Securely outsourcing to the cloud
August 15, 2012
Grazed from ITWeb. Author: Editorial Staff.
The first question that a CIO should ask his cloud provider is, “Where is my data located?”
The implication of releasing control of sensitive organisational data assets to third parties, such as cloud providers, remains a significant inhibitor to businesses transitioning to cloud-based services. Businesses need to be assured that the risk of data compromise and regulatory non-compliance either stays the same or is reduced when outsourcing.
There are multiple steps businesses should follow as data is transitioned outside of the organisation and during its ongoing management:…
1. Understand what you have. The first step is performing an inventory of data in relation to what’s being outsourced. If business applications are being outsourced to a managed hosting provider, understand the type of data that’s stored and communicated in relation to those applications.
In addition, understand the sensitivity of information in relation to corporate and regulatory policies. Automated classification technologies are a good place to start to perform this inventory of sensitive information. Understanding if personally identifiable information (PII), intellectual property (IP) or payment card industry (PCI) data elements will be moved over to a third party is important.
2. Determine what’s acceptable to transition. The next step is determining what can be moved. The business needs to make a risk-based decision on what may acceptably be managed by a third-party. Regardless of controls, some information may just be too sensitive to outsource. It’s important to understand that upfront before moving down the outsourcing path.
3. Require visibility. Once you understand what it is acceptable to outsource, you must determine how you can be assured data will be stored in a certain location. Regulatory requirements for storing and securing certain data elements vary on a global and regional basis. If you are required by law to store specific data types in a certain region, you need to be assured that will be the case over the life of the contract.
However, negotiating contractual terms upfront that data will be stored in a certain region does not offer complete assurance. Businesses are starting to require real-time visibility into the location of sensitive information they have outsourced. And vendors are responding by delivering real-time visibility into data location as a service differentiator.
The ability to understand where your information is located within your outsourcing provider’s systems will allow you to continue to make informed risk- based data decisions even when data is outside of your control. It will also make compliance efforts significantly easier when it’s time for your annual audit.
Question number two should be: “Who has access to my servers and data?”
After working out how the provider will provide visibility into the location of sensitive data, the next step is determining how it will manage access to the systems where this sensitive information will reside. To achieve this understanding, it’s critical to understand how the provider uses identities, and what its security model is.
A hosting company should be able to demonstrate that it both understands and implements the basic principles of security based on identity management:
Least privilege: All identities, and particularly administrators, should only have the minimum access rights needed to do their job.
Segregation of duties: The concept of segregation of duties requires that more than one person is necessary to complete a task. For example, one person cannot initiate and approve a transaction.
A cloud provider should be able to describe its administrative roles and how they are managed. For example, security management of critical systems and applications (such as databases) should be kept separate from system management. No single administrator should be responsible for both the daily operations and the security of a system or application.
Ideally, a cloud provider’s administrators who require significant access to one client’s most sensitive data should be dedicated to that client, and not have access to data from competitors.
Organisations should also gather information from their hosting company/cloud provider about the individuals who will have access to their systems and data.
Background checks need to be performed. In addition, the country in which an employee is located needs to be considered, as local laws might restrict how the cloud provider may monitor his or her actions.
In the third and final part of this series, I will take an in-depth look at the remaining three questions you should be asking your cloud provider.