Friday, August 6, 2010

Assessing Risk in the Cloud

Source: Security Buyer Magazine

Introduction

The global adoption of Cloud Computing and Software-as-a-Service (SaaS) is increasing in intensity, forcing businesses that want to remain competitive to evaluate how SaaS can be put to work for them. To complete such a measured analysis, enterprises must carefully weigh the relevant risks alongside SaaS's many benefits.

Users Moving Sensitive Applications to the Cloud

I recently blogged a case study describing how a large county in the US moved several sensitive applications to the cloud and the decision-making process involved (“Real World Risk Management and the Business Value of SaaS”, http://www.cyber-crime.biz).

For this county, both data and applications are hosted offsite and include patient care, human resources, crime reporting, credit card compliance and security team services. One of the conclusions we reached with them is that, by distributing their applications and data among several independent vendors, the risk of a catastrophic failure taking down all applications at once was significantly lower than the risk of a failure of their own single data center.

What’s My Real Level of Security?

The other key point from this case study is the divide that often exists between an organization’s required level of security and its actual security posture. Our recommendation: the county’s actual security could be significantly improved by contracting a third party who is committed to a higher standard of security.

Evaluating Risk

In the case discussed above, this county organization was reaping substantial, measurable benefits from moving to the cloud. But is that where it ends? How does an organization determine what its risks are when evaluating whether to move physical security and business applications to the cloud?

ASIS International (www.asisonline.org), the Cloud Security Alliance (www.cloudsecurityalliance.org) and the European Network and Information Security Agency (http://www.enisa.europa.eu) provide valuable answers to this question. ENISA’s document titled “Benefits, risks and recommendations for information security” is a useful guideline to help evaluate risk likelihood and impact. Some 35 policy and organizational risks are covered.

Technical Risks

To gain a more comprehensive understanding of these risks, one should read the full report. One quarter of the identified risks are rated significant, and those are listed briefly as follows:

  • Loss of Governance (lessened security controls affecting confidentiality, integrity and availability, and subsequent compliance challenges)
  • Compliance Challenges (lack of evidence that compliance requirements will be met, and identifying the need for an independent audit)
  • Changes of Jurisdiction (unpredictable or autocratic legal frameworks in other jurisdictions may place data at risk of disclosure)
  • Data Protection (lawful handling, collection and storage of data)
  • Network Management (congestion, mis-connection and non-optimal use)
  • Isolation Failure (separation of multiple tenants’ storage, memory and routing)
  • Malicious Insider (system administrators, auditors and managed security service providers)
  • Management Interface Compromise (manipulation and availability of infrastructure)
  • Insecure or Ineffective Deletion of Data (several scenarios whereby customer resources are maliciously used, resulting in an economic impact)

Evaluation and Process Risks

In addition to the technical risks outlined above, several other factors should be considered when evaluating and developing a business case to manage the risks that might impact the project. Those factors include:

  • Business Case

Evaluate and document the financial and organizational benefits.

  • Risk Appetite

Decide your organization’s risk appetite. Which risks are non-negotiable (e.g. mandatory compliance)?

Meet with business unit heads and discuss, in business terms, the risks and their position relative to business benefit.

  • Good Advice

Ensure that you receive competent counsel. Don’t assume that all IT and security staff will be conversant with the risk process for cloud technology.

Review certifications of technical staff: for example, the Cloud Security Alliance recently announced the world’s first user certification for cloud security knowledge (CCSK), available from September 2010.

Utilize the tools provided by CSA and ENISA.

  • Evaluate Potential Cloud Vendors

Can you measure the quality?

Do they have their own audits that conform to a standard, and will they share control measures and audit results?

Are their staff subject to background checks?

Who has access to your data and where will it reside?

What is the degree of “fit” with your written performance and security requirements?

Does a service level agreement adequately describe what is being delivered?

Some cloud vendors are willing participants in describing their assurance process; see the article by Brivo Systems’ John Sczygiel at http://blog.brivo.com/bid/40112/Do-You-Trust-Your-Cloud.

  • Contract

Your bargaining power may be limited depending on the size and duration of your requirements, and whether the application is a custom or a commercial SaaS offering.

What are you getting?

Is the service adequately described or does it leave room for assumptions?

Are there any special requirements (e.g. availability of system log report documentation, required to meet a compliance requirement)?

Document the risks and who is responsible for specific performance requirements, especially if the impact on the enterprise could be significant.

  • Notification and Remedies

Consider the escalation process if things do go wrong.

What is your recourse to seek performance?

If there is the potential for legal action, what form will it take and in which jurisdiction will it occur?

Ensure exit clauses cover ownership and extraction of your data. For sophisticated applications, the format you receive data in should be thought through in advance.

In Conclusion: Balance

There are many ways to manage risk. The key word is manage: making informed, conscious decisions about the value received compared to what is presently being attained.

The business benefits of SaaS and Cloud solutions can be maximized by forming a project team of appropriately skilled staff and/or consultants with knowledge of the source material outlined above. Using this team to engage the relevant business stakeholders in a meaningful risk decision-making process prepares the organization for a relevant, targeted evaluation of vendors. In so doing, you will obtain accurate specifics about the service offering and the business benefits received.

- Shayne Bates
