Cloud Security Concerns, Best Practices

By Barbara DePompa

‘Caveat emptor’ was the key advice from industry observers and early adopters of cloud computing at the recent Cloud Computing Summit in Washington D.C. And if a recent survey is accurate, 70 percent of government technology decision-makers are indeed concerned about data security, privacy and integrity in the cloud.

The Cyber Security Alliance partners released the results of a collaborative cloud computing and cyber security survey in late April. Results reflect input from 198 respondents from all military branches and a variety of federal government agencies. The alliance commissioned an online survey to measure awareness and attitudes about cloud computing and cyber security. Established in 2009, the Cyber Security Alliance’s mission is to address key cyber security concerns. Led by Lockheed Martin, alliance members include: APC by Schneider Electric, CA, Cisco, Dell, EMC Corporation and its RSA Security Division, HP, Intel, Juniper Networks, McAfee, Microsoft, NetApp, Symantec and VMware.

The best way to address cloud security, according to NIST officials, is to pay close attention to the following elements when working with cloud services providers:

* Work with the provider to determine its attention to security. Compare the vendor’s security precautions to current levels of security to ensure the provider is achieving parity, or better security levels.
* Assessing risk is paramount. Require cloud computing partners to provide risk assessments and information on how to mitigate uncovered security issues.
* If the provider doesn’t have a seasoned client-facing CSO, CISO, or equivalent security professional, proceed with caution. This is a sign the vendor doesn’t take security seriously.
* Understand that cloud security should be equal to that required by the most risky client the provider supports.
* A cloud provider should be able to map policy and procedures to any security mandate or security-driven contractual obligation an agency faces.
* Pay attention to the provider’s adherence to secure coding practices. If the vendor doesn’t provide a strong story about the discipline used to write code, run away.
(Source: NIST)

Meanwhile, the Cloud Security Alliance also published a list of best-practice advice for securing SaaS and PaaS environments, including:

1. At minimum, authenticate users with a username and password, along with stronger authentication options depending on the risk level of the services being offered.
2. Enterprise administration capabilities are required, especially the administration of privileged users for all supported authentication methods.
3. Self-service password reset functions must first validate the user’s identity before resetting a password.
4. Agencies must define and enforce strong password policies.
5. Consider federated authentication, which is a means of delegating authentication to the organization that uses the SaaS application.
6. User-centric authentication (such as OpenID) can allow users to sign in using existing credentials that need not be stored by the consuming site.

Questions to Raise…
Separately from the Cloud Security Alliance, a list of security-related questions for federal agencies to keep in mind when negotiating a cloud-computing contract includes:

* What access control model is used and how well does it meet agency requirements?
* Are the authoritative sources of access control policy and user profile information chosen by the cloud provider, the individual user, or a third party such as the organization a user belongs to?
* Where do user accounts reside? How are they provisioned and deprovisioned? And how is the integrity of information protected?
* What authentication mechanisms are supported? And are they appropriate for the sensitivity of information in the service?
* What single sign-on model(s), if any, are supported? And who can select the external authentication services allowed for users? (This influences the integrity of data used for access control.)
* Does the supplier support the retrieval of access control policies and user profile information from external sources? If so, what formats and transmission mechanisms are accepted?
* What support is provided for delegated administration by policy administration services?
* What log information is provided, and can it be accessed so it can be imported into internal operational analysis and reporting tools?
* Can a user specify external entities with which to share information? If so, how is that accomplished?

For more information, read the white paper at: www.cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf

Contracting Pitfalls
Finally, and equally worrisome, according to recent research conducted by Yankee Group analyst Camille Mendler, is a troublesome lack of customer service on standard cloud computing contracts. “Cloud vendors offer poor service guarantees and limited financial redress if their service fails,” she said. “Get-out clauses are rife, and robust privacy policies are rare, potentially exposing organizations to litigation.”

Mendler’s analysis is based on an investigation of 41 software, infrastructure and platform-as-a-service (SaaS, IaaS and PaaS) providers that collectively market 46 different services. Included in the research were standard service terms, service-level agreements (SLAs) and privacy practices. Yankee Group found only half of service providers offer SLAs, and none offer financial compensation when they fail to perform against the SLA. Timelines to fix problems are often not listed and customers can expect limited reparation other than service credits or the ability to terminate the contract, according to the Yankee Group report.

Mendler said as cloud service outages (such as the one suffered by the Treasury Department) regularly hit the headlines, focus must be sharpened, “on the minutiae of cloud service commitments.”