Cloud computing has taken the IT world by storm, fundamentally changing the way organizations approach IT. The cloud has brought promise of financial and business benefits including reduction in IT capital and operational expenditures. Yet, as with any new technology, cloud computing has been associated with a number of security risks.
While the cloud continues to evolve and address these security & compliance requirements, organizations are left to wonder if cloud computing is a boon for IT value optimization or bane for enterprise risk management. What should be considered, however, is that amidst the backdrop of the current security risks, there are also a number of security and risk management benefits that the cloud can offer.
Opportunities are the Face of Risks
Many of the security risks associated with cloud computing are not unique to the cloud due to the nature of the underlying infrastructure. The cloud can be exposed to risks from poorly defined and implemented policies and procedures, flaws in infrastructure security, physical & environmental security, disaster recovery, personnel security and IT operational security. The cloud can bring new dimensions to some of these existing threats while also introducing new risks.
Some of the inherent risks are related to data theft, leakage or destruction due to co-location of data, spread of malicious activities and malware infections to multiple customer environments. However, there is also the risk of choosing a low-grade service due to cost limitations. Since cloud is a utility model, cloud consumers may have the tendency to sacrifice security features and offerings in order to reduce the costs further, putting themselves in jeopardy.
Another major challenge commonly found is security awareness among the staff of a cloud provider that has its presence in multiple countries. In these instances, users may find that a provider's culture, perception of risks and needs for security and privacy vary with local regulations, or the lack there of. The cloud needs to have 24x7 operations to service customers across the globe, and must offer the optimal value to its customers by dynamically pooling and allocating resources, depending upon peak usage & traffic patterns and time of day. The cloud is meant to be in motion constantly and so is your data.
In a typical outsourcing situation, it is easier to locate data within networks of a selected vendor and restrict access to the data. Verifying vendors' compliance with the contractual requirements and local regulations regarding data protection, etc., are relatively less challenging when compared to a cloud environment where it is hard to restrict the movement of one's data.
Cloud's Security Benefits
Keeping data on-premises was once considered the safest way to go. Now, however, moving data outside has turned out to be an opportunity for substantial bottom-line growth, and enhanced business agility for new products & services, and time to market. In addition, the cloud can offer the opportunity to offload operational security administration such as patching, log reviews, user administration, device administration, back-ups and so on. The cloud can also bring about reduction in the number of human resources required for operations, security, audit and compliance functions. In essence, the cloud is very attractive for those that are accountable for IT value optimization and maximization.
An understanding about potential security benefits to be offered by the cloud can help alleviate some of the fears associated with security professionals, auditors, compliance officers and certainly with C-level executives in those organizations where IT governance and risk management has been recognized and practiced at the senior management level.
1. The cloud due to its economies of scale, can bring in the best skilled human resources, potentially increasing the quality of service that it is expected to provide.
2. The cloud can offer the best security safeguards in access controls, data level security, etc. Two-factor authentication, data transmission security using SSL/TLS, encrypted storage of data, etc., can become de facto standards.
3. In an era where applications are increasingly becoming the target for attacks and security breaches, the cloud has the potential to offer secure applications as part of its service. For example, a SaaS vendor is more likely to get its web applications tested at the very least, against the Open Web Application Security Project (OWASP) Top Ten Vulnerabilities on a regular basis because they can afford it more easily. It becomes a value proposition, a differentiator against competing vendors and customers are more aware of security risks and demand protection.
4. The cloud can offer certain default disaster recovery capability, while physical and environmental safeguards are a given.
5. Stronger security controls tend to become easily affordable, especially for smaller businesses. The cloud, due to external pressures will be forced to choose the best security vendors and products, and thus potential for packaging best of breed' solutions along with their services is very high.
6. The security safeguards can be more effective due to periodic scrutiny by multiple customers, as well as independent and in-house auditors.
7. With the increasing adoption of the cloud, private networks converge into the data centers of cloud providers, making it harder for intruders to find and penetrate into vulnerable networks and systems.
8. The cloud tends to provide continuous monitoring of its networks, systems and user activities. This 24x7 operation can be very significant in fortifying preventive as well as detective measures for security violations.
9. The cloud may have the potential to isolate and prevent any malicious activity originating from external sources and malware infections within a single virtual environment. Thus, the cloud can effectively prevent intrusions from spreading to other erstwhile private networks that are part of the cloud now.
10. When it comes to complying with regulations such as SOX, PCI-DSS, etc., companies tend to get overwhelmed, and sometimes overreach, resulting in a significant waste of resources. Even the scoping of operations and infrastructure for compliance can be a daunting task for many companies. Clouds can help compliance become more standardized for a given regulation and also make it more effective and efficient.
When it comes to risk management, information security, and business continuity programs, it is often said that there is no one-size-fits-all approach or solution. However, the cloud has the potential to make the one-size-fits-all solution a reality. Think about PCI compliance, where a significant number of merchants opt for a single vendor offering cloud-based transaction processing, settlement, and reporting. What would happen to the scope of the PCI compliance requirements of these merchants?
PCI-DSS is one of the very few global standards that addresses not only "what needs to be done" but also "how it has to be done", down to more granular details whether it is related to applications or passwords or visitors. While the merchants are still responsible for compliance and any breaches for any transaction or data captured and processed on their behalf, a portion of the scope is moved to the service provider. This brings in standardization in the delivery of services offered to the merchants, and also the back-end data stores, wherein card holders' data from multiple merchants are stored in encrypted/tokenized forms.
Refining Security and Compliance Through Data Classification
When you move a part of your business to the cloud, the boundaries of your IT infrastructure are only redrawn as you still retain ownership of your data and its security. A well-defined and implemented data classification policy, which determines security requirements throughout the lifecycle, can not only help reduce risks significantly, but costs too, making effective retention and disposal measures essential for your data in the cloud.
Data in the cloud is a moving target and hence can make every program dependent on data, a moving target. A dynamic risk management program demands focus on the controls specific to the risks as they evolve. This in turn, relies on a well-defined data classification policy, which is fundamental to many compliance programs. The cloud therefore offers the potential of making investments in risk management perform better.
Arvind 'Benny' Benegal is general manager of MindTree's Security Services practice. Benny has 19 years of experience in the system and information security space in both products and services, in roles including business development and product management for IBM Internet Security Systems (ISS), information security officer at Sun Trust Banks, and senior security consultant at HP. Thiru Annadorai is principal consultant within MindTree's Security Services practice, focusing on Risk & Compliance. His expertise includes management of risks to information and related processes, technology and operations.