Is Cloud Computing Really Secure? A Pragmatic Approach
Considering Cloud Computing?
So, you are making plans to move into cloud computing and are considering your options offered by the plethora of providers out there but you have questions and concerns. Congratulations! The bottom line up front is yes, cloud computing can be very secure. You just need to cover your bases and your assets first.
We will review some of the critical concerns you should have and hopefully guide you to a successful end result with this article. The best thing you are doing at this point is to be cautious so our task here now is to help you look before you leap. Your organization’s survival may well depend on it.
When contracting with a cloud service provider, such as a data center (Platform as a Service (PaaS), Infrastructure as a Service (IaaS)), it is important for companies to ensure that their provider possesses the cyber security-related certifications and compliance standards that are applicable to the company’s industry. Data centers, as well as service providers (Software as a Service (SaaS), Platform as a Service (PaaS)) who contract with data centers, all play a part in this cloud ecosystem and ultimately may make or break your business, so taking a pragmatic and well-informed approach to cloud cyber security is essential.
Black Hat Marketing
You may see a wide variety of hosting certifications listed among a service provider’s credentials, offered as assurances to its current and prospective customers that the company is taking privacy, security, confidentiality, integrity and availability seriously.
For example, some service providers who use SSAE 16-compliant data centers imply that they are, somehow, SSAE 16 compliant by proxy. This is not the case; just because you use a provider who is SSAE 16 compliant does not mean that your company is SSAE 16 compliant, and to imply such is black-hat marketing.
This is of course also true of all other third-party attestation reports and certifications which may include any combination of SOC 1, SOC 2, SOC 3, FedRAMP, PCI DSS, ISO 27001 and others. The bottom line here when evaluating a service provider is to request a copy of their report and review it.
Third Party Attestations
Be concerned if the vendor you are evaluating conducted the assessment and issued the report themselves. They may not be qualified or properly trained which makes the report meaningless. Remember that their breach may become your breach and about 60% of all SMB businesses are out of business post-breach.
There are some assessments, such as the PCI SAQ payment card industry self-assessment frameworks, that allow third-party entities to conduct self-assessments; however, as we say in technical circles, garbage in, garbage out. If you are evaluating such a third-party vendor, you should look at this aspect of your evaluation very closely.
If you are unsure of how to evaluate the risks associated with your vendors, enlist the assistance of a professional proactive cyber security firm with a specialization in risk assessments. These assessments are not expensive and when considering the alternative of the costs associated with a breach which averages 5.9 Million USD, it’s just prudent planning.
Anything is possible in contract law
My big lesson learned in law school was that in contracts, all things are possible! As you’d expect, service providers intend to engage your organization in a way that is contractually advantageous to their business interests and not yours. The important thing to remember is that contracts are negotiated instruments, and you should look for a few key elements when considering entrusting a cloud provider with your business.
SLA legal implications
Before you officially engage that service provider in contract, there are a number of privacy, security, confidentiality, integrity and availability aspects to look for, or to negotiate in if they are absent. In my experience, in most cases they are missing, so it’s incumbent upon you to make sure your interests are protected and represented in the contract.
Right to test
Most service providers prohibit vulnerability assessment and penetration testing activities by default. Because all compliance frameworks include security testing, it is impossible for these providers to be competitive without providing some form of notification and approval process that allows customers to assess their hosted environments; however, this almost never occurs with hosted platforms such as SaaS applications.
You should either include the right to test the platform you are considering, or require that the third-party provider conduct these assessments at a frequency reasonable enough to be meaningful, such as monthly, and make the results available to you. Assurances could range from an official management statement verifying successful vulnerability assessment or penetration test results, up to and including the raw data from those same assessments.
Security testing pitfalls
It is important to note that assessment frequency is not uniformly adopted across the industry assessment frameworks. For example, SSAE 16 only requires that quarterly vulnerability assessments be conducted and does not require penetration testing. The PCI DSS standard requires quarterly vulnerability assessments, annual penetration testing and vulnerability testing after production environment changes occur.
While software vendors patch vulnerabilities regularly, hackers create new system exploits every day, so the industry’s lackadaisical approach to vulnerability assessments and penetration testing should be reevaluated. It is highly advisable for organizations to take matters into their own hands and approach risk assessments more aggressively.
Right to be notified
A typical exclusion from service agreements, one you may not really think about but that is vital to your own business continuity and disaster recovery, concerns your right to be notified in the event a potential or actual security incident occurs at the third-party provider. By definition, a breach is the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of that personal information.
I strongly recommend that you include in your contract negotiations with your third-party service provider a 24-hour notification clause to your organization in the event that the provider suspects or is certain of a breach, incident, mishandling, leak or exposure of your data. Do not overlook those business relationships your vendor may have with other providers. It is unfortunately quite common for a cascading impact to emerge when one provider is compromised, leading to collateral damage that could be ultimately detrimental to your business.
While outsourcing your operations to a service provider may make a lot of business sense to you, it does not eliminate the possibility that you would be required to notify your customers, employees, shareholders or the board in the event a security breach or incident occurs.
While you do get to transfer or share some of your business risks with that third-party provider, you are not completely absolved from the damage to your business, and that risk potential could be catastrophic. Catastrophic meaning your business may not survive. The majority of companies within the small to medium size business (SMB) space do not survive six (6) months beyond a breach.
Right to access
It is not common for customers to have access to forensic information related to a security breach or data exposure on the service provider’s side; however, as I’ve previously stated, in contracts all things are possible. You should introduce contract language stipulating that once a breach or incident has been confirmed, you are entitled to the forensic information you will need to address your internal requirements involving business continuity, disaster recovery and incident response.
It is typical for service providers to keep customers in the dark, and sometimes this lack of transparency involving your data may persist upwards of ninety (90) days, which, when you are answering to the board, insurance providers, law enforcement and executive management, will seem like an unreasonable amount of time; you’d be quite justified in feeling that way.
The bottom line here is that if you do not have it in contract language, it is not enforceable and it does not exist. Companies, like people, behaviorally transform when under duress which is generally not a good thing.
Vendor risk assessment
A vital part of vetting any third-party provider relationship is the risk assessment. This is an aspect of a business relationship that organizations on average fail to perform more than 60% of the time. Your organization’s executive leadership may be interested in outsourcing or displacing risk to a third-party provider; however, the ultimate responsibility for the privacy, security, confidentiality, integrity and availability of your data and for business continuity falls with the home team.
A bona fide vendor risk assessment should be streamlined enough not to be an unreasonable burden on the prospective vendor, yet provide your organization with a reasonable comfort level that the fundamentals of cyber security are present. There are several best practice standards available to model your vendor risk assessments on, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 and the International Organization for Standardization (ISO) 27001.
You will want to collect and consider from the prospective vendor any third-party assessment reports and certifications they may possess, which would go a long way toward assuaging concerns you may have during the vendor risk assessment process. Depending on the business relationship and the data at risk, you should look for reports concentrating on SOC 1, SOC 2, SOC 3, FedRAMP, PCI DSS and ISO 27001. There are of course other attestations and compliance reports, so consider those on a case-by-case basis.
Keep in mind the potential quality difference that may exist between a self-certified report versus an independent attestation report or certification. If reviewing these reports or conducting risk assessments is not a strong core competency within your organization, there are of course proactive cyber security companies out there who will be able to assist you.
Outsourcing may have certain business advantages but we should not forget the exponential increase in risks associated with third-party business relationships.
It’s natural to assume that data ownership would not be in question given the fact that … it’s our data! There are several aspects to relying on a third-party provider to become the custodian of your organization’s information. Depending on the nature of the third-party business relationship, the lines between those points of ownership may be blurry.
You should try to establish clear territorial boundaries within your service contracts to avoid any unnecessary surprises or risks. Keep in mind that even obscure operational aspects such as data storage media replacement may pose a risk of data leakage to your organization if that media is mishandled by the third-party provider. Another example where data leakage risks are increased comes from software as a service (SaaS) providers that do not offer a truly independent instance for hosting your information. The hosting provider may actually mine your data and usage statistics for their own business purposes. Additionally, remember that in these cloud ecosystems (in the event of a breach or other significant incident) what happens to one may happen to all, which would include you.
Third party access and implications
I’ve already mentioned that the risks for data leakage are present in any cloud environment but exponentially more in shared environments. Data leakage risks are typically within the software as a service (SaaS) realm, but not limited to it. This rabbit hole runs deeper than you may realize. If you have not considered the implication that your potential third-party service provider may be using third-party provider resources themselves, you’d be overlooking an aspect of the vendor relationship that comes with its own challenges.
There are many documented cases where an organization was breached and the beachhead the hackers used was a compromised third-party provider relationship, creating a domino effect that impacted multiple independent organizations and their customers all at the same time.
Sustaining the Relationship
Cyber Insurance Exclusions
If you think that the business general liability or even purpose built cyber insurance policies will cover you in the event of a cyber security breach, it’s highly likely you are mistaken. In fact, it is in your carrier’s best business interest to deny your claim.
Chances are the exemptions in your policy exclude coverage for access to or disclosure of confidential or personal information which accounts for the majority of claims. Cyber criminals are in it for profit which means they are going after confidential or personal information.
Insurance claims are being denied when breaches occur as the result of hackers exploiting commonly known security vulnerabilities, which amounts to negligence on the part of the insured. When on average 96% of all breaches are avoidable, the only thing that stands between being breached and having your cyber insurance claim denied is the effective implementation of controls and countermeasures that comes from taking a proactive cyber security approach.
This again is one of those situations where betting the farm on the inexperienced could spell disaster for your company. At least have a conversation with a proven cyber security risk assessment firm. Typically this advice does not cost you anything and the recommendations may very well help you avoid this and other common pitfalls so many businesses experience.
Vendor risk assessments
Just as you vetted a third-party provider while considering engaging it for your cloud computing requirements, once contracted you should perform vendor risk assessments on at least an annual basis, just as you did during the vendor vetting phase. In cases where the vendor is the custodian of data that would be considered restricted and would require breach reporting in the event of an exposure, the frequency of these risk assessments should be increased.
An important fact not to lose sight of is that your vendor risk assessment cycles may be out of synchronization with the vendor’s third-party attestation reviews, and if the vendor fails a particular aspect of that compliance review, the failure may impact your own operations as well, so you want to know about it sooner rather than later.
An important part of a risk assessment is what’s called the site visit, which is nothing more than physically inspecting the service provider’s operations, including the data processing side. Depending on what type of data is being processed, this may not be important enough to add to your vendor risk assessments.
A site visit is warranted, for example, if the service provider processes restricted data such as credit card numbers, social security numbers or any other data whose exposure would trigger a breach notification. Each state has its own breach notification rules; be aware of them so you can fully understand what your business requirements are in the state(s) or countries where you do business.
If your service provider is the custodian of your data and an exposure would require a customer notification, you should be conducting an annual site visit along with more frequent vendor risk assessments to verify your service provider is holding up their end of the cyber security bargain.
SOC, PCI, FedRAMP, ISO 27001 certifications
The SSAE 16 SOC 1, SOC 2, SOC 3, PCI RoC, PCI SAQ and FedRAMP assessments are conducted annually. You should request a copy of the reports from your service provider annually, when they first become available, and look for any troubling results. The exception here is ISO 27001. An ISO 27001 certification is valid for a three-year period of time and only a certificate is presented, making it impossible for customers to read the audit report and make an informed decision about their vendor. Additionally, three years is like an eternity in the technology world, so the value proposition is diminished when a vendor offers you a copy of their ISO 27001 certificate, unless you have required them in your service contract to share a copy of the actual audit report.
The SSAE 16 SOC 1, SOC 2, SOC 3, PCI RoC, and FedRAMP assessments are by far the more meaningful reports, simply because they are conducted annually and are performed by independent third-party assessment organizations that are authorized to perform the assessments.
The Big Breakup
All things eventually come to an end and your third party service provider relationship is not an exception. Regardless of how that vendor relationship ends, your primary concern should be about the protection of your intellectual property and your sensitive or restricted data. If you have been diligent along the way now is not the time to become complacent.
Systems will be decommissioned and data will be processed either by transfer and/or destruction. This protocol should have been detailed in your service contract. If it has not, then try to work with your (soon to be) former service provider to manage exiting the relationship in a way that does not pose a risk to your organization (or to anyone represented or otherwise contained in the data).
Chain of custody is important with the transfer of data and systems, so make certain the people who are responsible for this transaction are knowledgeable and experienced, to help ensure this does not become an exposure requiring notification to the state(s) or countries whose citizens are represented within your data stores.
We have taken a cursory review of initiating a contract relationship in Considering Cloud Computing. We have examined some on-going best practice recommendations in Sustaining the Relationship. The Big Breakup consisted of some closing comments to keep your company protected.
I’ve covered quite a few common high-level points that should not be overlooked when considering or sustaining a cloud computing business relationship. Keep in mind that this review is not intended to be a comprehensive list, because every business is a little different and service providers are unique as well.
You are not alone if you think that this is a bit overwhelming. The best path is to get assistance from a reputable and experienced proactive cyber security company to help you identify and manage the risks along the business lifecycle. When the average cost of a breach per company is $5.9 Million USD, and the cost of expert assistance is less than the salary of a single employee dedicated to cyber security, it should be an easy choice to avoid trouble rather than invite it.
I’d be remiss if I did not mention Continuum GRC and Lazarus Alliance the Proactive Cyber Security® companies for Audit & Compliance, Risk Assessment & Management, Governance & Policies and Cybervisor® services.