Clouded Judgement – Risk Awareness in the Cloud

By Jamal Elmellas | 2 March 2016

Ask anyone today what the number one barrier to cloud adoption is and they will invariably tell you it’s still security. And yet it’s fair to say that most organisations not only use the Cloud in some form or fashion, but benefit from better security than they would otherwise have had at their disposal. The Cloud industry itself has worked hard over recent years to allay concerns, banding together to self-regulate with standards and roll out technical mechanisms, as well as addressing concerns over multi-tenant architectures through tenant isolation. So why does the stigma of security remain?

The main reason is not a technical one but a cultural one. The perception remains that Cloud is a form of outsourcing, but this fails to take into account the need for the organisation to perform its own due diligence and internal assessments. To gain the maximum benefit from cloud migration the enterprise needs to plan, deploy and manage the Cloud service, and that means scrutinising the commercial agreement to ensure it meets the needs of the business. What security standards does the CSP adhere to? How does it indemnify customers against risk? What culpability will it admit in the event of a major issue? What insurance is in place? How does it provide assurances over data sovereignty? What responsibility is there on the customer to maintain security? What provisions are there for forensic and evidence requirements?

When it comes to using the Cloud for digital transformation, the internal focus should be on the restructuring of systems and processes. An inventory of the organisation needs to be performed to identify the applications and data that need to be moved to the Cloud, changed or decommissioned, together with an understanding of the impact on existing business processes and any changes that may be introduced.

Invariably this will also involve an appraisal of risk. Risk will be determined by the type of service to be taken (SaaS, PaaS or IaaS), the type of architecture (public, private or hybrid Cloud) and the data itself and how it may be affected by possible scenarios.

The business needs to understand its own risk appetite when determining what data to house in the Cloud. Typically, this will be undertaken by the IT team, who use a standard framework to assess threats, vulnerabilities and the consequences of their realisation on the business. But risk management in the Cloud is not a tick-box exercise and should seek to assess numerous factors. Risk is heavily dependent upon the level of reliance on the CSP and, among other factors, on the service procured.

In “Best Practices for Mitigating Risks In Virtualised Environments” published by the Cloud Security Alliance (CSA), the message is clear: virtual environments can “introduce new and unique security risks or lead to more significant impacts for particular known risks”, requiring the organisation to “continually monitor and proactively mitigate evolving risks”. Risk assessment and management therefore needs to be a) continuous, b) regularly reviewed and c) reported to senior management to enable effective decision making.

In fact, risk is pivotal in deciding on the way data is stored and how security controls are applied. It’s risk that should determine security, but what’s often the case is that the organisation is led by the recommendations of the CSP, who now has an impressive array of security mechanisms to offer, from encryption to multi-factor authentication and disaster recovery mechanisms.

Take encryption. CSPs such as Google, Amazon and Microsoft have all added server-side encryption to their existing cloud services. Encryption of data in transit and at rest is recommended, particularly in public or hybrid cloud deployments, which present the enterprise with a set of APIs or interfaces to manage cloud services that can be susceptible to attack. In the CSA report previously cited, for instance, the authors outline a number of steps that can be taken to help improve security, including encryption. But encryption is only half the story: to be effective, it requires careful key management and derivation techniques. If your keys are inherently weak, transmitted insecurely or not rotated properly, the encryption used is flawed, providing a false sense of security.

Always ask where the keys are to be stored and what mechanisms are in place for the management of those keys, such as key retrieval, tokenising or reversing queries, and accessing data. For example, when it comes to incident management: what happens if a compromise is discovered, who gets notified, what happens to existing keys, and what governance requirements need to be met? Organisations also need to be wary of using cloud providers with proprietary encryption software and mechanisms – what happens when you decide to move to a new Cloud Provider? It’s also more difficult to protect your data when you are retro-fitting encryption to an already established cloud solution, so ensure encryption is intrinsic to the solution and that asymmetric keys are used.

What the cloud encryption issue reveals is that data security remains the responsibility of, and is best governed by, the organisation. The uniqueness of the environment means Cloud security requires a Cloud-specific risk management policy. Completing a risk matrix that assesses threats, vulnerabilities and consequences can help here, and periodic audits can ensure risks are regularly reassessed. The matrix can also be used to determine which Cloud security controls should be applied to appropriately reduce and mitigate risk, and it provides a valuable tool to communicate Cloud risks to senior management, helping dispel those often unwarranted fears over Cloud security.
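As an added illustration of the risk matrix the article recommends (this is example code written for this page, not a CSA or Auriga artefact), the following Python register scores each threat/vulnerability/consequence entry, applies the chosen controls to obtain a residual rating, tracks the periodic review the CSA guidance calls for, and produces the list a senior-management report would lead with. The scales, review period, appetite and sample entries are all constructed assumptions.

```python
"""Cloud risk matrix: threats x vulnerabilities x consequences, residual risk
after controls, and periodic-review tracking. Scales and entries constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}    # assumed ordinal scale
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}  # assumed ordinal scale
REVIEW_PERIOD = timedelta(days=90)                 # assumed audit cadence
AS_OF = date(2016, 3, 2)                           # constructed reporting date

@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    likelihood: str            # key of LIKELIHOOD
    consequence: str           # key of IMPACT
    owner: str                 # "customer" or "CSP" under shared responsibility
    controls: list = field(default_factory=list)  # (control, likelihood steps removed)
    last_reviewed: date = date(2016, 1, 1)

def inherent_score(e: RiskEntry) -> int:
    return LIKELIHOOD[e.likelihood] * IMPACT[e.consequence]

def residual_score(e: RiskEntry) -> int:
    # Controls lower likelihood, never below the lowest band; impact is unchanged
    lik = LIKELIHOOD[e.likelihood]
    for _, steps in e.controls:
        lik = max(1, lik - steps)
    return lik * IMPACT[e.consequence]

def rating(score: int) -> str:
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def review_overdue(e: RiskEntry, today: date) -> bool:
    return today - e.last_reviewed > REVIEW_PERIOD

def management_report(entries, today: date, appetite: str = "medium"):
    """Entries whose residual rating exceeds appetite or whose review is overdue."""
    order = ["low", "medium", "high"]
    findings = []
    for e in entries:
        res, overdue = rating(residual_score(e)), review_overdue(e, today)
        if order.index(res) > order.index(appetite) or overdue:
            findings.append((e.threat, e.owner, rating(inherent_score(e)), res, overdue))
    return findings

SAMPLE = [  # constructed register entries
    RiskEntry("key compromise", "CSP-held keys, no rotation", "medium", "severe", "customer",
              [("customer-managed keys, 90-day rotation", 1)], date(2016, 2, 1)),
    RiskEntry("management API abuse", "single-factor console login", "high", "severe",
              "customer", [("multi-factor authentication", 1)], date(2015, 10, 1)),
    RiskEntry("tenant isolation failure", "shared hypervisor", "low", "severe", "CSP",
              [], date(2016, 2, 15)),
]
```

Running `management_report(SAMPLE, AS_OF)` surfaces only the API-abuse entry: its residual rating is still high after MFA and its last review is more than 90 days old, which is exactly the kind of item the matrix should escalate.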

By Jamal Elmellas, Technical Director, Auriga.
