Standardizing the Cloud for Security
Cloud computing is becoming the paradigm shift it always promised to be, even for larger organizations who scoffed at the cloud’s lack of enterprise support and thought it was for SMBs only. The promised all-around savings in almost all aspects of IT’s hard and soft costs are driving more and more businesses to adopt the cloud, as it allows them to shift large chunks of budgetary Excel spreadsheet from Capex to Opex.
Over the last few years, the cloud has brewed up a storm in the IT Infrastructure world. The basic idea behind the cloud is to deliver centralized IT services, usually from a third party, to help free up almost all operational and administrative burdens in the local IT department of your business. The cloud is routinely defined as having a handful of essential characteristics; on-demand self-service, broad network access, resource pooling, rapid elasticity and scalability.
You’ll also find the cloud is generally delivered in three service models; Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Each of those service models can be deployed as a Private Cloud, Community Cloud, Public Cloud or Hybrid Cloud. We’ve done quite well standardizing the definitions of cloud, but less so in applying standards to help customers and users of the cloud evaluate the security and suitability of any particular cloud or cloud vendor. This article will examine information security standards in the cloud and why we’re finding it hard to agree on a way forward.
The underlying technology behind the cloud is not that different from the systems traditionally within your network; cloud services generally offer platforms that replace onsite services like email, file handling, information management, and so on. For those to work, normal protocol standards are used. Protocol standards are the prescriptive standards that drive the interoperability of the Internet; SMTP, HTTP, SSL, TCP/IP etc. All of these standards are very well defined in the Request For Comments (RFC) system. The cloud simply uses them like any other platform in its normal communication and every day operation, so there is really nothing new here. We shouldn’t worry about how the cloud utilizes these standards, as being RFC compliant is an essential part of Internet participation.
Providers of cloud services and platforms also subscribe to an evaluative standards model as a way to differentiate themselves and ensure they are providing best practice and recognizable standardized behaviour to their customers. Evaluative standards are used to certify providers’ infrastructure, services and importantly their processes; the most common and well known form of evaluative standards are the ISO family, and the most applicable for this discussion is ISO 27001:2005, or to give it its full name ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems – Requirements. These standards are the most obvious areas we can improve on for the purposes of securing the cloud, and to some extent work has already begun.
General security and specifically security of stored data are often cited as the biggest barrier to entry for IT Managers looking to adopt the cloud in their business. There will always be the “flat-earthers” who resist the cloud outright and will object to almost all rational arguments, but to those who see the technological and functional benefits, security is usually the final hurdle they have to cross. A lack of formal cloud security standards could make it trickier for some to use the cloud, but the worry also extends to cloud interoperability and data portability too; when combined, these three areas often present enough of a barrier to adoption to put organizations off.
However, the cloud has become increasingly popular and the benefits of adopting it are obvious, so the lack of common standards is not putting many organizations off. Why is this? Due diligence, of course. When organizations are wary of moving to the cloud, allowing them to conduct their own intensive due diligence has proven to be a helpful way to break down the barriers to adoption. Naturally, when it comes to due diligence, transparency is not only essential, but is fundamental to cloud security standards and this discussion. As a vendor of cloud services, Mimecast has always encouraged a high level of due diligence by our prospective customers. We do this for many reasons, not least of which are because we are proud of our infrastructure, security and processes, but also because we want to help customers understand the work that goes into providing a reputable and reliable cloud platform. The very nature of the cloud and the nervousness of new users mean that cloud vendors are often subjected to far greater levels of scrutiny than any other sort of IT provider.
So what can be done to help those looking for assurance that their cloud provider is safe and secure? Evaluative security standards like ISO 27000 series are an obvious starting point and one should always look for this certification as a bare minimum. A note of caution on certification though – simply having the certification is often not enough. One should carefully examine the scope of that certification. Often, ISO 27001 certification is granted for a system or process outside that of the cloud platform on offer. For example, a vendor may have only certified their HR and recruitment processes, rather than their cloud service platform.
Evaluative standards like the ISO 27000 series will take some time to be fully adapted for the cloud. In the meantime, they still provide an excellent measure of an organization’s dedication to information security, and should always be sought as a benchmark standard.
Transparency is also crucial. Most cloud providers will probably become more transparent when you agree to sign their exhaustive non-disclosure agreement, but some will make due diligence an easy process by being transparent from the start. Often we use the phrase “reputable cloud vendors” when talking about providers who are keen to help you understand how your data is secured. Positive moves in this direction are supported by third party organizations like the Cloud Security Alliance (CSA), which promotes cloud security and the use of best practices for providing security assurance within cloud computing. The CSA has a strong educational ethos and drives awareness of cloud security through its education and certification program.
The CSA maintains a registry of cloud providers’ security controls called the CSA Security, Trust, and Assurance Registry (STAR). CSA STAR is a publicly accessible registry of cloud vendors’ security controls, designed to help users assess the security of a vendor they might be considering. By its very nature, CSA STAR drives openness and transparency in the security controls and processes used by cloud vendors; this at least is a good start to helping customers understand and trust a vendor’s security, and when combined with other existing evaluative standards, makes for a great set of tools to help one build confidence in the cloud.
Unfortunately, not all cloud vendors are keen to publish their controls or even divulge much about their infrastructure and operations other than through their clinically controlled marketing process. This is a shame and suggests most vendors are not yet ready to adopt a leadership position for the good of the cloud industry. Instead, they want to keep their closely guarded secrets, or their security protocols will not stand up well to public scrutiny.
Large scale adoption of evaluative security standards for the cloud will help quell the majority of the nervousness that exists about cloud security, but as I have mentioned before, conducting thorough due diligence, both technically and contractually will help to remove perceived barriers to entry as well. Vendors who are willing to be transparent add to the trust base that is slowly being built up in the cloud. These are all vendors who are sponsoring and willing to comply with the adoption of wide scale standards too, mostly because it’s quite painful and expensive allowing so many prospective customers to carry out their own standards audit rather than point them towards an international body.
The last two, smaller hurdles related to cloud data security are more aligned with the usability of the data and how businesses move that data. Interoperability between cloud platforms, and data portability are often associated with the security model; administrators think of ways to back out of cloud agreements should the worst happen. Sometimes they simply choose to shop elsewhere and need to migrate data anyway. Cloud lock-in remains, for me anyway, the last remaining great fallacy when it comes to the cloud. I would argue that on-premise vendors lock their users and customers into a solution to a much greater extent than cloud vendors. That aside, we should also see from transparency and standardization comes a much higher degree of interoperability and data portability, mostly because more cloud providers will have to make their APIs and storage formats open and available to a growing number of users who demand access and automation. The usefulness of data in a cloud archive, for example, is improved exponentially when access to that data is cheap and ubiquitous; the days of locking data away in a “vault” never to be seen again are over, as that data can never offer value back to the business once it has been locked away.
Although there is no quick fix to a security standard for the cloud, working to extend what we have already got will help make customers and users of cloud solutions feel much happier that their data is safe and will lower the barriers to entry. We are likely to see significant development of standards like the ISO 27000 series over the coming years and that will reassure cloud users and customers. It may even persuade the laggards now is a good time to examine the cloud, just as the next big technology creeps over the horizon.
About the Author
Orlando Scott-Cowley.A product marketing manager for Mimecast, Orlando leverages his expertise in Internet and messaging security and compliance to help Mimecast innovate email management in the cloud. He joined the company when it was in its infancy in 2006 as a Technical Evangelist and has aided its growth into the North American market. A technologies graduate, Orlando has a solid IT Security background and 14 years of high-level technical consultancy experience working with Fortune 100 companies, governments, vendors, and resellers. He writes and speaks for influential publications and events in North America on a variety of topics from compliance, unified email management, archiving and security to continuity; in particular the emergence of cloud and SaaS technologies.
Juergen Hoeller,Stéphane Nicoll Dec 18, 2014
Helen Walton Dec 17, 2014