There have been significant improvements in basic security capabilities for cloud deployments over the past two...
years -- a good thing, given that 45% of organizations now use infrastructure as a service (IaaS).
While tools are essential, effective cloud security demands a number of governance-focused elements as well, and many of these need further scrutiny and maturity. In this article, we'll examine the key areas of cloud security governance, detail where they need improvement and offer advice for enterprises in the interim.
Cloud security standards and frameworks
First among these are the accepted frameworks (and associated questions) for assessing cloud provider and project risk and standards for security best practices. There are a number of risk assessment options for cloud deployments, as well as security controls frameworks that may help organizations evaluate the types of controls cloud providers have in place. FedRAMP presents one interesting model, but there are others, which we'll get to shortly.
One of the biggest challenges facing organizations looking to move assets and data into the cloud is the lack of accepted security standards for cloud provider environments. This makes risk assessment difficult, as every organization will have subjective views on what constitutes an appropriate minimum standard for security controls, as well as a model for evaluating risk.
The federal government, with its FedRAMP standard, has solved this problem to some degree. FedRAMP provides a framework of controls that cloud providers must have in place before being approved for use in government agency cloud deployments. Independent auditing firms are required to evaluate provider controls against NIST federal standards for security (800-53 version 3), including the ability to provide continuous monitoring of controls. Once a cloud provider is authorized to operate, agencies can properly evaluate providers using its own business criteria, knowing that a minimum standard of security is in place.
The U.K. government has a similar initiative to FedRAMP, called G-Cloud. Cloud service providers request acceptance into the program; if accepted, they are listed as a G-Cloud supplier. There are excellent guidelines and frameworks for risk assessment publicly available for both U.S. and U.K. initiatives.
However, these programs are only focused on government cloud use, so their applicability and mechanics are somewhat limited for many organizations. Fundamentally though the concept and design of a program like FedRAMP is gaining traction. Organizations want the following:
- A set of security and organizational controls that cloud providers must implement and attest to in regular audits.
- A requirement (compliance or otherwise) that mandates sharing details of the cloud provider's controls infrastructure and status both prior to contracts (during a due-diligence phase with vendor and contract management) and on demand during the period of service implementation.
- An independent third-party organization that is responsible for auditing and assessing cloud providers and attesting to their security controls efficacy.
- A process for managing all of this and facilitating cloud service provider evaluation and selection.
There is no independent risk program for cloud that provides this for all types of organizations internationally. One effort that is currently underway is the Cloud Security Alliance's Open Certification Framework (OCF). This consists of the following programs:
- CSA STAR Certification: The STAR Certification relies on an independent third-party assessment of a cloud provider against the ISO 27001 standard, as well as the CSA Cloud Controls Matrix (CCM).
- CSA STAR Attestation: The STAR Attestation phase will provide a report via the audit-reporting standard for customer consumption known as the SSAE SOC 2 Report.
- CSA STAR Continuous: STAR Continuous is not yet implemented, but is planned for release in 2015. CSA says the Continuous service will provide a scanning and monitoring console that customers can use to remotely assess cloud providers' control statements using the CloudAudit XML-based tag format and the Cloud Trust Protocol (CTP) for data transmission and retention.
This model from CSA is similar conceptually to the FedRAMP program, but is maintained by CSA and implemented by a network of independent audit and security firms. Additional cloud risk frameworks and guides (albeit less-specific ones) are available from the Shared Assessments Program and the European Union Agency for Network and Information Security (ENISA). The ENISA guide, in particular, breaks down the various areas of risk categorically, aligning more effectively with ISO 27001 and CoBIT standards.
Surveying cloud provider security controls
The other major area of focus for enterprise teams concerned about cloud provider security is the controls used within any given risk framework. Most organizations using cloud computing will have already defined some controls they want met, for internal policy and compliance/regulatory requirements. This serves as a good starting point, since there will be "need to have" and "nice to have" controls, as well as potential compensating controls that have already been defined and established. Most organizations will also have specific requirements for disaster recovery and business continuity (for instance, recovery metrics and service level agreements), and these should be extrapolated to any cloud-control model implemented, along with physical security needs for hosting, colocation or wholly owned data centers.
Beyond these areas, however, many teams need help defining the additional controls that should be evaluated within different types of cloud service environments, and also need guidance on what best practices are for cloud provider controls implementations. The threat surface is much larger in cloud environments: The provider maintains most or all of the controls, and on a regular basis there are many attackers looking to compromise cloud provider environments.
The best source of data for building an initial matrix of cloud security controls, or adapting one that an organization may have in place, is the CSA Cloud Controls Matrix (CCM). The CCM (current version is 3.0.1) contains more than 100 various controls that apply directly to most cloud providers. These are broken down into categories such as security incident management, application security, physical security, and others (much like the ENISA risk assessment guide). To implement the CCM successfully, adapt the framework to your needs: Take your existing controls set, determine what you need to have in place and map this to the CCM. Also, break down controls severity and applicability by relating each assessment based on the CCM to data value or sensitivity. If your teams want to move sensitive data into a cloud service environment, more controls (and more strict ones) should be required.
Defining controls and risk frameworks to perform a reasonably thorough assessment of providers can be done. The industry is still lacking independent organizations that can emulate FedRAMP and related frameworks for government, but using CSA's CCM as a starting point, we can then adopt any number of risk assessment models ranging from ENISA to ISO 27001.
Over time, as industry pressure is applied to cloud providers, I believe they'll become more transparent about the controls they have in place and how well they're implemented. Either way, a sound risk assessment program for cloud services implementation is needed. To get started, you'll need to build an in-house program that incorporates existing and new standards and guidelines like the CCM, and then develop a process for gathering controls information about providers and assessing the risks both prior to signing the contract and afterward.
Here's your short list of steps to get started:
- Download the CCM, and modify it to meet your particular controls requirements (add controls you would like to see, remove and change others if needed). This can serve as a great template if you don't have an existing controls framework in place.
- Add a column in the spreadsheet for all data classification levels you have defined per your internal policy (including regulated data). With security, risk, compliance, IT operations and business unit input, determine which controls are required, nice to have or unnecessary for each data classification level (if this data is to be stored, processed or moved through the cloud environment). If any controls are "deal breakers" if not present, ensure that's clear.
- Incorporate this updated controls assessment framework into project planning, where all cloud projects need to undergo a risk assessment using the framework. This will help to determine what requirements will be needed when evaluating cloud providers' audit and attestation reports (SSAE 16 SOC 2, ISO 27001, CSA STAR and the rest).
This should help get you on your way to more secure cloud computing!
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
Can multifactor authentication make your cloud more secure?
Watch out for the 'shadow cloud' in the enterprise.