The cloud security checklist

Think your data will be safe in the cloud? Here are six tough questions for your cloud service provider.

Whether you're a small business relying on Google Docs for document sharing or an enterprise moving your global ERP system to the cloud, you should demand that vendors providing applications and services over the Web meet some common security and compliance requirements. These requirements cover who can access your applications and data, as well as the systems hosting them; where the data is stored; and whether the data is hosted on dedicated rather than shared hardware. They also ensure that you get detailed logs of who has accessed your data and applications, so that you can meet corporate and regulatory standards, and that data is properly encrypted, which matters even more once it leaves the corporate firewall.

What you demand of the cloud depends on your corporate standards and your compliance needs, the amount and type of workloads you're moving to it, and how you are dividing administrative and security responsibility between your staff and your provider. Security requirements also vary depending on whether you're using software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) offerings. But you should at least consider each of the following questions in your cloud security plans.

1. Who has authentication/access control?

The ability to prove that users are who they say they are and control the data they can see and the functions they can perform, based on their identities and roles, is the top priority of almost every cloud user interviewed for this story. Authentication can be the most challenging when you maintain user information and controls within the firewall using a repository such as Active Directory but host your servers and applications in the cloud.

The ideal is a "federated" identity management system, in which a single identity provider vouches for a user to every application, internal and external, that has agreed to trust it. Once a user presents the proper credentials, such as a password or a password and a token, the identity provider issues a signed assertion that the applications accept in place of running their own login. This also provides single sign-on, allowing users to access all of their applications and data, in-house and in the cloud, with a single username and password. While top SaaS providers have the infrastructure to provide single sign-on to large customers that are themselves equipped to serve as "identity providers," many smaller service providers and their customers lack those capabilities, says Eve Maler, an analyst at Forrester Research.

However, because federated identity management can be expensive and cumbersome to implement, many organizations settle for a "synchronized" approach in which different copies of a user's authentication information are maintained by different applications, says Maler. This can compromise security by spreading user credential data among multiple locations and companies. It can also create delays between the time that an employee's access is withdrawn from internal systems and from a cloud-based application, creating a potential security gap.

Another authentication option is for the cloud provider to connect directly to the company's store of user information, which Maler says "is probably safer than synchronizing" but practical only if you have a relatively simple collection of systems. That's the route taken by healthcare provider HCR ManorCare. Thomas Vines, director of information security at HCR, says he has used a cloud-based application to host the company's electronic medical record system for the past seven years and is "very comfortable" with it. Vines says he allows a cloud-based security service from Zscaler (which also checks websites for malware and controls which sites users may access) to access his Active Directory implementation to determine which users to authenticate and what level of access to grant them.

An IaaS implementation in which a customer buys the use of servers in the cloud is one case where a simple link from a service provider to an LDAP directory might be enough, says Tom Cecere, director of cloud product management at NetIQ. That's because there are usually only a limited number of administrative roles, he says. For example, one role might cover users who can create new servers, a second might cover a wider set who can expand the capabilities of the servers, and a third role might cover the still larger group who can use the servers.

A number of vendors, including Symplified, Okta and Ping Identity, provide single sign-on through what Maler calls "a simplified way of federating," redirecting users' access requests to a cloud-based authentication process that supports every cloud-based service the customer uses.

The next challenge is to ensure that users can access only the applications, the data or the functions within applications for which they are authorized. Not all organizations require the same level of granularity in specifying access, says Maler, but it's critical to hold out for the level of detail you need, rather than relying on only the "fairly coarse-grained" control offered by vendors that have an incentive to allow access by more users to maximize their revenue. One vendor providing more fine-grained access control is Aveksa, which sells its software to both cloud vendors and cloud customers.
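What the federated arrangement described above boils down to, as an added example that is not code from the article or from any vendor it names: the identity provider signs a claim set, and the cloud application (the relying party) checks the signature, issuer, audience and validity window before mapping the provider's coarse role onto its own finer-grained permissions, which is the "level of detail you need" point made just above. The compact token format, the shared HMAC key and the role-to-permission table are assumptions made for the demonstration; production deployments use SAML or OpenID Connect with the provider's published signing keys.

```python
"""Relying-party checks on a signed identity assertion (federated SSO).

Added example; this is not code from the article or from any vendor named in
it.  The compact token format, the shared HMAC key and the role-to-permission
table are assumptions made for illustration.  A real deployment would use
SAML or OpenID Connect with the identity provider's published signing keys.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"example-idp-signing-key-not-for-production"  # assumed shared secret
IDP_ISSUER = "https://idp.example.com"                     # assumed issuer
OUR_AUDIENCE = "https://erp.example.com"                   # this application

# The application maps the provider's coarse role claim onto its own
# fine-grained permissions instead of accepting the vendor's defaults.
ROLE_PERMISSIONS = {
    "server-admin": {"create-server", "resize-server", "use-server"},
    "operator": {"resize-server", "use-server"},
    "user": {"use-server"},
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key, claims):
    """Identity-provider side: sign a JSON claim set with HMAC-SHA256."""
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url_encode(sig)


def verify_assertion(token, key, now=None):
    """Relying-party side.  Raises ValueError on any failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks timing about the signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    # A token minted for another of the customer's cloud apps must not work
    # here, or one compromised app becomes a skeleton key for the rest.
    if claims.get("aud") != OUR_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    if now < claims.get("nbf", 0):
        raise ValueError("assertion not yet valid")
    return claims


def permitted_actions(claims):
    """Translate the provider's role claim into this application's permissions."""
    return set(ROLE_PERMISSIONS.get(claims.get("role"), ()))


def demo():
    """Run the checks against four constructed tokens; returns outcomes by name."""
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    base = {"iss": IDP_ISSUER, "aud": OUR_AUDIENCE, "sub": "alice",
            "role": "operator", "nbf": t0, "exp": t0 + 300}
    good = issue_assertion(IDP_KEY, base)
    other_app = issue_assertion(IDP_KEY, dict(base, aud="https://crm.example.com"))
    # Role escalation attempt: edit the claim set but keep the old signature.
    sig = good.split(".")[1]
    tampered = _b64url_encode(json.dumps(dict(base, role="server-admin"),
                                         separators=(",", ":")).encode()) + "." + sig
    results = {"good": sorted(permitted_actions(verify_assertion(good, IDP_KEY, now=t0 + 10)))}
    for name, tok, at in (("other_app", other_app, t0 + 10),
                          ("tampered", tampered, t0 + 10),
                          ("expired", good, t0 + 301)):
        try:
            verify_assertion(tok, IDP_KEY, now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The tampered token fails on the signature check before any claim is read, and the token issued for the CRM application is rejected on audience even though it is genuinely signed, which is what stops one compromised application from becoming a login to all of them. A short `exp` is also what limits the deprovisioning gap: a user removed at the identity provider can at most keep using an already-issued assertion until it expires.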

2. Is the location secure?

The cloud allows data to be moved to the most cost-effective location without users' knowledge. But to safeguard security, customers should know the location of their data. Gary Landau, vice president of IT infrastructure and information security at financial services provider Wilshire Associates, wants cloud vendors to provide replication to redundant sites, "but I also want to know where that [data] is going to be, because I don't want my data being migrated" to a country that lacks strong legal protection for it.

Cloud customers whose concern is document security can use SaaS tools like WatchDox, which lets them control who can view cloud-based documents and track who accessed them. According to Kevin Gholston, vice president of business development at defense manufacturing consultancy CVG Strategy, WatchDox is easier to use and less cumbersome than digital rights management software.

AMAG Pharmaceuticals relies on cloud providers to host all 24 of its sensitive applications and just under 8TB of data, including information related to manufacturing processes and quality control, says Nathan McBride, AMAG's executive director for IT. He uses CloudLock for Google Apps from CloudLock (formerly Aprigo) to restrict document access to authorized users and to transfer ownership of documents to another employee when a user leaves the company. This eliminates the manual process of finding each document and changing who can access it.

3. When are audits conducted?

Proving your applications and data meet corporate, industry and government standards requires audits and reports. Vines does a quarterly audit of each of HCR's critical application providers, covering everything from software updates to the validity of users' accounts and the controls required for HIPAA and Sarbanes-Oxley compliance. He says years of experience and "hand-in-hand" cooperation between the audit and security groups means audits require only a quarter of one staffer's time. "Once we get into the flow, it's well documented and not so ad hoc," he says, noting that scripts and processes his team developed proactively highlight problems.
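The account-validity part of such an audit can be scripted, as in this added example (not the article's or HCR ManorCare's own scripts), which reconciles a cloud provider's user export against the corporate directory and flags four things: accounts unknown to the directory, accounts disabled internally but still live at the provider (the deprovisioning gap described under question 1), admins not on the customer's approved list, and accounts that have not logged in within the review period. Both CSV exports, the approved-admin list and the audit date are constructed for the demonstration.

```python
"""Quarterly account-validity check: the cloud app's user list against the
corporate directory.

Added example; these are not the article's or HCR ManorCare's own audit
scripts.  Both exports are constructed inline for the demonstration; in
practice they would be the provider's user export and an Active Directory
or LDAP export, and the approved-admin list would come from the customer's
change records.
"""
import csv
import io
from datetime import date

# Constructed directory export: one row per person with HR status.
DIRECTORY_CSV = """\
upn,status,disabled_on
alice@example.com,enabled,
bob@example.com,disabled,2011-07-02
carol@example.com,enabled,
dave@example.com,enabled,
"""

# Constructed cloud-provider export: who can log in to the app today.
SAAS_CSV = """\
email,role,last_login
alice@example.com,user,2011-09-28
bob@example.com,admin,2011-09-25
carol@example.com,admin,2011-06-01
erin@example.com,user,2011-09-27
"""

# The customer's own record of who may hold provider-side admin rights.
APPROVED_ADMINS = {"alice@example.com"}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(directory_csv, saas_csv, approved_admins, today, stale_days=90):
    """Return findings keyed by type; each finding is an (email, detail) tuple."""
    directory = {r["upn"].lower(): r for r in _rows(directory_csv)}
    findings = {"orphaned": [], "deprovision_lag": [],
                "unapproved_admin": [], "stale": []}
    for r in _rows(saas_csv):
        email = r["email"].lower()
        person = directory.get(email)
        if person is None:
            # Exists only at the provider: nobody in the directory vouches for it.
            findings["orphaned"].append((email, "not in directory"))
        elif person["status"] != "enabled":
            # Disabled internally but still live in the cloud: the sync gap.
            lag = (today - date.fromisoformat(person["disabled_on"])).days
            findings["deprovision_lag"].append((email, f"{lag} days after disable"))
        if r["role"] == "admin" and email not in approved_admins:
            findings["unapproved_admin"].append((email, "admin not on approved list"))
        if (today - date.fromisoformat(r["last_login"])).days > stale_days:
            findings["stale"].append((email, f"last login {r['last_login']}"))
    return findings


def run_demo():
    """Audit the constructed exports as of a fixed date so output is reproducible."""
    return audit(DIRECTORY_CSV, SAAS_CSV, APPROVED_ADMINS, date(2011, 9, 30))


if __name__ == "__main__":
    for kind, items in run_demo().items():
        for email, detail in items:
            print(f"{kind:18} {email:22} {detail}")
```

Run against a real export, the "deprovision_lag" list is the one to watch: every entry is a former employee who could still log in to the cloud application after HR had closed the account, and the number of days tells you how long the synchronization between the directory and the provider actually takes.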

Each cloud vendor that AMAG's McBride uses must meet strict FDA data security requirements, one of which calls for a multiday on-site audit by AMAG of the vendor's facility and processes.

While SAS 70 compliance is frequently cited as an assurance of security, it only lists the controls the provider has in place, not how it enforces those controls, says Karthik Chakkarapani, IT director of technology solutions and operations at the American Hospital Association, which hosts everything from CRM systems to payroll to data for mobile applications in the cloud. Jason Lau, director of IT security at Service Now, a SaaS IT management vendor, suggests ISO 27001 as a more rigorous alternative.

Marlin Pohlman, chief governance officer of storage vendor EMC and chairman of the strategy board for the Cloud Security Alliance (CSA), suggests using SOC 2 and the Statement on Standards for Attestation Engagements (SSAE) No. 16 instead of SAS 70. The CSA also has put forth a set of security principles in its Cloud Controls Matrix and, in the fourth quarter, expects to give users access to security questionnaires completed by cloud vendors for its Security, Trust and Assurance Registry (STAR). This will give users a format for comparing the security practices that providers claim to follow, says Jay Chaudhry, CEO of Zscaler and a co-founder of the CSA.

In any case, Chakkarapani advises, ask detailed questions about which systems store which data, how the data is stored and encrypted, and the exact paths by which it is read and written. Also, he says, find out which administrators can access your systems and how their access is controlled.

While the single sign-on capability eliminates the confusion of multiple usernames and passwords, it can also provide more complete audits by capturing all of a user's actions regardless of which systems they logged in to and the credentials they used, according to NetIQ's Cecere.

Vendors such as Core Security Technologies and nCircle allow users to conduct vulnerability scans. Many companies want to do the same scans they do internally and see the same reports on cloud providers that they see for their own organizations, says Tim Keanini, chief technology officer at nCircle. But some argue that by mimicking attacks, the tests themselves can interrupt a provider's service. Others say the scans are incomplete and inaccurate or, as McBride says, "one sure way to put a dent into the relationship" with a provider. Pohlman recommends the Security Content Automation Protocol, developed by the National Institute of Standards and Technology, as a less intrusive way to assess a provider.

4. Is my data on dedicated hardware?

Many cloud vendors tout their "multitenant" architectures, in which multiple customers' data and applications share the same servers or storage, as a way to offer cost-effective, scalable services. But sometimes customers need to ensure that their data is on its own platform, kept securely separate from that of other customers.

Kris Herrin, CTO of Heartland Payment Systems, says he insists that providers let him choose which applications will sit on dedicated hardware and which can go on shared systems. Herrin chooses the dedicated option, for example, for apps running on virtual servers. He wants the extra safety because even though it follows Heartland specifications, the IaaS vendor, rather than the company's own engineers, is managing the hypervisor.

5. Who's minding the store?

Service Now's Lau says customers often "want to explicitly know all of the downstream third-party vendors involved."

"A SaaS provider might look like a big company, but is it just a small mom-and-pop shop using another hosting facility?" he says.

Lau recommends probing for the actual size of the company with detailed questions about the type of office park the provider is housed in, the size of its security team and whether security is a full-time job at the vendor. "Ask them for a copy of their security policies and standards," he says. "If they cannot provide one, they probably don't have a security program."

6. How will data be encrypted?

Encrypting data, so that it is unreadable to anyone who does not hold the key, is a central part of any security policy. But the type of encryption necessary and how it is applied vary depending on how a customer uses the cloud.

Encryption is central to Herrin's plan for "getting out of the data center and hardware business" by hosting applications on servers owned by a cloud provider but managed by his staff. He uses hardened appliances from Voltage Security to encrypt portions of customers' credit card numbers from the time they are swiped at the merchant through to their processing. The approach allows him to reap the cost savings of the cloud without worrying about whether every step is compliant with Payment Card Industry standards for protecting customers' credit card numbers. Because the full credit card numbers are unreadable, he says, the processes aren't subject to PCI requirements.
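To show what encrypting only a portion of a card number while keeping its format involves, here is an added example; it is not Voltage Security's product, Heartland's code or NIST's FF1 mode, but an illustrative Feistel cipher over decimal digits keyed with HMAC-SHA256. The demo key, the round count and the decision to leave the first six and last four digits of a 16-digit number in the clear are assumptions for the demonstration, and a production system should use a standardized, reviewed construction such as FF1 rather than this one.

```python
"""Format-preserving encryption of the middle six digits of a card number.

Added example; this is not Voltage Security's product, the article's own
code, or NIST's FF1 algorithm.  It is an illustrative Feistel cipher over
decimal digits whose round function is HMAC-SHA256; the demo key, the
round count and the choice of which digits stay in the clear (first six,
last four for a 16-digit number) are assumptions for the demonstration.
"""
import hashlib
import hmac

ROUNDS = 10
HALF = 3                # the six hidden digits form two 3-digit halves
MOD = 10 ** HALF        # arithmetic is mod 1000 so each half stays 3 digits
DEMO_KEY = b"demo-key-replace-with-a-generated-256-bit-key"  # assumption


def _prf(key, rnd, half, tweak):
    """Round function: HMAC-SHA256(key, tweak || round || half) mod 1000."""
    msg = tweak + bytes([rnd]) + half.to_bytes(2, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % MOD


def _feistel(key, left, right, tweak, decrypt=False):
    """Balanced Feistel network over (left, right) in Z_1000 x Z_1000."""
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for rnd in order:
        if decrypt:
            # Undo (L, R) -> (R, L + F(R)): new R is L, new L is R - F(L).
            left, right = (right - _prf(key, rnd, left, tweak)) % MOD, left
        else:
            left, right = right, (left + _prf(key, rnd, right, tweak)) % MOD
    return left, right


def _split(pan):
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 13:
        raise ValueError("expected a card number of at least 13 digits")
    return digits[:6], digits[6:12], digits[12:]


def _transform(pan, key, decrypt):
    bin6, middle, tail = _split(pan)
    # The clear-text digits act as a tweak, so the same middle six digits
    # encrypt differently under a different BIN or last four.
    tweak = (bin6 + tail).encode("ascii")
    left, right = _feistel(key, int(middle[:HALF]), int(middle[HALF:]), tweak, decrypt)
    return f"{bin6}{left:03d}{right:03d}{tail}"


def encrypt_pan(pan, key):
    """Return a same-length, all-digit token with only the middle six encrypted."""
    return _transform(pan, key, decrypt=False)


def decrypt_pan(token, key):
    """Recover the original card number from a token made by encrypt_pan."""
    return _transform(token, key, decrypt=True)


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # constructed test number, not a real card
    token = encrypt_pan(pan, DEMO_KEY)
    print("token   :", token)
    print("restored:", decrypt_pan(token, DEMO_KEY))
```

The output is the same length and all digits, so downstream systems that validate or store card-number fields keep working, and the clear digits double as a tweak so identical middle digits do not produce identical tokens under a different BIN. Nothing but the key recovers the original number, which is why the key, and any key-rotation history, has to be in the same disaster-recovery plan as the encrypted data.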

Larry Whiteside Jr., director of information security and chief information security officer at the Visiting Nurse Service of New York, insists on 1,024-bit encryption for data moving between users and cloud applications, as well as for the associated encryption certificates. Encryption for data at rest is desirable but not mandatory for his organization, assuming other security controls are in place, such as data obfuscation and the use of separate SQL instances or even physical machines.

One way to avoid unpleasant surprises is to make sure your IaaS provider quotes prices for servers and storage fast enough to handle the required level of encryption without slowing applications. Pohlman suggests consulting the FIPS (Federal Information Processing Standards) 140-3 guidelines to determine the level of encryption required for each organization and jurisdiction. You should also make sure that a provider's disaster recovery plan protects not only the encrypted data, but the decryption keys necessary to use the data, Vines advises.

Once all precautions have been taken, the key to security is people. Some users feel cloud vendors can do a better job of keeping data secure than they could themselves, since vendors have more money -- and more at stake.

Rather than trust someone on his own staff "who might be doing 15 different things" in addition to security, McBride says he's more confident relying on a cloud vendor "whose very job depends on" keeping clients' data secure.

"You know they're going to get it done," he says.

Scheier is a veteran technology writer. He can be reached at bob@scheierassociates.com.

Copyright © 2011 IDG Communications, Inc.
