing business.
Many of the strategies detailed in this chapter (such as controls, audits, compliance, etc.) are at their core about risk treatment. Cloud security, like all information security, is essentially about managing risk. In no scenario will risk treatment reduce a company's risks to zero. There is inherent risk in any business activity, and the risks retained by a company are referred to as residual risk.
There are a number of risk frameworks that a company may use to help manage risk in their organization. Risk management is a business process that can affect all aspects of an enterprise. In the cloud computing arena, a cloud security professional should be familiar with the ISO 31000:2018 guidance standard, the European Network and Information Security Agency (ENISA)'s cloud computing risk assessment tool, and NIST standards such as 800-146 (cloud computing synopsis and recommendation) and 800-37 (risk management framework for information systems).
ISO 31000, “Risk management - Guidelines,” was first published in 2009 and majorly revised in 2018. (See www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
.) This ISO standard provides generic recommendations for the design, implementation, and review of risk management processes within an organization. The 2018 update provides more strategic guidance as well as redefines risk from the concept of a “probability of loss” to a more holistic view of risk as the “effect of uncertainty of objectives,” recasting risk as either a negative or positive effect. ISO 31000 recommends the following steps in planning for risk:
ISO 31000 is a detailed framework, but is not designed to be used in certification (there is no such thing as “ISO 31000 certified”). Adopting this framework will require extensive management conformity to accountability standards as well as strategic policy implementation, communication, and review practices.
European Network and Information Security Agency (ENISA) produces a number of useful resources, and the “Cloud Computing Risk Assessment (2009)” is one of them (www.enisa.europa.eu/publications/cloud-computing-risk-assessment
). This guide identifies 35 types of risk for companies to consider in the areas of policy and organizational, technical, legal, and risks not specific to the cloud. In addition, ENISA spells out 53 types of vulnerabilities that companies should be aware of and a top-eight security risk list based on the impact and likeliness of occurrence. This free resource is certainly worth review by any cloud security professional. The top eight security risks include the following:
National Institute of Standards and Technology (NIST) makes the list of excellent standards once again with 800-146, “Cloud Computing Synopsis and Recommendations” (see csrc.nist.gov/publications/detail/sp/800-146/final
). This risk framework was published in 2012, and is a comprehensive guide to the benefits and risks associated with SaaS, PaaS, and IaaS cloud environments. The guide also makes recommendations on management, data governance, security and reliability, and virtual machines, as well as software and applications. Another handy reference (albeit written specifically for U.S. federal government) is NIST 800-37, a generalized risk management framework for information systems that has well documented methods for controlling risk in IT environments.
There are some key cybersecurity metrics that companies can track to present measurable data to company stakeholders. An incomplete list of some of these metrics is as follows:
A good method for communicating risks in a way that is easy to digest and understand is the risk register. As you have seen, a risk can be quantitatively expressed by multiplying a threat likelihood by the magnitude of impact.
RISK = Threat Likelihood × Magnitude of Impact
A risk register is a critical part of any incident response plan and provides a clear, visual way to see risks and their potential impacts. A risk register may contain the following (see Figure 6.3):
Risk is not an exact science, and calculating/categorizing risk is a difficult exercise that must be revisited often. A risk register can be an important tool for decision-makers to have a clear picture of what risks can be avoided, modified, shared, or retained.
As the cloud becomes more and more of a critical operating component for many companies, identifying and understanding the risks posed by a cloud service provider is vital for any company that’s using cloud services. Cloud providers are subject to change of business models, acquisition, and even bankruptcy and shutdown. It is important to consider a number of questions when considering a cloud service, vendor, or infrastructure provider.
And on and on. It can be a daunting challenge for any cloud customer to perform due diligence on their provider. But because the company maintains all legal and regulatory obligations as the data controller, it is an important part of any vendor selection. Fortunately, there are some industry certifications than can help companies make informed selections and mitigate risk.
The Common Criteria for Information Technology Security Evaluation is an international standard for information security certification. The evaluation process is designed to establish a level of confidence in a product or platform's security features through a quality assurance process. This is done through testing laboratories where the product of platform is evaluated.
Most cloud service providers do not have common criteria evaluations, but many cloud-based products do. One common example relevant to CCSPs are security tools designed to be deployed in virtual environments.
Does Common Criteria evaluation mean that a product is secure? Not necessarily. Though Windows operating systems have received certification under the program, they have later been found to have major security flaws. In addition, CC does not include any study of the administrative or business processes of a company that produced a product or platform; it is merely an evaluation of the technical merits of the platform itself. An up-to-date list of certified products can be found at www.commoncriteriaportal.org/products
.
It is worth revisiting the Security, Trust, and Assurance Registry (STAR) provided by the CSA (cloudsecurityalliance.org/star/levels
) as a valuable tool in displaying transparency and assurance for cloud service providers. CSA STAR makes use of the cloud control matrix version 4.0. STAR consists of three levels of certification.
Since the registry of certified providers is publicly available, the STAR program makes it easy for a company to assess the relative risk of a provider and should certainly be consulted when assessing any new CSP.
ENISA has provided another resource that can be used by cloud security professionals to assess the relative risk of a cloud service provider. (See resilience.enisa.europa.eu/cloud-computing-certification
.) The Cloud Certification Schemes List (CCSL) provides an up-to-date summary of existing certification schemes that could be relevant for cloud computing. The list as of 2020 is as follows:
ENISA describe the Cloud Certification Schemes Metaframework (CCSM) as an extension of CCSL. (See Figure 6.4.) It is a metaframework of cloud certification schemes. The goal of the metaframework is to provide a neutral high-level mapping from the customer's network and information security requirements to security objectives in existing cloud certification schemes, which facilitates the use of existing certification schemes during procurement. The agency also provides an online tool where it is possible to select from 27 different security objectives to see how the relative certifications compare.
Outsourcing is defined as “the business practice of hiring a party outside a company to perform services and create goods that traditionally were performed in-house by the company's own employees and staff.” (See www.investopedia.com/terms/o/outsourcing.asp
.) Outsourcing was traditionally a practice undertaken by companies as a cost-cutting measure or to make use of outside expertise or specialization. As the practice gained favor, it affected a wide range of jobs, ranging from customer support to manufacturing to the back office.
So, what is cloud computing but outsourcing? Companies are taking advantage of specialized skills and lower costs to improve their business models. And they are doing it in a multibillion-dollar way that is growing year over year. Cloud security professionals are well served by understanding key contractual provisions that can make sure their companies can do business with cloud providers with their data and wallets intact.
Before entering into a contract with a cloud service provider, it is important for any business to fully understand their own business needs and how they will be met. The evolution of the cloud means that more and more IT functions can use cloud technologies every year. Once a business has made the decision that a function is cloud ready and can codify the needs required of the system, a negotiation can take place with a cloud service provider. In legal terms, a cloud customer and a cloud service provider enter into a master service agreement (MSA), defined as any contract that two or more parties enter into as a service agreement.
But what exactly should be in a contract with a cloud service provider? The Cloud Standards Customer Council (CSCC) provides a good starting point for any contract in its “Practical Guide to Cloud Service Agreements.” (See www.omg.org/cloud/deliverables/CSCC-Practical-Guide-to-Cloud-Service-Agreements.pdf
.) This document provides a reference to help enterprise information technology and business decision-makers analyze cloud service agreements from different cloud service providers. They break cloud contracts down into three major areas:
Service level agreements can be a key factor in avoiding potential issues once a contract is in place. Service metrics, such as uptime or quality of service, can be included in this section of a contract. An uptime of 99 percent may seem adequate, but that level of allowed downtime would be equal to 87.6 hours a year! Service level agreements often include sections on the following:
The migration to the cloud relieves an IT department and IT executives of the duties of maintaining internal technology stacks in many ways. This has shifted the role that IT professionals play in vendor management, from primarily a point-in-time acquisition process (purchasing hardware or software) to an ongoing management relationship with a cloud vendor. This redefined relationship requires a great deal of trust and communication with vendors. Cloud professionals need strong project and people management skills. Managing cloud vendor relationships should focus on a number of areas.
The management of cloud contracts is a core business activity that is central to any ongoing relationship with a cloud service provider. A company must employ adequate governance structures to monitor contract terms and performance and be aware of outages and any violations of stated agreements. The CSCC provides a prescriptive series of steps that should be taken by cloud customers to evaluate their cloud contracts to compare multiple cloud providers or to monitor and evaluate a contract with a selected provider. The following steps are important to discuss in detail (www.omg.org/cloud/deliverables/CSCC-Practical-Guide-to-Cloud-Service-Agreements.pdf
):
Cyber risk insurance is designed to help an organization modify risk by sharing the risk of a cyber incident with others via a policy that might offset costs involved with recovery after a cyber-related security incident such as a breach. This is a growing field, and many more companies are choosing to indemnify against the threats of harm from incidents. Cyber risk insurance usually covers costs associated with the following:
Imagine if you would that you are a highly successful CEO of a major American corporation overseeing your sixth year of growth. Your compensation package is in the tens of millions of dollars. Now imagine being forced out of your role because of lacking security controls at your company's HVAC vendor, which led to one of the largest breaches of private data in history (at the time). This is the story of Target CEO Gregg Steinhafel in 2014, after the holiday 2013 POS attacks at the department store.
This is just one high-profile example of how the weakest link in a security chain can lead to disastrous consequences. The cloud can either increase or reduce the risks posed to a company depending on how a company implements a cloud strategy. In any cloud strategy, it is important to understand the extent of the organization's reliance to a cloud service provider as well as the third parties that power and enable the CSP itself.
The supply chain should always be considered in any business continuity or disaster recovery planning. The same concepts of understanding dependencies, identifying single points of failure, and prioritizing services for restoration are important to apply to the entire supply chain. This includes the cloud services a company may employ to deliver their services and the associated third parties that enable that cloud provider. With a complete view of the potential risks posed by a CSP supply chain, a company can choose to avoid, modify, share, or retain the risks in a similar evaluation to other risks as discussed earlier.
As we have seen with previous standards, the ISO provides a framework to allow for the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers. (See www.iso.org/obp/ui/#iso:std:iso-iec:27036:-4:ed-1:v1:en
.) This is a four-part standard, part four (2016) of which “Guidelines for security of cloud services” provided excellent guidance for understanding and mitigating the risk of the cloud supply chain. According to ISO, the application of this standard should result in the following:
ISO 27036 is not yet available for free but provides a strong reference for understanding supply chain risk in the cloud context. Additional resources worth review include the draft NISTIR 8276 (Key Practices in Cyber Supply Chain Risk Management: Observations from Industry), NIST SP800-161 (Supply Chain Risk Management Practices for Federal Information Systems and Organizations), and the 2015 ENISA publication on supply chain integrity.
A cloud security professional must be constantly aware of the legal and compliance issues in migrating and maintaining systems in the cloud. Understanding the legal requirements, privacy issues, audit challenges, and how these relate to risk and contracts with cloud providers is a must for any company taking advantage of cloud services. A cloud security professional must also be well versed in the frameworks provided by professional organizations such as ENISA, NIST, ISO, and the CSA. All information security is essentially a business risk, and understanding and mitigating the risks faced by a company is critical to any business strategy. Any cloud security professional should understand the role that IT plays in this larger picture and have the communication and people skills to involve the appropriate business, legal, and risk decision-makers within a company.
18.216.190.167