Matias Katz's Blog: Shall we talk a bit about security?

20Mar/12

CXO Community – V Identity Management in the Digital Era Conference

5th Conference on Identity Management in the Digital Era

On Wednesday, March 21, CXO Community is holding its fifth Identity Management in the Digital Age conference.

The event will be held at Universidad del CEMA, located in Reconquista 775 (Buenos Aires City).

The event aims to inform and update managers and specialists, giving them a deep understanding of the current impact on organizations of identity management, means of identification, and the protection of confidential and personal information.

Mkit Argentina has been invited to attend the event and give a talk.

We will be demonstrating the risks of using social networks, using Facebook as the only attack vector. We will take advantage of Facebook's native functions for social engineering attacks: creating fake notes and fake profiles and sending false messages. The ultimate goal is to build a full profile of the victim by accessing their private data without any prior contact and, in the worst case, to take control of their computer.

Link to the complete schedule

See you there!

Source: Mkit Argentina's blog

11Nov/10

Ticket Drawing: VI Public Security Technologies Conference – CXO Community

Sorry, this post is about a conference given in Buenos Aires, Argentina.

21Sep/10

Ticket Drawing: 1st Cloud Computing Conference – CXO Community

Sorry, this post is about a conference given in Buenos Aires, Argentina.

4Aug/10

Ticket drawing: 1st Communication and Mobile Solutions Security Conference

Sorry, this post is about a conference given in Buenos Aires, Argentina.

30Mar/10

Security in Cloud Computing

The following is an article I wrote, about security in Cloud Computing, that was published in the latest printed magazine of the CXO community.

CXO is a Latin American information security community that gathers professionals of many nationalities to share their knowledge, experiences and corporate visions about this beautiful profession.

To subscribe to the magazine, follow this link: http://www.cxo-community.com/revista-impresa/3000.html?task=view

Now, the article:

Security in the Cloud:

What lies behind the big corporate image of our Cloud Computing provider? What guarantees do we have as a customer that our information will be protected and that our security regulations will still apply? In an operational model that gains ground every day, there are unresolved fears and doubts that could endanger your company in terms of image, finances and legal exposure.

Cloud Computing is a very broad term that promises to solve the performance and availability issues any company may have, in the most economical way possible. However, implementing that model requires several important considerations regarding information security:

  1. Confidentiality: Many risks regarding confidentiality may emerge when trusting our information to a third party. When hiring their service, certain questions appear that should be clarified before signing a contract:
    1. What kind of physical and technical protection does the provider have for the infrastructure hosting the service?
    2. What level of visibility towards the customer's information does the provider have?
    3. Can the customer know (or even choose) which provider employees may have access to his information?
    4. Can the customer choose which authentication methods will be required to access his information from the Internet?
    5. How does the provider handle Identity Management?
    6. What will happen with the customer's information after the contract ends?
    7. In which way would the customer be able to access his information if there is a dispute with the provider, or an abrupt contract termination? Could the provider hold the information from the customer?
    8. What will happen to the customer's information if the providing company dissolves?
    9. What level of abstraction exists between the resources, either virtual or physical, assigned by the provider to each customer?
    10. Can the customer use his own information encrypting methods in a layer higher than the one delivered by the provider?

Correctly mitigating the risks regarding confidentiality will give your company invaluable peace of mind about the level of protection of your information in the cloud.

  2. Availability: Availability is a key player in Cloud Computing, and represents one of the main requirements when hiring that service. However, the provision of an effective level of availability depends on different factors, many of which are not taken into consideration:
    1. What physical infrastructure (hardware, backups, links and redundant electric connections) does the provider offer to guarantee the availability he promises?
    2. What level of resilience does the provider have in his DataCenter?
    3. How does the provider handle Incident Response?
    4. What guides and policies regarding upgrade and maintenance of hardware and software, logs revision and internal BCP and DRP strategies does the provider hold?
    5. What methods does the provider offer for the exporting and/or importing of information and resources from/to other providers?

In some cases, the risk of the provider failing to deliver the promised level of availability stops with the customer himself. In other cases, the customer has committed to his own customers to deliver a service quality directly bound to what was signed with the Cloud Computing provider, so a service failure can damage the customer's reputation and even bring legal implications, which leads us to the third point of discussion.

  3. Liability: Liability is the most important factor in the game of outsourcing key services for your company. The lack of a thorough analysis may result in serious legal consequences. The necessary baselines must be established to stay protected against any responsibility arising from a breach of any law or regulation:
    1. Who is the owner, and the legally liable party, for the information stored in the provider's servers?
    2. In case an attack has been made against the customer’s resources hosted in the provider’s servers, who is in charge of conducting the corresponding legal actions?
    3. How is the procedure if the attack was made against another company that shares the provider’s physical resources with the customer?
    4. If the forensics analyst requests a confiscation of the server holding information of the customer, to collect evidence related to an investigation on another company that shares resources of that server, does the analyst have the right to revise the customer’s information?
    5. What legal procedure applies if the service is being provided from a country different from the one in which the customer resides?
    6. With which policies, baselines and security compliance regulations does the provider comply? How does he maintain and reinforce them?
    7. Which quality certifications does the provider hold, on a company-level and for each employee that interacts with customer’s information?
    8. Does the provider receive internal and/or external audits on a regular basis?
    9. Can the customer conduct an audit of the provider, to be able to demonstrate Due Diligence and Due Care?
    10. Can the provider adjust its structure and policies to comply with the regulations required for the customer (for instance BCRA 4609 or SOX)?

The risks involved in Cloud Computing are not exclusive to that situation. In fact, many of these questions also apply to in-house solutions.

However, when you delegate resources to third parties you lose the thorough control you could have by administering those resources internally.
