While much scrutiny has taken place in the realm of cloud security practices over the last several years, much of the attention has been focused on the largest cloud security providers (CSPs), like Amazon, Rackspace, Verizon’s Terremark and Google. Most of these large providers have well-documented and publicized security practices. However, many organizations are doing business with smaller CSPs in one vertical, such as Software as a Service (SaaS) services for medical billing or marketing firms. The scant security information some of these vertical-specific CSPs make available on their websites, though, makes it difficult for a potential customer to glean any insight into their security controls. Cloud transparency is critical for an organization to make an educated buying decision, but an examination of some vertical cloud provider sites illustrates how elusive cloud transparency is.
Vertical cloud provider sites lacking security details
One example of a vertical-specific CSP is Peake Healthcare Innovations. An affiliate of Harris Corporation and Johns Hopkins Medicine, Peake provides a number of cloud-based services for the medical industry, including medical image sharing and disaster recovery, medical archiving for patient data collaboration, virtual desktops for clinical monitoring and analysis, and medical research applications and data. With all of this medical data, you would assume the Peake Healthcare website would have lots of useful information about HIPAA compliance and security measures in place, right? Unfortunately, this is not the case.
The Peake product portfolio uses the brand name “PeakeSecure,” which implies a security-focused set of offerings. None of the information available on the website lists security controls in place, however. One brochure describes the company’s relationship with Harris Corporation, stating that it offers vulnerability detection, configuration monitoring and risk assessment and mitigation. However, Harris Corporation announced earlier this year it plans to discontinue its cloud hosting business. What does this mean for potential medical consumers? Essentially, there’s no simple way to assert that vertical-specific CSPs like Peake are HIPAA compliant, offer adequate security controls that meet best practices, or really maintain the cloud infrastructure at all.
A CSP serving the financial community is InvestCloud, which targets investment banks, brokerage firms and investor services. InvestCloud makes some interesting claims regarding its security. First, according to the company’s website, data is “safe, secure, and available only to registered users in your organization” since the company uses Secure Sockets Layer (SSL). InvestCloud also touts its secure environment that uses a “firewall and other advanced technology.” Finally, it makes the claim that “[c]loud computing today is accepted to be more secure than traditional enterprise computing…”, citing internal governance and resources restrictions that won’t allow enterprise organizations to adequately create and enforce security policies. Many in the security community would argue this is not true, and would be left wondering exactly what kinds of security technology InvestCloud has in place based on its somewhat vague description.
The same cloud transparency problems exist for more general-purpose CSPs that are smaller or regionally focused. One example of a regional CSP that provides hosted private cloud services targeted at small- and medium-sized businesses is NearCloud. According to its website, it can host PCI DSS applications, pays close attention to physical security, and is SAS 70 Type II “compliant.” This sounds great, except there’s no such thing as being “compliant” with SAS 70 Type II; furthermore, SAS 70 is no longer used, and there’s no additional information for would-be customers who are concerned about security.
Peake Healthcare Innovations, InvestCloud and NearCloud were all contacted for feedback and input regarding their security controls, and none responded.
Vertical cloud provider completes SSAE reports
The news is not all bad, however. Options IT, a CSP that offers its PIPE Private Financial Cloud services platform to the banking, trading and investment communities, announced in April 2012 it had successfully completed the new SSAE 16 SOC2 and SOC3 reports for security and compliance controls attestation (.pdf). The CSP displays the SOC3 seal on its site, and interested consumers can actually read its SOC3 report (.pdf). Among the controls outlined and described in the report are:
- Windows Active Directory with Kerberos authentication and Group Policies in place;
- Written permission requirements to add, modify, or delete customer file shares on the Options PIPE SAN;
- Redundant and highly available architecture designs for network and application distribution and performance;
- The use of Check Point firewalls for network traffic inspection and control;
- The use of Cisco Network Access Control Lists;
- Trend Micro antivirus agents on all workstations and servers;
- Brightmail, Ironport and Sophos email antimalware and antispam protection for mail gateways, and Trend Micro mail protection for internal Exchange servers;
- Security policies;
- A risk assessment process; and
- Device and event monitoring.
In the future, hopefully more vertical cloud providers will provide this level of detail, but for now, there’s a wide variance in the level of detail potential customers can get before talking to company representatives and possibly signing non-disclosure agreements (NDAs). If you’re having trouble getting the security controls information you need from a potential cloud service provider, either through SSAE 16 reports, customer references or other methods, it’s probably best to keep looking.
About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.