Microsoft: Cloud Computing – Privacy, Confidentiality and The Cloud
Written by Vic (J.R) Winkler
Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)
These days, you’re frequently processing, storing, or transmitting data that’s subject to regulatory and compliance requirements. When that data falls under regulatory or compliance restrictions, your choice of cloud deployment (whether private, hybrid or public) hinges on an understanding that the provider is fully compliant. Otherwise, there’s the risk of violating privacy, regulatory or other legal requirements. The implications for maintaining the security of information are significant when it comes to privacy.
There have been enough privacy violations outside the realm of cloud computing for there to be concern about any system—cloud-based or traditional—when storing, processing or transmitting sensitive information. The cloud has its own examples as well. In 2010, several cloud privacy information exposures occurred with a number of cloud-based services, including Facebook, Twitter and Google.
Privacy concerns within the cloud model aren’t new. As a tenant with legal privacy obligations, your handling of privacy issues is no different if you use the cloud. Just as you wouldn’t store such information on a server without adequate controls, you wouldn’t select any cloud provider without verifying it meets the same benchmarks for how it protects data at rest, in transmission or while processing.
Your policies may exclude any external provider managing sensitive information for you, including cloud providers. While there may be a perception that the computer on your desk is safer than a public cloud, it’s probably not (unless you’re taking unusual technical and procedural precautions). Safety and governance are two separate issues, and as part of due diligence, you’ll need to fully understand your provider’s privacy governance, as well as its security practices and guidelines.
As with personal information subject to privacy laws, various classes of business and national security information are also subject to regulation and law. National security information and processes benefit from strong and highly developed laws, regulations and guidance. These derive from public law and flow down through each individual agency or officially responsible entity.
Given the size of the government and the number of levels and jurisdictions, it seems the government itself could operate a series of community clouds for its exclusive use, thereby obtaining the benefits and avoiding the issues with cohabitation in a public cloud. On the other hand, if the government were to use a public cloud, that service would have to fully meet the interests of the tenant and all applicable regulations and laws.
It’s possible that a tenant could implement additional security controls that meet regulatory or legal requirements even when the underlying public Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) does not fully meet those same requirements. However, it must be understood that the range of additional controls that can be added by a tenant are limited and can’t overcome many gaps in some public cloud services.
Data ownership and locale concerns
In addition to privacy and confidentiality concerns, ownership of information assets brings up additional questions. There’s potential for erosion of information asset ownership when moving resources to any external system. There’s a fundamental difference between data ownership and having responsibility as a data custodian.
Although legal data ownership remains with the originating data owner, one potential area for concern with a public cloud is that the cloud provider may become responsible for both roles. There’s no better example of this than when a law enforcement entity serves a warrant to a cloud provider for access to a tenant’s information assets.
Where data resides and what jurisdictions it may traverse are related concerns. Storing and moving data online presents the opportunity for surreptitiously examining someone else’s secrets. In response to this, the European Union (EU) Data Protection Directive stipulated in which countries EU private and personal data may or may not traverse or reside. This has profound implications for all EU member states.
From the standpoint of cloud computing, the impact of this directive will likely shape how public cloud providers implement their services. This is a perfectly reasonable model for limiting the jurisdictional footprint of data to minimize the potential mischief to which that data is subject in traversal, processing or storage. All cloud service tenants and users should be concerned by the potential that a public cloud may push data or applications out of the jurisdiction in which the tenant resides or has legal obligations.
Auditing and forensics
Auditing is an overloaded term in security, but here I mean evaluating security policy, procedures, practices, and the technical controls for correctness and completeness. This is necessary to assess whether controls and procedures are adequate to meet all operational aspects of security, including compliance, protection, detection and forensics.
For cloud services, such audits have great value for tenants and customers as they convey a sense of trust about the cloud provider’s diligence in assuring security. As the owner of information assets, a tenant must perform informed due diligence on the provider. Because due diligence by customers generally doesn’t scale for the provider’s business model, the provider must be transparent about its security policy, governance and procedures. As a result, tenants are in a better position to make informed decisions.
There are several issues around the responsibilities and limits that affect tenants and providers with regard to collecting legally admissible evidence for prosecution. Understanding who did what and how is hard enough with an evidence chain where responsibility for collecting data is shared between the provider and tenant.
One party may be the lawful owner of the data, while the other is the custodian. Given the nature of how some services are accessed, it may be difficult to authoritatively represent or even understand the trail of actions leading to and following a compromise or penetration. To begin with, having a tenant obtain access to a provider’s records may compromise the privacy of other tenants.
Second, events in the two sets of logs may not track if system clocks aren’t identical. It may be difficult to prove that a tenant’s forensics data gathered and stored in a public cloud hasn’t been altered. This situation represents a set of excellent opportunities for cloud providers to distinguish themselves by offering advanced services.
Some of the oldest programs are sometimes found to have vulnerabilities that have remained undiscovered for years. You should always expect that what you thought was safe may be found to have been vulnerable before you were even aware of that vulnerability. In addition, some of the technologies—and certainly many of the software components—that cloud computing is comprised of are still quite new and have yet to engender a high degree of trust from experienced security professionals.
Some components are built on top of what can only be described as layers upon layers of software and protocol scaffolding. Is the sum of these parts secure? The answer is probably no. Complexity and interaction between components are two realms from which vulnerabilities spring forth.
So is it safe?
The cloud is still new, so the push for effective controls over the protection of information in the cloud is also nascent. Currently there are fewer security solutions for the cloud than there are for securing physical devices in a traditional infrastructure. While the cost of instantiating virtual security appliances is lower in the cloud, the technology is newer.
Much of the present action in adopting the public cloud is in the realm of early adopters. It’s difficult to ascertain if any data or processing is being done in violation of legal requirements or compliance. The United States government has launched an effort called the Federal Risk and Authorization Management Program (FedRAMP), which is oriented toward enabling the entire process of assuring cloud instances are appropriate for individual agency applications.
Two organizations that are actively pursuing the improvement of data protection and security controls in the cloud are the Cloud Security Alliance and the Cloud Computing Interoperability Forum. Another group, the Jericho Forum, has approached the problem from a different perspective, namely that de-perimeterization has already taken place due to a variety of services that penetrate the perimeter of infrastructure largely by tunneling through firewalls to provide access to critical services.
One problem with most certifications is that they’re focused more on facility and process than they are on the new de-perimeterized, service-oriented world. A second issue is that many systems in use have virtualized servers running on them. If these servers have conflicting security requirements, there’s already a problem in practice.
Most of the security issues with cloud computing are neither unique to the cloud-computing model nor very difficult to address. The cloud model itself represents a golden opportunity to achieve better security. However, it must be recognized that there are differences. You can’t be cavalier about security with the cloud model.