The late comedian George Carlin had a famous routine about "stuff," and how many of us have so much important stuff that we need to rent rooms in storage facilities to protect the stuff. Storage facilities offer security protections that an average home might not have: strong alarm systems, climate-controlled environments, and advanced fire suppression. For your customers, moving data and services "stuff," including personally identifiable information (PII) and protected health information (PHI), to a cloud computing model is a bit like putting our important things in a high-end storage facility.
Cloud computing issues and risks
Cloud computing brings considerable business benefit. Costs can be reduced when ongoing administrative tasks and management of software and hardware are transferred off-site. To augment the cost savings and attract customers, VARs can offer cloud computing security services by providing additional security protection, customization overlays and risk mitigation to the cloud offering. For example, VARs can offer to transfer some of the customer risk, in the form of insurance coverage and remuneration for loss, should customer data go missing or services go offline due to cloud provider error.
Although risk and accountability sometimes get confused when talking about security, they are different, and it's important to understand why. Risk is the exposure to loss, and accountability is the liability for the loss. Although some risk can be transferred, most accountability cannot. This is why accountability for protecting data and services is harder to transfer, and from a liability and legal perspective, may not even be advisable for most VARs or cloud providers. Legal regulations and control standards prevent your customers from transferring accountability for their own private and sensitive data. These regulations include mandates like the Massachusetts and Nevada encryption laws, disclosure legislation (California's SB 1386) and amendments to HIPAA in the American Recovery and Reinvestment Act of 2009, the recent federal stimulus.
Data protection responsibilities (both risk and accountability) begin when an entity receives data from an employee, customer, partner or other approved source. Once your customer has the data, accountability for stewardship of that data is theirs regardless of whom they pass the data to in the cloud. For the most part, that accountability is non-transferable regardless of which cloud providers and VARs customers use to manage and store that data. The persistence of data accountability applies to VARs as well. If you are reselling archival facilities in the cloud and your provider loses the information, you are accountable for notifying your customers of the loss and helping them respond to the breach. VARs can differentiate their offerings from the competition with add-on packages that help customers respond in the event of a compliance breach, data loss or other exposure. Example add-on packages that VARs could offer to compliance-focused customers include long-term archival services, customized reports for specific compliance mandates, data masking and least privilege access control.
Improving cloud computing security
Another cloud computing security service to offer that will appeal to compliance-oriented customers is robust auditing and monitoring. The cloud providers' data centers could be scattered throughout the globe and for end-user companies, sending audit teams to each site could be cost-prohibitive. Even if they could afford to send auditors on-site, the providers themselves may not allow physical audits of their centers by end-users. VARs can negotiate with cloud providers to perform on-site audits, review processes and procedures, and confirm certification status. VARs can also negotiate with providers to offer remote monitoring services for their customers.
Customization of the monitoring dashboards and reports for each customer may be too expensive for the large cloud provider, but is a great opportunity for the VAR. Most customers will be interested in key performance indicators (KPI) and metrics that address specific compliance mandates and general availability. For example, a merchant might be interested in reports that detail access to credit card information, so providing a merchant package with prefabricated reports will appeal to buyers in that vertical. Going back to the storage facility analogy, what assurance do customers have that the climate-control is active 24x7? Providing customers with proof that the cloud provider services were running as expected is another way to add value to the baseline offerings.
Though moving physical "stuff" is fairly costly, moving data is cheap. Many cloud providers are offered incentives to keep data in geographic locations where energy, space and human resources are cheaper. Laws pertaining to data protection vary by country. If U.S. data is housed in the EU, it could be subjected to EU data protection and privacy laws. Anyone who's been part of a team trying to track where a data breach occurred on the network knows it can be a complicated process. Pinpointing the exact point of a data breach in a complex cloud environment can be orders of magnitude more difficult, especially if the provider will not allow forensic analysts full access to their data centers. VARs can offer an add-on service that guarantees data will only be kept in certain locations, or will be governed according to a standard policy regardless of location. Post-breach forensic analysis services can be negotiated in advance with the provider and offered to end-user customers as an additional service or as part of a high-security bundle.
Legal considerations for cloud computing
The distributed nature of cloud computing and infrastructure creates other possible legal considerations. Specifically, who is responsible if a data leak or service breach occurs outside of the client or cloud network? Technical responsibility for the exposure may lie with a provider sitting between customer endpoints and cloud provider endpoints, but legal responsibility for losing your customers' data will still, in many cases, be yours. It's for that reason that some data and services may not even belong in the cloud. If the cost of recovering from or responding to data loss, tampering, or other misuse is significantly higher than it is in an on-premise model, then moving to the cloud may be cost- or risk-prohibitive.
Consider a healthcare entity with a regularly updated client database that stores volumes of highly sensitive PHI. Loss of this data could have significant legal ramifications in regard to HIPAA (and the recent stimulus bill amendments) and disclosure (FRCP and SB 1386, et al). If the standard of due care security controls that are in effect in a closed, on-premise architecture can't be met or exceeded in the cloud, then for compliance and legal reasons, this data may not be the best fit for the cloud. VARs who also offer on-premises management solutions can work with customers to determine which data and services may not be "cloud-ready."
Large cloud providers may not have the skills or framework in place to provide granular security customization of the environment in a cost-effective manner. Security, like any other aspect of cloud services, is engineered. While certain levels of security are good for business, the baseline cloud provider security policy will be geared toward the common security interest of the majority of users rather than to individual corporate needs. Again, there is a significant opportunity for VARs to provide the granularity and customization for their customers. Keep in mind, however, that additional levels of security may cost more for the provider to offer and require VARs to add to the overall cost to their own customers for the cloud service.
By working proactively and collaborating with cloud providers, VARs can ensure customer data and services are properly protected. It's also necessary for VARs to work with customers to help set the right level of security and audit controls for data and services. Does the customer want the same level of protection for the information in the cloud? Is the customer looking to increase the protections? Specifically, discuss these issues and negotiate any required changes before you sign an agreement, and up-sell additional security or customization where appropriate. Also, ensure the following points are clearly spelled out in the service level agreements (SLA):
- Geography – what locales are approved and what policies govern these locales?
- Availability – what uptime is required?
- Recoverability – how quickly can archived data be retrieved (online, if already archived offline)?
- Change management – do changes require approval?
- Data control levels – are additional controls required for data classified as sensitive?
- Cost – what requirements will cost extra (e.g., mutual authentication or stronger access control for sensitive data)?
- Certifications – what's required (ISO 27001, SAS Type II, NERC, HIPAA, PCI, etc.)?
- Insurance – how much financial protection for data loss or breach? What is the limitation for damages?
- Right to audit – will you perform on-site or remote audits of cloud providers?
- Reporting – type and frequency?
It's tempting for end users to want to transfer risk related to data and services to a provider, but accountability doesn't transfer. Sitting between customers and cloud providers, VARs can add value or get caught in a messy tangle of accountability and liability confusion. Get clarification on which compliance controls and audit reports your customers want upfront. Monitor reports from the cloud provider on a regular basis and communicate any breaches or outages to your customers immediately. Initial planning will greatly improve compliance controls for your customer's information and deliver meaningful value over and above standard cloud offerings.
About the authors:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
Char Sample is a research scientist at BBN Technologies specializing in network security and integration issues.
This was first published in June 2009