Taming the Wild West: How to build a strong cloud security strategy

Technology

Can You Reap the Benefits of the Cloud?
Perhaps you are not yet convinced that the benefits of the cloud outweigh the considerable legal and regulatory risks. Or maybe you are waiting for the right moment to commit. You ask, “Are we ready to shoulder the responsibility of moving our data to the cloud?” and “Do we really know what good cloud security is for our company?”
The cloud is a fast-moving target that will operate very differently six months from now than it does today. It is clear, however, that companies are already reaping game-changing benefits by using the cloud to, for example, improve time to market or quickly scale their capacity up or down. And many are doing so in a controlled and secure way, either using the cloud provider’s services or supplementing those services in-house.

Indeed, the cloud represents a fresh chance for organizations to rethink their approach to information security. Typically, security is a bolt-on affair, limited to dealing with the inadequacies of a specific technology. That approach is reactive and bottom-up.
As companies transition to the cloud, they have the opportunity to adopt a top-down approach in which the security framework is understood, set and supported by management. And in many cases, organizations will not own the security mechanisms themselves. An effective cloud security program will delegate layers of security to various parties, with cloud providers doing their part as well.
Security management is about protecting the company and its assets. It is not a purely technical issue. The topic covers legal, compliance and regulatory requirements, hackers and attackers, threats and vulnerabilities.

So far, the security race has not fully kept pace with the speed at which the cloud model is moving. That will change rapidly, as cloud providers continue to mature their security operations, the law catches up with technology, and standards emerge to address the risks of a multi-tenant computing environment.
Based on Accenture’s experience working with the providers and clients breaking ground in the cloud, we recommend five principles for crafting an effective cloud security strategy.
Five principles for crafting a security strategy

1. Know your appetite for data privacy and security risk.
2. Expect to share responsibility.
3. Demand transparency and accountability from cloud providers.
4. Use the cloud to solve identity and access management issues.
5. Architect solutions that address the risk.
Know your appetite for data privacy and security risk
Legal and regulatory issues are amplified in a cloud setting. These issues can pertain to the handling of an incident, protecting individual data privacy or collecting evidence. Cloud technology is evolving so fast that legislation and regulations have not been able to keep pace with its development, leading to different and sometimes conflicting obligations in terms of who has to follow the law. This is something recognized by the EU, and the revision of the EU Data Privacy Framework Legislation will seek to catch up with developments in technology.
It is important, first, to distinguish between data privacy and security. Compliance with data privacy law is a minimum requirement. That goal can be achieved in a number of ways—for example, by collecting only the minimum amount of personal information or issuing notifications in case of a breach. Security is a broader topic that allows an organization to take clear-cut action in accordance with strategic objectives and the importance of the assets that will be at risk.
To figure out whether a risk is worth taking, companies need to classify (and value) their data and make internal policy decisions regarding how to handle each class. Low-sensitivity and non-personal data are not regulated by data privacy laws and can be placed in the public cloud without modification of standard contract terms or operational controls. Enterprises may decide to retain confidential and regulated data in-house or filter it before passing it through to the cloud — though some companies are choosing to put sensitive data in the cloud in controlled use cases, fulfilling the legal requirements around transfers of data to determine where the real issues lie.
Data can also be delineated by risk based upon knowledge of the application type that will move to the cloud, such as:

• Enterprise applications – core line-of-business applications that involve personally identifiable information (PII) and contain regulated data that must be handled internally or in a co-location facility on behalf of clients
• Edge applications – applications that are not mission critical, have no data issues, and can be hosted in a dedicated or shared environment
• Application extensions – extensions of enterprise or edge applications, such as components used for bursting of bandwidth, web portals or front ends with seasonal usage, which can be hosted in a dedicated or shared environment
The costs of adding confidentiality, integrity and availability protection mechanisms for each application type will vary. For example, a core banking application or manufacturing process control system will not relocate to the cloud without steep security investments. Ultimately it will be up to management to decide if the benefits outweigh any residual risks.
The Compliance Dilemma: Regulations in Need of a Globally Harmonized Approach
The security and data privacy laws and regulations currently in force were instituted pre-cloud. They reference de facto standards (e.g., ISO/IEC 27000-series, NIST Special Publications) that do not attempt to decipher or address cloud issues such as continuity of cloud services, evidence control in a virtualized environment or security architectures across jurisdictions.
As a result, cloud security solutions that rely solely on these standards will sometimes find themselves in conflict with, or deviating from, regulations. Across the European Economic Area (EEA), data privacy laws prevent data from being accessed or transferred outside the EEA unless certain preconditions are fulfilled. In order for companies to store EEA data in clouds outside of Europe, these conditions must be satisfied by the cloud providers and described in the terms of service. Non-EEA cloud providers that do not meet these legal conditions are not eligible to host EEA data.
Even when regulations are not directly at odds with what the cloud is trying to do, ambiguity and the thicket of potentially conflicting laws cast a cloud over companies’ initiatives to deploy to the cloud.[1] Here are just a few examples of the quandaries companies face:
• Laws requiring backups to be encrypted (such as the Health Insurance Portability and Accountability Act (HIPAA) and in Massachusetts and Nevada) can be difficult to interpret in a cloud environment. Who is responsible for performing the backup? For the encryption? In addition to application-level encryption, who is responsible for encrypting data and hardening communication channels as data gets replicated between data centers?
• Laws that include physical and hardware security requirements (Spain, Italy and Massachusetts) don’t specify who is responsible for implementing these requirements in a shared environment. How does a cloud supplier respond to multiple overlapping requirements from different customers?
• Laws controlling data retention may conflict with each other or with governing data privacy laws. If an enterprise needs to collect passport information, there will likely be a local mandate for a retention period, and that mandate may conflict with data privacy laws of another country.
Until global IT, data privacy and information security regulations are updated and harmonized, companies should survey the cloud provider’s security and data privacy controls in the countries where they operate or where their data may reside, and then use a cumulative set of requirements as a baseline. That knowledge can help businesses and cloud providers resolve impasses regarding data privacy and security. Indeed, a close analysis of a wide swath of data privacy and security laws reveals that many countries’ compliance regulations are overlapping, but also contain specific requirements.
Furthermore, organizations should be aware of and help accelerate the creation of global harmonized requirements for data privacy and security and global standards by industry groups. The Common Assurance Maturity Model (CAMM) and the Open Group Initiative are but two examples of efforts to create the standards on which regulations rely. CAMM, for example, is proposing standard levels, similar to the ISO 27005 certification model, to help companies perform due diligence on cloud providers. Instead of performing a full audit themselves, clients can rely on the CAMM certification level achieved by the provider.
A Cloud Computing Risk Management Framework
The shift to cloud computing alters the risk landscape, just as any technological change does; and this risk must be analyzed and then mitigated at the enterprise level. If data is stolen or released by mistake, for example, a company would be exposed to direct losses, public embarrassment, and lawsuits as well as the costs of undoing other damage.
There are new vulnerabilities and threats that are specific to cloud computing. For example, a cloud provider can outsource certain specialized tasks of its “production” chain to third parties. In such a situation, the level of security of the cloud provider depends on the level of security of each one of these links as well as the level of dependency of the cloud provider on the third parties.

Multi-tenancy and shared resources, two of the defining characteristics of cloud computing, can in the extreme introduce “class breaks”. Here a failure in the mechanism that separates storage, memory and routing would lead to new attacks, ranging from data theft and service disruption to invalidation of assurance levels for both the cloud provider and its clients.
Decision Point: Do You Need to Know Where Your Data Will Reside?
Control over data location comes up frequently in contract negotiations. Cloud providers prefer to locate data wherever it makes the most sense from a scale and cost perspective, while customers want to dictate that location.[2] Remember, regulated data remains regulated regardless of its location, and data owners remain responsible for the acts and omissions of their service providers.
Providers should be able to pinpoint the country or countries in which the data is located; the sticking points are whether they have the freedom to move that data and whether they will agree to the obligatory contractual and operational guarantees that satisfy applicable legal requirements based on the data’s origin and use. In several industries, such as biopharma, momentum is building to harmonize regulations related to the cloud, particularly those related to data location, roles and responsibilities, movement restrictions, and government data access.[3]
Understand the cloud, gain visibility into the cloud, govern the cloud

• Determine the level of risk that you are willing to take by rigorously analyzing threats and vulnerabilities and selecting countermeasures.
• Use technical, administrative and physical control mechanisms to check the security health of a cloud provider.
• Ensure executive management is on board, define policies and implement a continuous security program.
• Verify that security controls are maintained so long as the relationship is in place.
• Ensure strong coordination with and direction of system integrators used to place and maintain regulated data in the cloud.
• Harmonize the right regulatory regimes and legal requirements from different industries, countries and jurisdictions.
• Find the right mix of guidance and standards: National Institute of Standards and Technology, International Organization for Standardization, European Network and Information Security Agency.
• Sense and predict when systems will deviate from the norm in order to avoid violations and emerging threats.
• Promote security awareness with employees and provide checklists of “must-have” security criteria for contracting teams, systems integrators, and application developers.
• Ensure that vulnerabilities are caught early and deploy cloud-specific defensive capabilities.
• Verify that SLA/contract terms are favorably established with all cloud service providers.
Goals: Share risk, establish trust and get assurances
Figure 1. Achieving scale to reduce risks and costs. [Figure: two panels from a survey of 3,280 companies (source: IT Policy Compliance Group), each plotted from least mature to most mature organizations: months between assessments (0 to 7) and relative spend on regulatory compliance (0% to 100%). Automation increases audit frequency, which reduces risk; mature organizations use automation to reduce costs by up to 54%.]
How can a cloud provider be safer than my own data center?
Security is a heavy burden for many companies. Security patches have to be kept up to date, and configurations monitored for breaches. The turnaround time to apply a software patch typically runs 30 days and does nothing for unknown and advanced threats, such as the 6 million new viruses identified in 2010. Companies cannot thwart sophisticated cyber-attacks without advanced security capabilities, but building ROI business cases for these capabilities is difficult.
The automation of routine security activities — which has moved from once a year or once a quarter, to once every month or even every day — leads to much lower risks and costs. (See Figure 1.) Various security measures can be achieved at lower cost when implemented on a larger scale. Cloud computing provides an opportunity to escape from the treadmill of patching systems and operational security activities.
Large cloud providers such as Microsoft, Amazon Web Services, Google, and Salesforce.com run tens of thousands of identical systems to take advantage of the economies of scale. Having grown up managing mountains of data and complex IT operations, cloud service providers perform many tasks automatically, at far less expense, than the majority of companies can. And by leveraging custom-built and uniform systems, they manage systems better than most of their customers do. It is the scale and embedded automation that make a cloud provider’s shared data centers safer than many companies’ private data centers.
Keep in mind that most public cloud providers will provide only a base level of service that is common to all customers. Cloud providers with a heritage in co-location or dedicated hosting are uniquely able to customize and add on security services for an incremental cost.
Expect to share responsibility
It is crucial to clarify the roles of the data owner, cloud provider and system integrator, if applicable, in delivering legally compliant solutions. From a legal perspective, there is no clear division of labor between the cloud provider, an application manager (or system integrator), and the data owner. The law only cares that certain things get done, no matter who actually does them, and makes the data owner responsible for the outcomes.
Unfortunately, many data owners and cloud providers have misperceptions of their responsibilities that hinder the evolution of a secure and compliant cloud solution. The division of labor varies by the cloud service model. Some requirements will be in the span of the cloud provider’s control, others in the tenant’s control. For example, a provider may be responsible for a business continuity or disaster recovery capability that is not a standardized component of its offering. The provider may not be equipped to fail over to its own cloud, but there may be an opportunity to design a fail-over solution to another data center.
A slew of security and compliance capabilities can be added to a cloud provider’s standard offer. Yet in our experience to date, cloud providers view one-off customizations for customers as anathema to their business models. Companies, regulators and the public should continue to pressure cloud providers to ensure that their services support compliance with applicable data privacy and security requirements.
Cloud providers remain reluctant to commit to terms that would help clients and consumers meet their obligations to the law, describing these requirements as impossible or at least prohibitively expensive. But in fact, overlapping regulations have much in common; the superset of major regulatory requirements around the world can be determined with relative ease. In short order, we expect cloud providers to recognize this fact and change their stance.
The willingness of the cloud provider to share the risk as a “service provider,” and in turn bear the necessary legal obligations on the part of the data owners, is a key part of the equation. Indeed, progressive public cloud providers can be used to host a wide array of confidential and regulated data. For example, most organizations interpret the legal or regulatory requirements to encrypt data at rest too stringently. Encryption is one way to obfuscate data, but there are other ways to achieve the same end, including masking the data and making it difficult to reassemble (by scrambling and distributing data components through virtualization). Google uses the latter approach, which currently does not satisfy encryption laws or regulatory regimes such as the Payment Card Industry (PCI) or HIPAA. Given that encrypting data at rest in most cloud solutions usually means the customer loses possession of the encryption key itself, Google's obfuscation approach, which keeps even Google from easily reconstructing the data, may be a valid alternative.
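The key-possession problem above has a well-known mitigation that the paper does not spell out: client-side envelope encryption, where the customer keeps the key-encryption key (KEK) and the provider stores only ciphertext plus a wrapped data-encryption key (DEK). The following Go program is an added example, not code from the paper or from any provider; the KEK, the sample record and the provider-side key are constructed for illustration.

```go
// Added example (not from the Accenture paper): client-side envelope encryption.
// The customer generates a fresh DEK per object, encrypts the object with it,
// wraps the DEK under a customer-held KEK, and sends only the two ciphertexts
// to the provider. The provider never sees the KEK, so it cannot unwrap the DEK.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what the cloud provider holds: no plaintext, no usable key.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
}

// gcmSeal encrypts with AES-256-GCM and prepends the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen splits off the nonce and authenticates before returning plaintext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Encrypt runs on the customer side before upload.
func Encrypt(kek, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK: unwrap the DEK first, then open the object.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Ciphertext)
}

// ProviderCanRead models the provider's position: it holds the stored object
// and whatever key material it generated itself, but not the customer's KEK.
func ProviderCanRead(providerKey []byte, obj StoredObject) bool {
	_, err := Decrypt(providerKey, obj)
	return err == nil
}

func main() {
	kek := make([]byte, 32) // constructed customer KEK; in practice from an HSM or on-premise KMS
	rand.Read(kek)
	obj, _ := Encrypt(kek, []byte("patient record 42 (constructed sample)"))
	pt, _ := Decrypt(kek, obj)
	fmt.Println("customer reads:", string(pt))
	providerKey := make([]byte, 32) // any key the provider holds; it is not the KEK
	fmt.Println("provider can read:", ProviderCanRead(providerKey, obj))
}
```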
The issue of data residency is significant and poses a real hurdle to the adoption of cloud computing. Enterprise users of cloud services are uneasy about the potential for a foreign government to demand access to their data. On the other hand, governments worry about losing the legal ability to oversee data in the cloud and apply their laws to data that is stored outside geographic boundaries.
All organizations, multi-nationals in particular, can reduce data privacy risks by creating accountability through robust contractual agreements, including EU Model Clauses. Each accountable party is then responsible for the data handling and protection, including addressing the important issue of transferring data across legal jurisdictions. However, the enduring solution to the data residency issue needs a global approach that includes industry involvement and recognizes and builds on existing initiatives such as the Data Privacy Accountability Model, Privacy-by-Design, and Binding Corporate Rules.
Decision Point: Pick a Cloud Model that Works for You
Cloud computing models vary significantly in the security controls employed by the provider and its willingness to commit to terms and conditions (Figure 2). Most of the regulatory compliance burden will fall on the customer of Infrastructure as a Service (IaaS). Platform as a Service (PaaS) is in the middle. With Software as a Service (SaaS), the burden shifts to the supplier.
These differences underlie trends in current adoption rates of these cloud models. A 2010 Technology Business Research survey found that 54 percent of respondents in the United States and Europe had purchased SaaS, while only 26 percent had purchased IaaS solutions.[4] Almost 40 percent of the respondents claimed to be planning purchases of both SaaS and IaaS by the end of 2011.
Hybrid models mix internal infrastructure, private cloud, and public cloud, and are designed to allow companies to take advantage of the economies of scale and computing power of the public cloud but store sensitive data internally.

At the end of the day, there is no 100% turnkey cloud solution. Data owners, cloud providers and system integrators (if involved) must be willing to agree to each of their roles and obligations in any cloud solution, regardless of the type.
Figure 2. A spectrum of cloud service models. [Figure: matching application styles (content collaboration and distribution, core applications, web extensions to core applications, marketing portals and applications, vertical-specific high-performance applications) to deployment options (internal data center, dedicated hosting, co-location, private cloud, hybrid cloud computing, public cloud) and service models (SaaS, PaaS, IaaS).]

• Software as a service (SaaS) – The provider offers finished applications that are very tangible and easy to understand (e.g., email, collaboration, communication, customer relationship management). The embedded security and compliance features of the software may not be customizable. NetSuite, Microsoft Office 365, and Gmail are examples of SaaS solutions, sometimes also called “desktop as a service.”
• Platform as a service (PaaS) – The vendor abstracts the virtual infrastructure but gives the customer flexibility to build its own applications. Examples include Force.com, Microsoft Windows Azure, and Google App Engine.
• Infrastructure as a service (IaaS) – The enterprise purchases a logical infrastructure, typically preloaded with an operating system. The customer determines how to use the hardware and selects most of the security, data privacy and compliance controls. Examples include Amazon EC2, VMware vCloud, Verizon Computing As A Service. Co-location and server hosting, both well-established outsourcing models, are similar to IaaS.[5]
Multi-tenancy and shared resources, two of the defining characteristics of cloud computing, can in the extreme introduce “class breaks”. A class break occurs when one breach leads to a whole new category of attacks on a range of systems.
Demand transparency and accountability from cloud providers
Cloud providers should be transparent — willing to tell customers what they do. And they should be accountable – willing to take responsibility for their acts and omissions. If data owners cannot win a reasonable amount of transparency and accountability from cloud providers, they should walk away from the negotiating table.
It is not reasonable, of course, to expect cloud providers to divulge their trade secrets or compromise the security of their network. However, subject to nondisclosure agreements, when both parties are known entities, there must be sufficient disclosure to allow data owners to make meaningful risk-based judgments about how to handle their data. Lacking transparency, basic risk management methodology forces companies to assume, or at least plan for, the worst-case scenario.
For example, some cloud providers label themselves as “Payment Card Industry-ready” or “validated as PCI Data Security Standard compliant,” implying that they adhere to the 12 requirements for any business that stores, processes or transmits payment cardholder data. That does not mean an enterprise is automatically PCI DSS-compliant if it is a tenant of that provider. The only way a customer could become automatically compliant would be if a PCI-compliant cloud provider managed all the way up the application stack. Organizations have to engage in the effort to determine any missing capability (e.g. missing documentation, private key rotation, anti-virus scanning) and then find a fix or workaround.
Cloud providers are also customers. For example, a provider of SaaS may contract with another provider for infrastructure. As customers, these providers can lack the visibility and control into the workings of other providers that would allow them to commit to a specific level of service.

A combination of security reviews across the physical infrastructure, cloud management software and the application will provide the complete compliance and situational awareness picture. Figure 3 shows how both a cloud provider and a data owner have increasingly less visibility as the stack of providers deepens.

No single set of standards will be definitive. The appropriate standard is one that takes into account multiple regimes and legal requirements.
Figure 3. The more parties in the equation, the less visibility. [Figure: enterprise acquisition strategies (in-house implementation, direct purchase, outsourcing arrangement, systems integrator) sit above a software cloud supplier (e.g., Salesforce.com, Workday, Ariba, Google Apps), a platform cloud supplier (e.g., Windows Azure, VM Force, Force.com) and an infrastructure cloud supplier (e.g., BT, Verizon, AWS, NTT Communications). Degree of control and visibility decreases down the stack, and each layer reveals new risk: SLA dependence, supplier/SW pedigree, compliance traceability, security courses of action.]
Eventually, we will see a set of standard audit frameworks that can be reused across cloud providers and multiple cloud application authorizations (see Figure 4). Until then, companies should approach conversations with cloud providers as they do any other vendor conversations — from the bottom up (people, process and technology) and the top down (risk, compliance, governance). A cloud provider that has a good process will likely have a good product. It will be your responsibility as the buyer to evaluate the assurance level of a cloud provider’s claims.
As consumers of cloud services, data owners or system integrators should ask the following questions:

• How does the provider’s technology work, and which of their people (including subcontractors) have access to customer data?
• What testing has been completed to verify that service and control processes are functioning as intended and that unanticipated vulnerabilities can be identified?
• To what extent is security embedded in the cloud solution?
• Does the cloud provider reserve the right to change its terms and policies at will (this right significantly magnifies data privacy and confidentiality risks)?
• Do we know how to secure each cloud service provider by incorporating security controls and risk mitigations?
• Have we accepted, reduced, transferred or mitigated the risks? What processes do we have in place to verify periodically that controls are functioning?
With all these outstanding questions, there needs to be a more effective way forward to achieve accountability. A key finding from our work with the World Economic Forum[6] is the need for governments worldwide to adapt and harmonize regulations relevant to cloud. The aim is to improve regulatory applicability and reduce divergence across jurisdictions, while considering the maturity of the overall industry. This would imply achieving a harmonized approach to the underlying principles that guide the regulation, which currently differ among jurisdictions – notably through the US’s fragmented approach to data privacy regulation and the EU’s more universal one. Minimum regulatory standards are not a solution – they are often not sufficient to reduce complexity, as they do not stop countries from introducing additional provisions.
Figure 4. Relevant standards and specifications

Cloud Security & Data Privacy Industry Organizations
• Cloud Security Alliance (CSA)
• American Institute of Certified Public Accountants (AICPA)
• Object Management Group (OMG)
• Trusted Computing Group (TCG)
• PCI Security Standards Council
• Distributed Management Task Force (DMTF)

Standards Bodies
• International Organization for Standardization (ISO)
• National Institute of Standards and Technology (NIST)
• European Telecommunications Standards Institute (ETSI)
• European Network and Information Security Agency (ENISA)
• Organization for the Advancement of Structured Information Standards (OASIS)

Standards and Specifications
• ISO 27001/27001 Series
• NIST 800-53 Special Publication
• PCI-DSS
• Web Services Security / SAML
• Open Authentication (OAuth)
• SSAE 16
Use the cloud to solve identity and access management issues
Identity management in the cloud matters just as much as outside the cloud: Let the good guys in and keep the bad guys out using a proven, flexible identification and authentication process. Companies want one view into users and applications, regardless of whether they reside in the cloud or on premises.

Every time a user accesses a cloud resource, a defined interaction should analyze the trust assignments and allow appropriate access. Access control will be your first line of defence to protect your assets and resources. Remember, access control is not just technical or logical (e.g. passwords and software configurations). Access control spans administrative controls (e.g. internal policies, screening of personnel, security awareness training) and physical controls (e.g. protecting individual networks, locks and alarms on exterior doors, security guards).
Logical identity (and access) management is one of the fastest-moving areas in the cloud ecosystem, and we expect that identity will become a “service” over the next few years. In other words, identity management tasks (enrollment, provisioning, authentication, authorization, audit, single sign-on, role management and reporting) will progressively move from an on-premise solution to a SaaS model (Figure 5). This approach will catch on fast, too: By some estimates, Identity as a Service will expand into a $700 million business by 2014.
Vendors are responding. Verizon has a host of identity management offerings that are managed and cloud-friendly. For this vendor, a purchase of cloud computing services can also include a bundle of authentication and directory services. Salesforce.com is another vendor that offers improved identity management. Salesforce.com has a sophisticated roles-based access control system that manages the assignments of permissions to all objects in the application, including data and display items.
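To make the per-access “defined interaction” and the object-plus-display-item permission model concrete, here is an added example in Go (not code from the paper, Salesforce.com or Verizon): a deny-by-default role-based evaluator that grants actions per object type, filters fields for display per role, and records every decision for audit. The roles, object type, field names and users are constructed for illustration.

```go
// Added example (not from the Accenture paper): a deny-by-default role-based
// access control check of the kind the text describes, run on every access.
// Each role is granted actions on an object type and, separately, the fields
// of that object it may display; every decision is appended to an audit trail.
// Roles, object and field names below are constructed for illustration.
package main

import (
	"fmt"
	"sort"
)

type Action string

const (
	Read  Action = "read"
	Write Action = "write"
)

// ObjectPerm holds what a role may do with an object type and which of its
// fields (display items) the role may see.
type ObjectPerm struct {
	Actions map[Action]bool
	Fields  map[string]bool
}

// Policy maps role -> object type -> permissions.
type Policy map[string]map[string]ObjectPerm

// Decision is one audit record: who asked for what, and the outcome.
type Decision struct {
	User, Role, Object string
	Action             Action
	Allowed            bool
}

type Evaluator struct {
	policy Policy
	roles  map[string]string // user -> role (one role per user, for brevity)
	Audit  []Decision
}

func NewEvaluator(p Policy, roles map[string]string) *Evaluator {
	return &Evaluator{policy: p, roles: roles}
}

// Check is the interaction run on each access: unknown users, unknown objects
// and ungranted actions are all denied, and the decision is recorded.
func (e *Evaluator) Check(user, object string, action Action) bool {
	role, known := e.roles[user]
	allowed := false
	if known {
		if perm, ok := e.policy[role][object]; ok {
			allowed = perm.Actions[action]
		}
	}
	e.Audit = append(e.Audit, Decision{user, role, object, action, allowed})
	return allowed
}

// View applies field-level display permissions on top of the read check.
// It returns nil when the user may not read the object at all.
func (e *Evaluator) View(user, object string, record map[string]string) map[string]string {
	if !e.Check(user, object, Read) {
		return nil
	}
	perm := e.policy[e.roles[user]][object]
	out := map[string]string{}
	for field, value := range record {
		if perm.Fields[field] {
			out[field] = value
		}
	}
	return out
}

// SamplePolicy is a constructed policy: clerks schedule, physicians treat.
func SamplePolicy() Policy {
	return Policy{
		"clerk": {"Patient": ObjectPerm{
			Actions: map[Action]bool{Read: true},
			Fields:  map[string]bool{"name": true, "appointment": true},
		}},
		"physician": {"Patient": ObjectPerm{
			Actions: map[Action]bool{Read: true, Write: true},
			Fields:  map[string]bool{"name": true, "appointment": true, "diagnosis": true},
		}},
	}
}

func main() {
	e := NewEvaluator(SamplePolicy(), map[string]string{"alice": "clerk", "bob": "physician"})
	record := map[string]string{"name": "J. Doe", "appointment": "Mon 09:00", "diagnosis": "constructed sample"}
	for _, user := range []string{"alice", "bob", "mallory"} { // mallory has no role
		view := e.View(user, "Patient", record)
		fields := make([]string, 0, len(view))
		for f := range view {
			fields = append(fields, f)
		}
		sort.Strings(fields)
		fmt.Printf("%s sees %v; may write: %v\n", user, fields, e.Check(user, "Patient", Write))
	}
	fmt.Printf("%d decisions audited\n", len(e.Audit))
}
```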
One piece of caution: Cloud data centers are alluring targets for cyber-criminals because of the concentration of data from multiple sources. Vulnerabilities include infiltration of suppliers by criminals using stolen identities, insiders colluding with criminals, or brute force attacks. The concepts of authentication and identity management should also be applied to the entire supply chain – to determine the authenticity of all components. While standardization and large-scale operations help prune out errors and vulnerabilities (see the sidebar “How can a cloud provider be safer than my own data center?”), the attack surface is larger and the opportunity, motive and methods of criminals are advanced and persistent.
Companies with a high degree of data sensitivity should assess the supply chain risk if a component, business process or individual is compromised. Like any outsourcing vendor, the cloud data center itself should be evaluated in terms of vendor pedigree, the potential for counterfeits and insider threats. Some of the questions to ask include:

1. Is our supply chain geographically and geopolitically resilient to risk? Is the risk spread across an appropriate number of partners?
2. Are our contracts and relationships flexible?
3. Do our service level agreements protect our exposure?
4. Can we predict a supply chain risk event?

Each cloud provider will vary in terms of their level of protection against these so-called supply chain cyber-risks.
Figure 5. The many faces of identity and access management – from private to utility-based services. [Figure: a past-to-future spectrum running from custom, on-premise solutions through private, managed, outsourced and hybrid models to standardized solutions delivered as cloud, utility and SaaS services.]
Architect solutions that address the risk
In the near term, many enterprises
will select hybrid clouds as a bridge
solution waiting for the industry
to mature and data privacy and
compliance features to be gradually
“designed into” standardized offerings.
A hybrid model allows organizations
to hedge their bets and keep parts
of their system in house while taking
advantage of running dedicated
processes as cloud services.
As an example of cloud security architecture, consider a healthcare provider that wants to secure patient-related medical data on a public cloud. The first step would be to look
at whether the cloud solution can be
HIPAA compliant. The company would
need to get a Business Associate
(BA) agreement through which the
cloud provider would adhere to HIPAA
security and data privacy rules.
Public cloud computing vendors have
very large financial incentives to
provide the data privacy and security
controls that companies are requesting
in order to move mission-critical
applications into shared environments.
The company would then evaluate
the business and regulatory risks
associated with outsourcing patient
records to a third party. Finally,
the solution would have to cover
unambiguous requirements such
as record-level logging and audit
capabilities, encryption of data,
and breach notification procedures/
requirements for any lost or
compromised data.
These changes will come, and very
soon. One step in this direction is
represented by Google Apps for
Government. With this solution,
agencies are assured that their supplier
has passed Federal Information
Security Management Act (FISMA)
certification and accreditation. Google
was the first vendor in the industry
to complete certification and receive
“an authority to operate” at the
FISMA-Moderate level. This type of
"community cloud" – as defined by the
National Institute of Standards and
Technology – is also available from
Microsoft for U.S. federal, state, or
local governments.
Over the next several years, companies
and suppliers will grow smarter about
where they run applications and how
they deal with security management
on the cloud. As they do so, they will
use the savings to invest in security
architectures and innovations that add
value to the business.
Even with a BA agreement, the third
party could lose data. The security
architecture implemented to address
gaps could incorporate innovations
such as:
• Mask sensitive information, if any must be sent. Map a 9-digit SSN to an obfuscated 15-digit number and keep a look-up table to make sure all your databases do the same conversions consistently.
• Consider multiple cloud vendors. Processing different subsets of the data in different places might provide additional data privacy in case some information is compromised. There is still an issue with having to decrypt the data when it is processed and having private decryption keys in the possession of the cloud provider.
• Apply encryption and/or tokenization at a proxy server, potentially using a private network or a trusted third party. These vendors create trusted communication paths and data processing centers to help customers adhere to the data security and regulatory concerns of using cloud-hosted applications.
• Apply format-preserving data encryption. If data is going to be processed in the cloud, it usually has to be temporarily decrypted. During this brief period of decryption, the supplier may have the technical ability to access the data. By using format-preserving encryption, applications can continue to function even while data is in cipher text.
• Limit the information sent to the cloud for processing. If the patient's name is not needed, don't send it; if the zip code suffices, don't send the whole address.
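The masking and data-minimization bullets above can be combined in a small on-premise tokenization vault: the 9-digit SSN is replaced by a random 15-digit token, a look-up table keeps the mapping so every database converts the same SSN to the same token, and only the minimized record leaves the private data center. This is an added example, not code from the paper; the class, field names and sample record are hypothetical.

```python
import re
import secrets

# Added example: a tokenization vault in the spirit of the masking bullet above.
# A 9-digit SSN is swapped for an obfuscated 15-digit number and a look-up table
# keeps the mapping, so every database converts the same SSN to the same token.
# The class and field names are hypothetical; the vault belongs on-premise.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class TokenVault:
    def __init__(self):
        self._ssn_to_token = {}   # the look-up table, kept in the private data center
        self._token_to_ssn = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("expected a 9-digit SSN")
        ssn = ssn.replace("-", "")
        if ssn in self._ssn_to_token:      # consistency: same SSN, same token
            return self._ssn_to_token[ssn]
        while True:
            # 15 random digits; a random token carries no information about the SSN
            token = "".join(str(secrets.randbelow(10)) for _ in range(15))
            if token not in self._token_to_ssn:   # retry on the rare collision
                break
        self._ssn_to_token[ssn] = token
        self._token_to_ssn[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_ssn[token]   # KeyError for a token we never issued


def minimize_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Build the record that actually leaves the private data center: the name
    is dropped, the address is reduced to its zip code, the SSN becomes a token."""
    return {
        "patient_token": vault.tokenize(record["ssn"]),
        "zip": record["address"]["zip"],
        "diagnosis_code": record["diagnosis_code"],
    }


# Constructed sample record for a fictional patient
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "address": {"street": "1 Main St", "city": "Anytown", "zip": "12345"},
    "diagnosis_code": "E11.9",
}
```

Because the vault and its look-up table never leave the private data center, a breach at the provider exposes only tokens and zip codes, which cannot be mapped back to a person without the vault.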
Where We Stand
The fast pace of cloud maturation
provides new solutions to old
challenges. There are clear benefits
to highly elastic, scalable, on-demand
computing power and an ecosystem
of providers eager to meet the needs
of large enterprises. For the most part,
there are no barriers to the placement
of non-regulated, non-personal data
onto a public cloud.
But that does not mean that
companies should throw caution to
the wind. Data privacy and security
implications are amplified when
putting regulated personal data onto
the cloud. In that case, we believe that
good security by itself does not satisfy
regulatory obligations. And vice versa:
Rock-solid compliance activities do
not ensure adequate security against a
growing threat landscape. Enterprises
have to determine which data and
applications make the most sense for
the public cloud and which require a
different solution, such as a hybrid
pass-through of data into the cloud for
number-crunching and then back to a
private data center for storage.
As with any technological solution,
companies need to understand the
risks associated with multi-tenancy in
the cloud, develop a risk management
framework for security and governing
data, and then architect solutions to
address the risks. Both enthusiasm
and speed are warranted, but a “buyer
beware” attitude is still essential.
Furthermore, companies should help
create cloud ecosystems in which they
would be comfortable placing their
data. To do that, companies need to
support and possibly join efforts to
create standards immediately.
Companies considering the cloud
should keep these final thoughts in
mind as they move forward:
• Study data privacy laws to ensure that none are violated. Think twice — at least in 2011 — before putting consumer data in the cloud.
• Bring the right people (privacy, IT, security, corporate governance, legal) to the table when cloud decisions are being made.
• Do not allow any ad hoc cloud computing. Require business units to follow standardized enterprise-wide rules.
• Read a cloud provider’s terms of service, and then read them again.
Accenture is also working with cloud
providers to help them understand
the regulatory environment affecting
their potential client base. These
efforts are bearing fruit, and more
cloud providers are now providing
the transparency and the controls
demanded by data owners.
For more information on how
Accenture is helping organizations
address the cloud security challenges,
please visit accenture.com/security
Contacts
Dr. Alastair MacWillson
Global Lead, Security Practice
+44 20-7844-6131
alastair.macwillson@accenture.com
Walid Negm, CISSP
Global Lead, Cloud Security Initiative
Accenture Technology Labs
+1 703-947-4614
walid.negm@accenture.com
Bojana Bellamy
Director of Data privacy
+44 20 7844 6879
bojana.bellamy@accenture.com
Benjamin Hayes, Esq., CIPP/G/C/IT
Data privacy Compliance Lead,
North America
+1 703-947-2292
benjamin.hayes@accenture.com
Copyright © 2011 Accenture
All rights reserved.
Accenture, its logo, and
High Performance Delivered
are trademarks of Accenture.
11-1327 / 02-2578
About Accenture
Accenture is a global management
consulting, technology services
and outsourcing company, with
more than 215,000 people serving
clients in more than 120 countries.
Combining unparalleled experience,
comprehensive capabilities across all
industries and business functions,
and extensive research on the world’s
most successful companies, Accenture
collaborates with clients to help
them become high-performance
businesses and governments. The
company generated net revenues
of US$21.6 billion for the fiscal
year ended Aug. 31, 2010. Its home
page is www.accenture.com.