S.R. Chaput and K. Ringwood

administer the systems and those who monitor the logs should probably exist. Regardless of the specifics, logging and monitoring will likely be required, presumably in some sort of Security Information and Event Monitoring (SIEM) solution format. This of course immediately raises new questions: is the SIEM part of the cloud provider’s standard offering? Should it be? How costly would it be, and how reliable? Would it make more sense to manage the SIEM internally rather than trust it to the cloud? Again, these are questions an organization should be concerned with prior to even looking at engaging the cloud.

14.2.3.3  Encrypting Data in Motion

Given the nature of the services the cloud offers, as well as the requirements most companies have in order to operate successfully and optimally, a large volume of data will travel between the client and the cloud. How does an organization protect the data in motion? Encryption quickly comes to mind as an immediate solution, especially when it comes to web applications and other Software-as-a-Service offerings, where protocols such as Secure Sockets Layer (SSL) may adequately address the issue. When looking at Platform- and Infrastructure-as-a-Service, however, the transit becomes a little more complicated. Should there be a dedicated site-to-site Virtual Private Network (VPN) between the organization and the cloud provider? It is likely that the organization would at a minimum want some sort of encryption for the authentication traffic and presumably for any administrative activities, but the nature of the data, and the legislation governing its usage and storage, would otherwise dictate what needs to be protected and how.

14.2.3.4  Encrypting Data at Rest

Given the specific compliance requirements and the mechanisms that need to be in place to protect various types of information, encrypting data stored in the cloud will also most likely be a requirement. Once the cloud provider has been made aware of it, certain assurances would need to be given with respect to the use of encryption or similar controls that would allow clients to maintain their compliance. One should not, however, underestimate the potential costs of such a solution, nor forget that substantial administrative activities such as key management and key changes would be needed.

14.2.4  Risk Assessments

14  Cloud Compliance: A Framework for Using Cloud Computing in a Regulated World

Sufficient research and various assessments should be conducted prior to considering use of clouds. In this context, the various frameworks needed to establish the overall impact of the risk of outsourcing to the cloud, as well as the related costs of compliance, would need to be taken into account. During the process of conducting these analyses and assessments, an organization should be able to determine whether utilizing cloud resources is a viable and cost-justified option, while at the same time ensuring that all of the essential regulatory and legislative requirements have been considered. A sample of a few key assessments follows.

14.2.4.1  Threat and Risk Assessments

Without going into detail describing a Threat and Risk Assessment (TRA), an organization must ensure that a TRA of its existing infrastructure is conducted prior to considering switching to the cloud. By employing a TRA, an organization will at a minimum be able to identify shortcomings of the existing deployment and build a remediation strategy appropriate to those shortcomings, taking into account the likelihood of using the cloud and the changes that would be entailed.

There are different options that would allow an organization to exercise due diligence when looking at cloud computing as its new direction. Requesting that the cloud provider supply the results of its own TRA would be one alternative. The client could also conduct its own independent TRA of the cloud. If the data and systems in question are of particular importance and sensitivity, performing a scheduled TRA, or at least one on a regular basis, may be an extremely beneficial tool that would enable the company to ensure compliance with existing laws, and to more actively and aggressively monitor the quality of service a provider is giving it. An example of something that is already in place externally would be PCI DSS 1.2, which mandates that a Risk Assessment be conducted at least annually for payment card processing environments.

Frameworks for TRAs tend to be based on Risk Management best practices and are fairly easy to come by. Some of the most common best practices are: AS/NZS 4360:2004 Risk Management;14 BS 7799-3:2006 Guidelines for Information Security Risk Management;15 and ISO/IEC 27005:2008 Security Techniques – Information Security Risk Management.16 Adopting any one of these frameworks would ensure easy understanding of the organization’s obligations; suggesting that the cloud provider use one of these approaches further aligns the cloud with the overall desired course, as well as providing a way to confirm that TRAs are being conducted and are based on the shared and pre-approved best-practice methodology.

14 http://www.standards.org.au/

15 http://www.bsigroup.com/

16 http://www.iso.ch/
