Some businesses and consumers are wary of accepting and adopting cloud computing. However, acceptance comes in part from understanding the risk, which is largely about understanding the threat landscape. Therefore, enterprises need to properly define the threats and classify information assets with a security threat-modeling process.
Before being able to conduct cloud threat modeling, enterprises must understand information security threats on a more intrinsic level.
Threats are non-malicious and malicious events; the latter harm information assets. Non-malicious events occur without malicious intent. Examples include natural disasters, faulty technology, human error, power surges, undesirable environmental factors (such as inadequate HVAC), economic factors, technology innovation exceeding staff expertise, innovation exceeding regulatory oversight and innovation exceeding protective measures.
Malicious events are those that occur out of malice. Examples include hacking, hacktivism, theft, abuse of rights, abuse of access and retrieval of discarded assets such as dumpster diving. Harm results from any of these events when information assets are breached, exposed or become unavailable. Shellshock is a good example of a vulnerability that could lead to widespread outages throughout a cloud infrastructure. In cloud infrastructures, many of the edge technologies -- such as firewalls, load balancers and routers -- are appliances running a Linux kernel. An attacker who successfully gains control of edge technologies may cause outages to the cloud services they support. When the goal is information gathering, accessing edge technology is a stepping stone to the internal systems storing personal or financial information. Similarly, a variety of the technologies used in cloud infrastructures also run Linux or Unix hosts, whether they are supporting data warehouses or an enterprise service bus.
Non-malicious events occur regularly and, in some cases, are unavoidable. Consider the recent incidents in which several service providers rebooted instances to apply Xen hypervisor patches. For the patches to take effect, the patched systems had to be rebooted. Those reboots introduced the possibility of unavailable cloud services.
Whether malicious or non-malicious, cloud providers must be prepared to avoid noticeable outages to their customers.
Classifying information assets
An organization should understand what information assets mean. An information asset is any asset that would result in business or personal loss if breached, exposed or rendered unavailable. Information assets can include data, technology and relationships. Because of its cost, technology is considered to be of greater value than data. However, without structured data, it is unlikely that the technology that stores and transmits it could be purchased and sustained. Data is a commodity to its owners. Examples of data are customer contact databases, personally identifiable information, credit card information, company financials, consumer financials, infrastructure drawings, confidential documents, system configuration information, healthcare information and strategic initiatives.
Data is more valuable when it can be traded or used to gain the trust of consumers to invest in a service or product. This is where technology enters the picture. Given the dynamic nature of the business market and the disruptive nature of technology, companies and consumers must be able to quickly yet accurately retrieve, transmit and store data both in the cloud and on-premises.
Businesses and their customers are often similarly affected when information assets become breached, exposed or unavailable. Many organizations, for example, have outsourced payroll or recruiting to the cloud. A disruption to payroll services in the cloud would cause a problem for employees expecting their paychecks. Businesses that experience a breach typically suffer from tarnished reputations. Individuals will also experience reputation damage when their information is accessed and used by someone else, resulting in a poor credit rating or personal financial loss.
The last information asset is the set of business relationships that enable greater competitive advantage. Most business relationships involve the exchange and/or sharing of information. Typically, both parties extend a level of trust between segments and hosts on their respective infrastructures. This level of trust is ideally achieved through contractual agreements that document attestation of not only healthy financial posture, but also healthy internal operations. At the core, assurance of best practices in security and risk management is expected.
Relationships become strained when a breach resulting from a partner's inability to meet contractual obligations affects the security of information assets. If one partner leaves the relationship, that asset is lost and must be regained elsewhere. The business model of many health care entities is built on affiliations (as defined by HIPAA). The covered entity will seek a business associate to provide a specialty, thereby improving its competitive edge or reducing operational costs. Business associates are expected to comply with the same security requirements as the covered entity. When a business associate experiences a breach exposing protected health information (PHI), the covered entity is also affected and patients expect it to manage all aspects of keeping that PHI private and secure.
Despite the security challenges posed by rapidly evolving cloud computing technology and business relationships, quantification of threats and assets is necessary to understand cloud computing risk. It provides a security model of the environment. The same information assets, and many of the same threats, exist in infrastructures not hosted in the cloud. The difference is usually the scale of data and the expansive landscape for attackers.
About the author:
Ravila Helen White is the director of IT architecture for a healthcare entity. She is a CISSP, CISM, CISA, CIPP and GCIH, and a native of the Pacific Northwest.