Below are answers from Dr. Chenxi Wang, principal analyst, security and risk management, Forrester Research, Inc., to questions from a discussion on cloud computing and its impact on IT security featuring Qualys Chairman and CEO Philippe Courtot and Cisco Chief Security Officer (CSO) John Stewart.
Click here to listen to the recorded webinar.
Q: Federal agencies have a need to control cloud-based identities. The problem in the security space is it is not easy to establish a robust Information Assurance Trust Model in the public cloud space. Any ideas?
A: You are right – there isn’t a robust trust model today with respect to identity in the cloud, especially when it comes to federation. However, it’s not clear what a cloud-based identity is. Most people, when they talk about identity in the cloud, mean extending enterprise identity, roles, and entitlement policies into the cloud. The enterprise retains full control of the identities and entitlements; the cloud is simply a user of the identity and the associated policies. If that is the case, then the assurance trust model with respect to identity in the cloud simply consists of ensuring the cloud service interprets and enforces the identity policies of the enterprise. This can be accomplished through monitoring and auditing.
Q: Reason: Today, there is no standard way for an Identity Provider to express what level of ID assurance it provides. Also, there is no standard way for a Relying Party, a Federal Agency, for example, to specify what it wants in terms of identity assurance.
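The arrangement described in the answer above (the enterprise issues and controls identity and entitlements, the cloud service only consumes and enforces them, and the enterprise audits that enforcement) can be shown end to end in code. The following is an added example, not code from the webinar or from any of the vendors mentioned: the token format is a simplified stand-in for a SAML or OIDC assertion, the shared HMAC key is a placeholder for the key pair a real federation would use, and the role-to-action policy and the scenario data are constructed for illustration.

```python
"""Added example (not from the webinar): an enterprise IdP issues a signed
assertion carrying roles; the cloud service verifies it, enforces the
enterprise's entitlement policy and records every decision; the enterprise
then audits those records against its own copy of the policy."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a key shared between the enterprise IdP and the cloud relying
# party. SAML/OIDC would use an asymmetric signing key instead.
IDP_KEY = b"placeholder-idp-key"
AUDIENCE = "cloud-app.example"

# Enterprise-owned entitlement policy (constructed): role -> permitted actions.
ENTERPRISE_POLICY = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, roles, ttl=300, now=None):
    """Enterprise IdP: sign {sub, roles, aud, exp} with HMAC-SHA256."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "aud": AUDIENCE, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_assertion(token, now=None):
    """Cloud relying party: check signature, audience and expiry.
    Returns the claims, or None for anything malformed, forged or stale."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad split, bad base64 (binascii.Error) or bad JSON
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def cloud_authorize(token, action, policy, audit_log, now=None):
    """Cloud-side decision using the entitlement policy the enterprise supplied.
    Every decision is appended to audit_log so the enterprise can review it."""
    claims = verify_assertion(token, now)
    if claims is None:
        audit_log.append({"sub": None, "roles": [], "action": action, "granted": False})
        return False
    granted = any(action in policy.get(role, set()) for role in claims["roles"])
    audit_log.append({"sub": claims["sub"], "roles": claims["roles"],
                      "action": action, "granted": granted})
    return granted


def audit_enforcement(audit_log, enterprise_policy):
    """Enterprise side: replay the cloud's decisions against the enterprise's
    own policy and return every record where the cloud deviated from it."""
    deviations = []
    for rec in audit_log:
        should = any(rec["action"] in enterprise_policy.get(r, set()) for r in rec["roles"])
        if rec["granted"] != should:
            deviations.append(rec)
    return deviations


def demo():
    """Constructed scenario: one cloud service enforcing the policy correctly
    and one whose copy of the policy drifted (analysts were given 'write')."""
    now = 1_700_000_000
    tok = issue_assertion("alice", ["analyst"], now=now)
    good_log, drifted_log = [], []
    drifted_policy = {"analyst": {"read", "write"}, "admin": ENTERPRISE_POLICY["admin"]}
    for action in ("read", "write"):
        cloud_authorize(tok, action, ENTERPRISE_POLICY, good_log, now=now)
        cloud_authorize(tok, action, drifted_policy, drifted_log, now=now)
    forged = tok[:-4] + "AAAA"                             # tampered signature
    stale = issue_assertion("bob", ["admin"], ttl=-1, now=now)  # already expired
    return {
        "good_deviations": audit_enforcement(good_log, ENTERPRISE_POLICY),
        "drift_deviations": audit_enforcement(drifted_log, ENTERPRISE_POLICY),
        "forged_accepted": verify_assertion(forged, now=now) is not None,
        "stale_accepted": verify_assertion(stale, now=now) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit step is the part that matters for the trust model: the enterprise never relies on the provider's word that the policy is enforced, it compares the provider's recorded decisions with its own policy and the drifted service shows up as a deviation on the `write` action.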
Q: Is SAS 70 Type 2 enough to ensure a cloud provider has a sound security program?
A: No, SAS 70 Type II is not enough to ensure that the vendor has a sound security program. SAS 70 Type II is an audit that is subject to a discretionary scope: the vendor can decide to leave out many parts of their operations/infrastructure. As such, SAS 70 provides a baseline, but usually is not sufficient proof of security and privacy.
Q: What organization do you feel will establish the IT Controls that the industry will follow (NIST, ISO, other)? Or will there be multiple control sets; and if so, who will these be?
A: NIST has a cloud security task force, and they have come out with a set of cloud security best practices. NIST would have more influence in the government space. ISO has a set of security controls for its various frameworks and certifications, which have more international implication. NIST may in fact adopt some of the ISO standards, but it’s not clear the ISO standards will be universally adopted. At this point, it’s likely multiple standards will emerge, and they likely will be geographically based: e.g., one standard for the US, one EU standard, etc.
Q: IRS asked EC2 to perform a C&A; the IRS was refused. How can IRS/US establish an acceptable level of confidence?
A: In this case, the IRS should look elsewhere. Perhaps other vendors may be open to an audit. If the vendor is not forthcoming in terms of helping the client establish an acceptable level of confidence, the best course of action is to avoid that vendor.
Q: How would you address the issue of cloud computing adding a 'new unknown'? One specific question would be, how do I know that a host can positively ensure that sharing a computer (even a disk) with unknown others will not compromise my data?
A: Just because data are hosted on the same physical server in a virtualized environment, it doesn’t mean they are more susceptible to compromise than if they are hosted in a dedicated environment. You need to make sure that there is proper access control and authentication underpinning access to shared media, such as memory, backup storage, logs, etc. But there is nothing inherently insecure about using a virtualized environment, with the exception of certain attacks that leverage knowledge of shared resource consumption in the virtualization environment (see my blog post on MIT’s attack on Amazon’s EC2).
Q: If under legal discovery can data stored in cloud not directly involved in legal case be bypassed from discovery efforts?
A: This is a legal question, which we are not qualified to answer. But in general, data involved in a legal case that is discoverable will remain discoverable regardless of whether it is stored on premise or in the cloud.
Q: Is it best, at this time of cloud evolution, to keep industry-regulated or federally regulated data out of the cloud?
A: If you were to store regulated data in a cloud, especially a public cloud, make sure you understand whether the cloud environment can keep you compliant with the regulations. Most cloud providers do not make customized provisions for customers; so if they provide regulatory-compliant service for one user, they’d offer it for other users. If you cannot find a provider that will help you meet regulation requirements, it’s best to stay away from the cloud.
Q: Why is the number of platform as a service providers so small?
A: Platform as a service usually is very specialized, which contributes to the smaller number of players.
Q: If there is a security breach on the data stored in the cloud, would U.S. regulation hold the cloud provider or the cloud user accountable?
Q: Who is responsible if there is a data breach that includes PII or PHI?
Answer to the above two questions: Ultimately, it is the owner of the data who is responsible. The fact that you place this data in a cloud environment does not alleviate your responsibility for data protection or breach response. Unfortunately, this responsibility today does not translate very easily to service providers, except for some limited cases. A recent addition to HIPAA actually has specific requirements for service providers who may handle PHI.
Q: For Cloud Storage, we see vendors offering on-site appliances to manage the connection and encrypt the data before it transits to the cloud. How do we attain an acceptable degree of encryption for cloud application hosting like email? While we are assured that they will not misuse the data, it only takes one disgruntled employee to invalidate that promise — how do we make sure they cannot take that option?
A: The risk of a disgruntled employee exists whether you use the cloud or not. The scenario in which a cloud provider’s employee violates data protection has to be dealt with in the SLA or master service agreement: this is a breach of contract. And any breach of contract should be dealt with using either service credits or early exit clauses. Hosted email providers would offer encryption capabilities, at an additional cost. But most will not let you choose a particular encryption mechanism or strength.
Q: Is there such a thing as "reasonable/acceptable" security profile that a PaaS provider offers? Or, are security, governance and compliance sufficiently industry and business specific that there is no such thing as a "reasonably" or "acceptably" secure PaaS?
A: Unfortunately, there isn’t such a thing as a "reasonable/acceptable" security profile for PaaS providers. This is not because security, governance, and compliance are too industry specific. Rather, it is because it is still too early for the whole cloud computing industry to come to a consensus on what a "reasonable/acceptable" security profile is. I am currently conducting a set of interviews with industry-leading cloud providers to understand what they do in terms of security and privacy. I will soon have a set of common practices to report, from which perhaps we can derive a "reasonable" security profile.
Q: Please comment on the premise/proposition that "cloud service providers have focus and resources for security that are greater than what most businesses/enterprises provide, since it is not their core competency."
A: This is not a universally true statement, but I can attest that for certain cloud providers, it is indeed true. These providers are not only conscientious about security, but have intentionally acquired a team of very capable individuals to run their security operations. These security team experts breathe security day in and day out; that is their job, so they are about as capable as a security team can get in this industry. You’d be hard-pressed to amass a team of people with the same expertise.
Q: Are cloud computing organizations typically contracted to provide disaster recovery services in addition to the primary cloud computing service?
A: DR is usually considered part of the service, reflected in the availability clause. There usually isn’t a separate stipulation about disaster recovery in the contract.
Q: Since this is so new, is anyone working on qualifying cloud computing companies via ISO, SAS 70, or some other common method?
A: I am not sure there is an industry-wide effort. But many cloud providers are certified via ISO or SAS 70. For instance, Salesforce is ISO 27001 certified. Amazon EC2 has completed its SAS 70 Type II audit.
Q: How transparent are the service providers with regard to the security controls they have? For example, Philippe mentioned that he can guarantee that data will reside in a geographical location if requested. How do they ensure that?
A: Overall, the cloud providers today are not very open with regard to their security issues. But in terms of which data center they use to host your data, that can usually be accommodated. Some providers can provide you evidence of chain of custody, and through logs show you where data is housed, etc.
Q: What are some common security concerns with Cloud Computing? Is the communication channel to the cloud the bigger security concern or the host where the application resides?
A: Data protection (for both data in transit and data at rest), identity management (authentication and access control), compliance, data privacy, and auditing are among the most common security concerns.
Q: Do you think we’ll see the day where hosting of virtualized systems in the cloud will be distributed across thousands of computers to harness their unused processing cycles, much like the famous SETI program does for crunching astrological data?
A: Unlikely; today’s cloud computing is more about virtualization and data centers, rather than harnessing small CPU cycles from thousands of computers. The latter is more about grid computing.
Q: If one of your cloud providers has a security breach, one which they cannot fix in a timely way, how difficult would it be to switch to another?
A: End-of-service support is an important issue to work out at the beginning of the contract. You have to make sure that you stipulate the conditions under which a contract can end, and what kind of support the service provider will give at the end of the contract. If you want to move data to a new provider, you need to make sure that the old provider will package up the data in a format that is transferable and within a time frame you want.
Q: To audit a security provider, what checklist should I have with me?
A: Please refer to my blog, the cloud security category.