TORONTO – For the United States Mint, its effort to gain insight into the systems and processes that secure its SaaS ecommerce system proved to be a worthwhile investment of time and resources. According to its chief information security officer, however, it faced a tough battle dealing with the resistance from its cloud provider.
Speaking to attendees at the 2012 SecTor security conference, U.S. Mint CISO Chris Carpenter said he insisted on understanding how his organization's SaaS application was being secured, from system architecture to firewalls and how the provider conducts security internally and externally.
However, he was shocked when his inquiry to the provider was met with the response, "No one has ever asked us that before."
Carpenter quizzed the firm during the cloud contract negotiation on how it vets its employees, its security controls, its corporate policies, how often it conducts penetration testing, and its incident response plan. Seeking to improve his provider's cloud computing security transparency, he requested to visit the security operations center and pressed the firm to provide an example of how it had responded to an incident.
"There was tap dancing and delays" from the provider, Carpenter said. "Be prepared for resistance and unpreparedness, because they aren't always prepared for these kinds of questions and requests."
Case in point: Carpenter said his request for continuous monitoring and access to firewall, Web server and database logs specific to the Mint's SaaS application was met with resistance. The cloud provider, recognizing his insistence, eventually created a portal to the information and built the requirement into the contract.
"Cloud providers don't really give you specific logs for your stuff, but your data is there, so you've got to ask for it," Carpenter said. "Down the road, we want it to be a steady stream into our IDSes."
In seeking cloud transparency, it doesn't hurt to ask
IT security pros have been seeking increased transparency from cloud providers, but industry analysts say they often don't have the bargaining power to demand it. Carpenter acknowledges that the cloud provider was eager to sign a contract with the U.S. Mint. The Mint had more than $700 million in sales in 2011, Carpenter said, and would have been its first government client. The U.S. Mint manufactures all of the coins circulating as legal government tender in the United States.
Carpenter, a former pen tester at Fairfax, Va.-based ManTech, joined the U.S. Mint in 2011 and said he was immediately thrust into contract negotiations with the cloud provider, which he declined to name. The Mint's ecommerce system was aging, and plans had already been in place to overhaul or replace it. Managed hosting, he added, was seen as a way to reduce costs and transfer risk, though he admitted a better scenario would have been to be involved in the project before the vendor was selected.
Carpenter urged attendees to ask for their cloud providers' report on compliance (RoC), system security plans and testing results before signing a contract.
Carpenter urged CISOs to conduct aggressive pen testing. A cloud provider may say it runs Nessus scans, he said, but organizations should do their own intensive testing. Carpenter negotiated external and internal pen testing into his agreement with the provider.
"If you can demonstrate that you have a credible testing program," Carpenter said, "they'll let you in."
Carpenter said the way in which the cloud provider conducted incident response was also initially unclear. The firm reported no incidents, which Carpenter said was clearly an omission.
"As for specific incidents and results," Carpenter said, "you want to see an incident and how they handled it."
SLAs must have incentives for the cloud provider
The U.S. Mint negotiating team clarified incident response notification times in its service level agreement (SLA), but more importantly, according to Carpenter, the team inserted language into the SLA stating that the more features the cloud provider offers, the more money it will make.
"You've got to understand the true impact, or lack of impact of SLAs," Carpenter said. "You have to have an incentive or hold a carrot out so they work hard for you."
The SLA had an escape plan in place in the event that the relationship soured. The Mint got a data escrow vendor to hold its data, which Carpenter said also required extensive research. The Mint's goal was to keep any credit card data out of its data center, eliminating the need to manage the PCI DSS compliance program.
Although more than a year has passed since contract negotiations began, the system is not yet live, Carpenter said. Fortunately, he added, security is not a factor; the implementation has been paused while the cloud provider meets technical requirements on the functional side.