
Selecting the Right Cloud Operating Model: Privacy and Data Security in the Cloud

Authors: Thomas Schaefer, CISA, CISM, CISSP, CEH; Michael Hofmann, CISA, CISM, CRISC, CGEIT, CCISO, CIRM; Peter Loos, Ph.D.; and Peter Fettke, Ph.D.
Date Published: 1 May 2014

Cloud-based services are on the rise. According to recent publications, the cloud is the future for the provision of a wide range of IT services. For example, Capgemini’s latest World Quality Report estimates that cloud-based software testing will encompass 32 percent of all testing by 2015.1 A Gartner study estimates the market for cloud computing to reach US $150 billion in 2014.2 Beyond short-lived hype, this trend should not be ignored from an information security perspective.

Cloud services can allow companies to reduce costs and to operate more flexibly than with a traditional IT infrastructure and thus can enable them to develop new business. However, the promising opportunities of this technology go hand-in-hand with certain risk arising from migrating and operating a business service following the new technological paradigm. One may think, for example, of failures of large cloud service providers such as the Amazon EC2 service in 2011, where customers could not access their data for days,3 the Dropbox vulnerability that allowed users to access files of other users without authorization,4 or recent US National Security Agency (NSA) discussions.5

In the context of service migration to the cloud, such incidents highlight the importance of considering the full spectrum of information security and data privacy risk and managing it properly. Information security professionals face the challenge of resolving an inherent antagonism in cloud computing: abstracting away details (e.g., where a service is provided from) and transferring tasks (e.g., data backup) to a provider while, at the same time, retaining responsibility for mission-critical services and data.

A variety of publications exist covering the economic aspects of cloud migration decisions.6 Also, the pros and cons of potential technical architectures and operating models, such as Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), are intensively discussed.7 Yet, from an information security perspective, an additional and up to now often neglected core element to be taken into account is the information being processed as part of the respective service and thus affected by an intended service-to-cloud migration.

To ensure compliance with internal policies and fulfill given legal or regulatory requirements, the organization needs to be aware of the different types of data used throughout the service to be migrated. For each data type, the organization should actively decide on appropriate security measures to manage related risk.

Therefore, one important step during the early stages of such projects should be the identification of all information objects that are involved in the respective service. Following identification, the risk related to the various information objects needs to be assessed. Based on the results of this assessment, a suitable solution can be chosen from the available (cloud) deployment models. This helps to avoid compliance violations and unplanned adverse effects on security, which could lead to increased costs and, in worst-case scenarios, even outweigh the benefits expected from migration to the cloud.

A systematic approach to the assessment of such risk is key to reliably determining the required level of protection for data intended to be cloud-processed. The Cloud Service Evaluation Model (CSEM), developed by the authors of this article, suggests an easy-to-adopt method based on a structured questionnaire that can provide guidance in situations where services are to be moved to the cloud.

Cloud Computing

Cloud computing has been widely discussed in recent years, although, not surprisingly for a young technology, a single, generally accepted definition has yet to emerge. However, the definition from the National Institute of Standards and Technology (NIST) has been referred to regularly and adopted by other governing bodies and professional organizations, such as the European Network and Information Security Agency (ENISA), the British Standards Institution (BSI) and the Cloud Security Alliance (CSA), and, thus, will be employed here:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.8

NIST complements this definition with five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service) and distinguishes three service models: SaaS, PaaS and IaaS. As a further classification criterion, NIST suggests the deployment model and distinguishes four major ones: private, community, public and hybrid cloud. From an information security perspective, the choice of deployment model for a cloud service is of high importance.

Information Security Challenges in Cloud Computing

After having recapitulated the core characteristics of cloud computing, questions regarding related information security challenges arise. For many companies, cost savings and economic efficiency are principal drivers for the use of cloud services. These savings are expected to result from reduced investments compared to in-house IT. Increased scalability requires fewer buffers for high system load situations. Pay-per-use models allow efficient resource allocation. Flexibility enables faster service setup and adjustments. Location independence of cloud services and distribution across multiple data centers improve general service availability. Last but not least, organizations can focus on their core business while IT services are sourced to specialists. At least for smaller organizations, it is reasonable to expect that a specialized service provider is able to deliver IT services on a higher maturity level than the organization would be capable of on its own.

Still, bearing in mind all those advantages, there are also challenges to meet when it comes to cloud services. The most prominent among those is, according to industry decision makers, the security of processes, applications and data.9

Savings as a result of not having one’s own IT infrastructure go hand-in-hand with having less control over IT systems and limited room for action in certain cases, e.g., in incident and problem management. Not having to care about the system on a regular basis may, at the same time, mean not being able to solve a problem independently in a critical situation.

Efficient resource utilization is implemented via resource pooling and average load calculations in clouds. If high-load situations for multiple cloud participants coincide (e.g., during the Christmas trade), the resource pool might not be sufficient and, without further contractual provisions, this could lead to service disruptions.

With in-house IT systems, resources such as buffer systems for temporary high-load situations or for business continuity are often used as test systems to improve capacity utilization. In pay-per-use models, some organizations might be more reluctant to spend money on test system resources, which might lead to less-comprehensive testing. The same applies to resource-intensive security assessments, e.g., disaster recovery tests, which might be scheduled less frequently if the standby backup infrastructure is paid for on a per-use basis.

Flexibility of cloud service setup sometimes leads to situations in which business departments set up and use a cloud-based service as a kind of end-user computing, without involving the organization’s central IT. This, combined with lack of adequate governance, might lead to security risk and compliance violations.

Location independence of data processing in the cloud, i.e., not caring and potentially not knowing where specific data are actually stored, may constitute a serious issue from an information security perspective, as it contradicts an organization’s ultimate responsibility for its data. Regulations such as national data privacy laws explicitly specify where certain information may be processed. Furthermore, other legal aspects have to be considered, e.g., what happens if data get lost, published or confiscated in a data center in another country under a different jurisdiction? Systems and data hosted by the big players in the cloud service market can be expected to run more smoothly due to their large resource pools. On the other hand, as the revelations in the Snowden case show, data hosted with these big players are more prone to access by third parties, a situation that, even if these are governmental institutions, might give rise to legal concerns seen from an international perspective. Different types of risk exist here, often related to the transparency of the respective cloud service toward its users. These risk factors can be partially mitigated, for example, through corresponding contractual provisions between user and cloud provider or through independent audits. Yet, these issues should definitely not be neglected.

Another issue might be cross-instance effects. Changes to the cloud infrastructure as a whole, or in other users’ instances, may affect one’s own service regarding confidentiality, integrity and availability. In a similar manner, security risk factors at the underlying architecture levels need to be considered (e.g., in virtualized environments: the hypervisor, host system and hardware), which are not under the control of the user organization.

The scalability, combined with granular and flexible service fees, facilitates fast-paced changes of the provided services’ dimensions. Such changes might, at the same time, have significant impact on the security posture of the respective system or service, for example, a service such as Dropbox storing documents for a few hundred people in the beginning vs. millions of people shortly after launching. Security processes and controls need to be set up in a way to adequately cope with this.

The last cloud service advantage mentioned at the beginning of this section is the possibility for an organization to focus on its core business while certain IT services are handled by the cloud provider. Again, moving a service to the cloud does not absolve an organization from its ultimate responsibility for the processed data. When moving a service to the cloud, it is crucial from an IT security perspective that the organization ensures it has the relevant expertise at its disposal to monitor the respective service and fulfill its duties.

This demonstrates that when deploying a service to the cloud, it is of utmost importance to select an adequate operating model that fits an organization’s specific need with regard to security, risk management and control. CSEM offers an easy-to-apply evaluation model. Structured into six individual steps, the CSEM approach provides users the ability to identify critical features of their service to be cloud-sourced and systematically select a fitting cloud deployment model.

Cloud Service Evaluation Model Overview

The overall purpose of the CSEM is to identify a suitable cloud deployment model for a given IT service intended to be moved to the cloud. On one side, there is the given service with its individual features and requirements. On the other side is the spectrum of cloud deployment models as potential solutions. The CSEM establishes a link between the targeted IT service and the potential cloud deployment models. Two main instruments are applied here:

  1. A structured target service questionnaire is used to assess the respective service and identify specific features of the data processed within.
  2. The deployment model frame of reference presents available cloud deployment models, describing their strengths and weaknesses.

Because the questionnaire and frame of reference use the same evaluation dimensions—confidentiality, integrity, availability and transparency (C/I/A/T)—results can be easily matched and the best-fitting cloud deployment model for a given IT service can be identified in a subsequent step.

Deployment Model Frame of Reference

A detailed assessment of deployment models needs significant expertise and can be time-consuming. On the other hand, the general evaluation of cloud deployment models does not need to be repeated every time a service is assessed; it can be reused. While allowing individual assessments, CSEM already provides a frame of reference (FoR) containing prepared ratings for four common cloud deployment models as a starting point to accelerate practical implementation.

All deployment models were rated on a three-level scale of low, medium and high regarding their abilities to support C/I/A/T. The assessment of the individual cloud deployment models started with a proposed classification based on statements in current research and professional literature. This proposal was then discussed and refined by subject matter experts (SMEs). Figure 4 shows the resulting FoR, including proposed ratings for common cloud deployment models.

Based on feedback from SMEs, the public cloud deployment model was divided into two sub-classes, reflecting international public cloud offerings (e.g., Google, Amazon) and regional providers, where data processing happens in limited, defined geographic regions and, thus, is subject to the same legislation as the client’s local IT. As a result, figure 4 shows, for example, that the international public cloud deployment model received a low rating for the confidentiality criterion. Without further measures, it is difficult to identify exactly who (e.g., on the provider’s side) has access to data stored in such a public cloud. Integrity was rated medium as, on the one hand, certain technical features are implemented to ensure the correctness of transfer, processing and storage of data; on the other hand, such models usually do not offer deep insight into the applied measures, and options to control data processing on a detailed level are limited. Due to the sheer size and capacity of public cloud providers with distributed data centers all over the world, their service availability features can be considered superior to an average midsized company’s local IT. This results in an availability rating of high for public clouds. Of course, other factors such as network availability may also play a role here.

The transparency rating reflects the opportunities for a client (or its auditor) to acquire information on how, where and when its data are processed and to control the data processing. This might be of high relevance if the respective service is subject to certain legal or regulatory requirements and compliance has to be proved. By nature, public clouds abstract from where (and, to a certain extent, by whom) data are processed if no further measures are taken, thus resulting in a low rating for transparency.

The suggested ratings for all other cloud deployment models within the FoR were derived in an analogous manner as described for the international public cloud.

Application of the Model

The model described previously can be applied by following a stringent, six-step process (see figure 5).

Identify Affected Data
As a first step, any organization adopting the CSEM to deploy a chosen service in a cloud environment needs to identify and list all individual data objects that are processed in the context of the respective service. A valid approach here is to inquire with the business specialists for the service. They will be able to point out core data elements, e.g., the content of a company web site, order information from an e-commerce system, client names and addresses inside a CRM. If the service is not new and was previously supported by in-house IT, the related systems, interfaces and data stores (e.g., databases, file servers) can be inspected to identify the data objects processed by the service. IT specialists can contribute here by identifying technical data objects (e.g., log files, metadata, backups), which are, of course, relevant as part of a holistic assessment but not always the focus of business experts’ reviews. The collection of data objects needs to cover all processes linked with the targeted service in order to identify every relevant object. Thus, the information gathering should be performed by business and technical professionals together.

Assess Information Security Requirements
Subsequently, a structured questionnaire10 (figure 6) is used to assess the C/I/A/T information security requirements for the previously identified data elements. For each of the four main C/I/A/T criteria, respondents are asked to assess the risk level of their data on a three-level scale (low, medium, high). For each information security goal (e.g., availability), three to six questions are asked. To support structured replies, different types of risk (e.g., compliance violations, financial loss, reputational impact) are to be considered in each answer. After all types of risk have been rated, the overall C/I/A/T risk levels are determined in the next step.

Determine C/I/A/T Risk Levels
To attain an overall risk level for the reviewed service (and the data processed within) regarding each of the main C/I/A/T criteria, the questionnaire answers are condensed. For each criterion, the highest impact rating (figure 6) across its questions is taken as the determining value and, thus, as the reference for the selection of a suitable cloud deployment model later.

Evaluate Cloud Service Matrix
The results of the previous step are entered in the comparison column of the cloud service matrix. Either the standard weights (i.e., low equals 1, medium equals 3, high equals 9) can be used, or a custom weighting may be applied. Now the available cloud deployment models, with their capability ratings taken from the FoR, are compared against the requirements of the service under review as identified via the questionnaire.

If a deployment model’s FoR rating meets or exceeds the required level for a criterion, the model is awarded the points matching the required level. For example, if the overall data confidentiality requirement for the assessed service is medium and the private cloud deployment model is rated high for confidentiality in the FoR, the model fulfills the requirement and is awarded three points for the medium requirement. Although it offers high confidentiality, only medium was required; therefore, no more than three points can be received here. There is no bonus for exceeding the given requirements.

Examine Mitigation Measures
If certain deployment models turn out to be close to the requirements, but slightly miss some individual targets, further measures to achieve fulfillment of requirements can be evaluated in this step. For example, additional local encryption of data before moving them to the cloud could mitigate confidentiality issues in a cloud setup. Certifications or independent service reports (e.g., ISAE 3402) could contribute to transparency, for example.

Select Cloud Operating Model
In the final step, the evaluation matrix (figure 7) compares all available cloud deployment models and shows how well each fulfills the specific C/I/A/T requirements of the service that is to be moved to the cloud. The deployment models whose scores come closest to the reference score of the target service are the most suitable candidates for implementation. If two deployment models arrive at similar overall scores, the most economically efficient solution should be chosen. Current literature suggests that for medium-sized companies, costs usually increase from public cloud deployment models toward individual private clouds; this is also reflected in the economic impact in figure 4. The results of step 5 have to be considered here to take into account which changes or additional measures are feasible to reconcile service requirements and deployment model capabilities.
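As an added worked example (not the authors’ code and not part of the original article), the following Python script implements the scoring logic of steps 3 to 6 as described above: condensing questionnaire answers by taking the highest rating per criterion, computing the reference score with the standard 1/3/9 weights, scoring each deployment model from the FoR with no bonus for exceeding a requirement, applying mitigation measures as rating uplifts, and ranking models by closeness to the reference score with cost as the tiebreaker. The FoR ratings for the international public cloud are the ones the article gives (C low, I medium, A high, T low); the ratings for the other three models, the questionnaire answers, the cost ranking and the handling of criteria where a model falls short (partial credit at the weight of the model’s own rating, with the criterion reported as a gap for step 5) are assumptions made for illustration, not the authors’ figures or rules.

```python
"""Added example: CSEM steps 3-6 in code. Ratings marked ASSUMED are
constructed for illustration; only the international public cloud row
reflects the ratings stated in the article."""

LEVELS = {"low": 1, "medium": 2, "high": 3}      # ordinal rank for comparisons
WEIGHTS = {"low": 1, "medium": 3, "high": 9}     # article's standard weights
CRITERIA = ("C", "I", "A", "T")                  # confidentiality, integrity, availability, transparency

# Frame of reference. International public cloud: from the article (figure 4 text).
# The other three rows are ASSUMED illustrative ratings.
FRAME_OF_REFERENCE = {
    "international public cloud": {"C": "low", "I": "medium", "A": "high", "T": "low"},
    "regional public cloud":      {"C": "medium", "I": "medium", "A": "high", "T": "medium"},
    "community cloud":            {"C": "medium", "I": "high", "A": "medium", "T": "high"},
    "private cloud":              {"C": "high", "I": "high", "A": "medium", "T": "high"},
}
# ASSUMED cost ranking (1 = cheapest), following the article's remark that costs
# increase from public toward private deployment models.
COST_RANK = {"international public cloud": 1, "regional public cloud": 2,
             "community cloud": 3, "private cloud": 4}

# Constructed questionnaire answers for a CRM holding client names and addresses:
# one rating per question / risk type (compliance, financial, reputational, ...).
ANSWERS = {
    "C": ["medium", "high", "medium"],
    "I": ["medium", "medium", "low"],
    "A": ["low", "medium", "low"],
    "T": ["high", "medium"],
}


def determine_risk_levels(answers):
    """Step 3: the highest rating given for a criterion is its determinant."""
    levels = {}
    for crit in CRITERIA:
        rated = answers.get(crit, [])
        if not rated:
            raise ValueError(f"no questionnaire answers for criterion {crit}")
        levels[crit] = max(rated, key=lambda lv: LEVELS[lv])
    return levels


def reference_score(requirements, weights=WEIGHTS):
    """Score a model would reach if it met every requirement exactly."""
    return sum(weights[requirements[c]] for c in CRITERIA)


def score_model(requirements, ratings, weights=WEIGHTS):
    """Step 4. Meeting or exceeding a requirement earns the weight of the
    REQUIRED level (no bonus for exceeding). ASSUMPTION: falling short earns
    the weight of the model's own lower rating and flags the criterion as a
    gap so step 5 can look for mitigation."""
    points, gaps = 0, []
    for c in CRITERIA:
        req, rating = requirements[c], ratings[c]
        if LEVELS[rating] >= LEVELS[req]:
            points += weights[req]
        else:
            points += weights[rating]
            gaps.append(c)
    return points, gaps


def apply_mitigations(ratings, mitigations):
    """Step 5: each mitigation lifts one criterion to a new level, e.g. client-side
    encryption for C or an ISAE 3402 report for T. A rating is never lowered."""
    adjusted = dict(ratings)
    for crit, level in mitigations:
        if LEVELS[level] > LEVELS[adjusted[crit]]:
            adjusted[crit] = level
    return adjusted


def rank_models(requirements, frame_of_reference, cost_rank, mitigations=None):
    """Step 6: order models by distance to the reference score; ties go to the
    cheaper model. Returns (reference score, ranked rows)."""
    ref = reference_score(requirements)
    mitigations = mitigations or {}
    rows = []
    for name, ratings in frame_of_reference.items():
        adjusted = apply_mitigations(ratings, mitigations.get(name, []))
        pts, gaps = score_model(requirements, adjusted)
        rows.append({"model": name, "score": pts, "distance": ref - pts,
                     "open_gaps": gaps, "cost_rank": cost_rank[name]})
    rows.sort(key=lambda r: (r["distance"], r["cost_rank"]))
    return ref, rows


if __name__ == "__main__":
    reqs = determine_risk_levels(ANSWERS)
    ref, rows = rank_models(reqs, FRAME_OF_REFERENCE, COST_RANK)
    print(f"requirements {reqs}, reference score {ref}")
    for r in rows:
        print(f"{r['model']:28} score {r['score']:2}  gaps {r['open_gaps']}")
    # Re-run with step-5 measures applied to the regional public cloud.
    uplift = {"regional public cloud": [("C", "high"), ("T", "high")]}
    _, rows = rank_models(reqs, FRAME_OF_REFERENCE, COST_RANK, mitigations=uplift)
    print("with mitigations, best candidate:", rows[0]["model"])
```

Without mitigation the private cloud reaches the reference score of 24 and the international public cloud only 8, with open gaps in confidentiality and transparency. Once client-side encryption and an independent service report are credited to the regional public cloud, it also reaches 24 and wins the tie on cost, which is exactly the interplay between steps 5 and 6 described above.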

Conclusion

While the number of services that will be cloud-supported in the future will doubtless continue to increase, selecting the right cloud deployment model is not an easy matter, especially when taking into account the various information security challenges. The presented CSEM decomposes the inherent complexity into a sequence of structured and manageable steps that help to cope with this challenge.

As demonstrated, such assessments can be divided into two main parts: assessing the requirements of the service to be outsourced and evaluating the available cloud solutions for their appropriateness for the given task. The first part needs an individual C/I/A/T requirements assessment for each target service and can be performed, based on the provided questionnaire, with reasonable effort by the risk manager together with the business, given that they know the concerned processes and systems well. The second task encompasses evaluating the available cloud solutions regarding their C/I/A/T features. Here, the CSEM FoR, with its sample evaluation of four common cloud deployment models, can be used as a starting point. Putting the questionnaire and the FoR together, the CSEM, with its systematic, six-step approach, enables professionals to adequately address the often blurry topic of privacy and data security in the cloud according to an organization’s specific need. Information risk managers can apply the CSEM to efficiently provide comprehensive counseling during cloud service migration projects and identify suitable solutions. IT auditors may leverage the CSEM approach to assess cloud-deployed applications in a structured way.

It is a fairly safe bet to say that in the future, in many cases, the question will not be whether a cloud model should be used, but which cloud model. It is critical to be prepared.

Endnotes

1 Capgemini, “World Quality Report 2013-14,” 2013, www.capgemini.com/thought-leadership/world-quality-report-2013-14
2 Gartner, “Gartner Identifies Seven Major Projects CIOs Should Consider During the Next Three Years,” press release, 9 November 2010, www.gartner.com/newsroom/id/1465614
3 BBC UK, “Amazon Fault Takes Down Websites,” 21 April 2011, www.bbc.co.uk/news/technology-13160929
4 Ducklin, Paul; “Dropbox Lets Anyone Log in as Anyone,” Sophos, 21 June 2011, http://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-anyone-log-in-as-anyone/
5 Owen, Paul; “NSA Files,” The Guardian, 25 October 2013, www.theguardian.com/world/2013/oct/21/nsa-files-live-coverage-developments-reaction
6 For example: Rosenberg, Jothy; Arthur Mateos; The Cloud at Your Service, Manning Publications, 2010
7 For example: Sosinsky, Barrie; Cloud Computing Bible, Wiley, 2011
8 Mell, Peter; Timothy Grance; SP 800-145, The NIST Definition of Cloud Computing, National Institute of Standards and Technology (NIST), 2011, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
9 Olavsrud, Thor; Dan Muse; “How Secure Is the Cloud? IT Pros Speak Up,” CIO.com, 28 March 2012, www.cio.com/article/703064/How_Secure_Is_the_Cloud_IT_Pros_Speak_Up
10 The questionnaire is available upon request from the authors. Contact thomas-schaefer@onlinehome.de.

Thomas Schaefer, CISA, CISM, CISSP, CEH, is information security officer at an international financial institution.

Michael Hofmann, CISA, CISM, CRISC, CGEIT, CCISO, CIRM, is partner at KPMG Luxembourg, where he is in charge of the information risk management division, providing services in IT advisory, IT attestation and IT audit.

Peter Loos, Ph.D., is director of the Institute for Information Systems in the German Research Center for Artificial Intelligence, which undertakes large-scale research projects and offers consulting services for the public and private sectors.

Peter Fettke, Ph.D., holds a leading function at the Institute for Information Systems in the German Research Center for Artificial Intelligence.