The attractiveness of adopting cloud services continues to grow. Who can argue against access to the latest technologies, a pay as you go model, rapid provisioning/de-provisioning and on demand scaling? All of these benefits lead to improved agility, faster time to market and a business focus on the business (not managing IT). Many of the risks of cloud computing have become less frightening as organisations have become more comfortable with data sovereignty and availability issues.
However, many businesses are struggling with risk transparency or put another way the degree to which an organisation can make a valid assessment of the risk posed by adopting a cloud service. This article outlines a process created through (in some cases trial and error, i.e. mistakes along the way) to approach an initiative to move your organisations confidential data to the cloud.
There are many risks present when moving data to the cloud, data security, network availability, cloud provider viability, business continuity and legal or regulatory compliance. I won’t go into these in too much detail, but will focus on how to make your risk more transparent, by considering all of the key points and a lot easier to identify.
Let’s start with the players in the process.
• The most important is the data owner. If data owners haven’t been identified for each of your organisations major data types, e.g. HR, finance, customer etc then now is a good time to start. The data owner will be a representative from the business; they won’t work in the IT department.
Preferably the data owner is a senior executive (C-level). However, in practice that individual delegates the day to day responsibility to another person and remain accountable for any decisions made. The data owner is usually an individual empowered to make business process decisions.
• The project team running the initiative to move data to the cloud, if a project does exist.
• Your organisations IT department, legal department, vendor management function and the cloud service provider (CSP).
The process in a nutshell:
1. Confirm the data
2. Engage the data owner
3. Understand the business process
4. Other considerations
5. Assess the risk
6. Evaluate the cloud service provider
7. Assess the risk
8. Negotiate the contract
9. Assess the risk
10. Ongoing monitoring and risk assessment
Identify the cloud service provider and determine exactly what data, down to the field level is required. This is a very important step, as this assessment will identify the data owners that will need to be engaged and it will ensure that there are no surprises in terms of the data that will be leaving your organisation.
Engage with the relevant data owners and understand the business process, what is the business trying to achieve through adopting the cloud service and why. Step through the process and make sure you understand the what, why, how, who, where and when of what is planned.
Complete a risk assessment by considering the business value of the process (how critical is it to the organisation) versus the importance of the information. Obviously a critical business process that handles confidential information is much higher risk than a non-critical process that handles public information. Ensure that the data owner understands these factors and accepts the inherent risk (risk present without any controls) of moving the data to the cloud. Ask questions like:
• Is the data going to the cloud business critical?
• Does the vendor have a continuity plan?
• Will I keep and maintain a copy of my own data?
• Do I have an in house continuity plan?
• What is the impact to the business if the data is unavailable?
• What is the impact to the business if the data is made public?
At this stage it is very important to consider:
• Integrations/web services – how will your data get to the cloud provider? Are updates in real time required? How will they access any required data in your systems? The need for integration or web services may introduce the need for new infrastructure and systems to allow data to move between your organisation and the cloud service provider.
• Support and maintenance processes – how will your organisations IT department interface with the cloud service provider? How will level 1, 2 and 3 support work in practice? Who is responsible for doing what?
• Development, test and production environments – will data in non-production environments be masked? How will this happen? Who is responsible for making sure it happens?
All of these additional considerations may add significant risk and cost to an initiative and must be explored early in the process. Does moving to the cloud still make sense? Does the proposed business process need to change based on our assessment? Does the data actually need to leave the organisation or can the business process design be amended?
Assessing the cloud service provider is as easy as asking questions. However, not all cloud service providers are created equal and the quality and quantity of the answers can be quite variable. What questions should you ask? Consider the following control frameworks (some free and some not):
• Cloud Security Alliance (CSA) and their Security Trust and Assurance Registry (STAR)
• Defence Signals Directorate (DSD)
• Common Assurance Maturity Model (CAMM)
• The Shared Assessment Program
• The European Network and Information Security Agency
• Microsoft Cloud Risk Decision Framework
All of these frameworks ask similar questions regarding the cloud service provider’s controls across:
• Security policies
• Risk management practices
• Change management
• Vulnerability scanning
• Logging and log retention
• Incident management
• Patch management
• Business Continuity
• Customer segmentation
• Software development practices
A key way of assessing the cloud service provider is to determine if they themselves are independently assessed and if the results of these assessments can be made available to you. The possibilities include:
• ISO 27001 certification
• PCI DSS
• SSAE 16 (SOC 1, 2 and 3) – SOC 2 is the preference.
The SSAE 16 replaced what was previously known as a SAS 70.
Some new draft standards to be aware of:
• 27017 - Information Technology – Security techniques – Security in cloud computing
• 27018 - Information Technology – Security techniques – Code of practice for data protection controls for public computing services
You can assess the cloud service provider by asking questions, reviewing independent audit reports and assessments, conducting interviews with their key people and site visits. Always obtain a copy of any certificates and read the fine print to ensure that the certification covers everything you expect it should.
Be aware that some organisations, especially where the cloud service provider in turn uses other providers. For example, data centre, hosting and network services etc that the providers may only comply with certain sections of any standards and not everything. Multiple parties providing services through sub-contractor relationships will add to the time it takes to conduct your assessment and to your risk.
Once the cloud service provider has been reviewed, assess the risk. Do they have the required controls in place? Do you have the required assurance that controls are designed and operating effectively and that the right controls are in place?
Next step is to review the contract and service levels that the vendor will provide. Consider the following:
• Defined recovery time objective and recovery point objectives that meet your requirements. Do you know your organisations maximum tolerable outage?
• Include a reference within the contract to any documented controls and process (e.g. encryption, incident response process, etc)
• Include the requirement for regular third party assessments and your access to the results
• Consider uptime versus response time SLAs
• SLA penalties – do they reflect the loss or disruption to your organisation? Probably not….
• What’s excluded from SLAs?
• What triggers are there for a termination of contract by either side? How long do you have before the contract is terminated? Is it long enough for you to find a new service provider? Will you receive your data back? In what format will the data be?
Assess the risk.
The final step is on-going risk assessment. This is probably best performed by your vendor management team and regular meetings with the cloud service provider.
Through ensuring that you involve all the key stakeholders within your organisation you can gain assurance that your data will be safe and secure in the cloud. Be aware that when you’re dealing with small to medium size vendors, it not always possible to have a clear view of risk transparency and the decision will not be as black and white. It will require some professional judgement and the data owners will be looking to you for advice. Good luck!