I get many requests regarding cloud computing and in particular inquiries regarding the security approach on cloud computing. A while ago I read a very good blog entry from Dr. Guy Bunker (www.viewfromthebunker.com) who got straight to the point: "One of the problems with ‘the cloud’ is that it has been tough up until now to distinguish the different variations or even acknowledge that there are different cloud formations out there, and that one size does not fit all. So, are you after software (application)-as-a-service or a platform-as-a-service, are you thinking about in-house clouds or external ones, how about having proprietary or open API access? You see, the possibilities soon mount up. Of course, there is no single answer and different applications will be best suited to different cloud solutions. Understanding the differences will help you to make a good choice and reading the paper will remove some of the cloudiness around the cloud." In his blog, Guy is referring to the Cloud Cube Model by the very well recognized Jericho Forum (part of the Open Group). The 4 dimensions of the Jericho Cloud Cube Model are really a very crisp and concise way to define the various cloud formations and their characteristics. I personally think that this is very complementary to the recently released “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance. This model gives you very good guidance on the portfolio of domains that you have to consider for every formation of cloud computing in terms of security. The model by the CSA defines 15 domains that include, e.g., the cloud architectural framework, information lifecycle management, traditional security, application security and virtualisation security. Both – the Jericho Model and the CSA Guidance – will give enterprises a clear picture about the entire framework and approach that they have to consider.
I really encourage everyone who is considering putting information and applications into any type of cloud formation to read through the advisories from Jericho Forum (Cube Model as well as Collaboration Oriented Architectures) as well as the guidance from the Cloud Security Alliance. This will help to define your own individual approach to secure and manage your cloud formations properly. Please don't hesitate to contact me for any further questions.
Just remember you have a choice of two cloud types: public and private (and hybrid, I guess). There needs to be a lot of security analysis regardless of how you go. For example, let's say you want to use public clouds. If you can't afford for your data to "go public", would you select a public vendor that says that they reserve the right to display your data publicly regardless of the reason? And what if the vendor says that their employees have access to read your uploads? So far, we talked about Google Docs, Dropbox and Amazon. It all depends on what your security levels require. If you were a company selling to the public, would any of your customers be happy knowing that their credit card information, social security numbers, security codes, passwords, etc. are being kept on a public website that may have already been breached? How about if you are a lawyer on a BIG case and you want to put your case notes up there. Can the opposition get a copy by presenting a simple subpoena? How about medical records that are governed by HIPAA? What do the public clouds say about HIPAA compliance and responsibility (you may need to look at the FAQs for that and get other opinions)?
You mentioned Amazon. One of their systems even their employees have no access to. The other allows certain employees access in rare conditions. I applaud that. At our government agency, where we do law enforcement systems, we really can't afford to have anything we upload seen by anyone, ever. Not even employees of the operator. We are looking at a deal with Box.Net where they are criminal justice systems certified as well as HIPAA certified. The important thing as I have mentioned before: Read the Terms of Service (TOS) completely. Read the FAQs as best as you can and read the privacy policies. If you are not sure, you should ask questions. It could be very important.
This is an excellent and timely point you make. CISOs and IT Sec are increasingly aware that on-premise applications and services are rapidly migrating to the cloud to capitalize on the reported lower cost. However, mandates to which the enterprise must abide are still relevant - be it on-premise or in the cloud.
We are in the process of finalizing support that enables a CCS customer to collect security information from their Amazon Web Services environment and integrate it into the risk and compliance assessment activities. This provides the CISO and Business Owners with a complete view of risk and compliance - on-premise and in the cloud.
If there is interest in learning more and/or participating in a pre-release test of this capability - please see: https://www-secure.symantec.com/connect/forums/control-compliance-suite-and-amazon-web-services.
I did read the document and there are distinct differences between the Dropbox/Google world and Amazon. According to the document Amazon EC2 does not allow ANY of their employees to see the user's data while Amazon S3 DOES allow very restricted access to a small number of employees. In the case of Google, for example, they state they have the ability to read your data, in general and you must give them this right. Dropbox says that not only do you have to give them the same rights but you, yourself, have to have the rights to give them the rights they need.
The document does make one VERY important point. HIPAA requires that the data be fully encrypted when it leaves your hands and all through the path going to the, in this case, cloud. I believe that part is met. I would think that the best policy is that the data should be encrypted fully by the user before any attempt is made to send the data to the cloud. That would eliminate all concerns because the data would be guaranteed encrypted by the user for the data in-flight and also any Google worker or electronic system would not be able to read the data. Does their software allow for this?
So, the document that you stated does set the stage for HIPAA compliance for AMAZON (which, by the way, I think Dropbox uses) but I don't know if the TOS for Google or Dropbox would allow for HIPAA certification. I know that Box.net under the agreement that we will be operating under, is not only HIPAA compliant (while Google does not accept responsibility for HIPAA-compliance) but is also certified to hold criminal records and court information.
The gist of this: let the lawyers and doctors be aware and do make sure that what you are doing is not going to backfire.
Regarding HIPAA and cloud computing, I remember a discussion two years ago about Amazon Web Services and HIPAA compliance. I managed to find their whitepaper from 2009, which has been actually extended with a few case studies about organisations using AWS in HIPAA regulated environments:
http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/
I have to admit that I didn't read the papers yet with the necessary attention, but I will do this in the next few days or so. Nevertheless given the fact that there are customers using AWS in healthcare, it seems that there are ways to use cloud computing without violating HIPAA principles and requirements.
Just the other day, I noticed a "whitepaper" (or I think it was more of a Google advertisement) going on about how safe and secure Google is. My "feedback" was how secure can a company be if their GLOBAL (as of March 1st) TOS states that they reserve the rights to publicly display your "work".
My point of view and suggestion is the "golden rule", which states: If you would be upset having your information on the front page of a national newspaper, don't keep it online. People have to remember that they need to read the TOS, FAQ and Privacy Policy of any online service they use and then make an educated decision as to their participation. The following scares me:
Obviously, if I was a nobody and my lawyer used the cloud to store his case notes, I would not care; however, if I was a celebrity, I would not like my data "out there". I could use this to my advantage if the D.A. was keeping his case notes on the cloud. I could get a copy of those with a simple subpoena.
2. Use of the cloud by medical professionals
The question still remains: "Is the Cloud HIPAA/HITECH-compatible?" I don't know if anyone has ever answered that question, officially. Google takes no responsibility in this area, according to their FAQs. Considering all uploads are scanned for content, some by humans, is the use of the cloud automatically a HIPAA violation in itself, with the result being fines over $1,000,000?
3. Use of the cloud to store PII especially credit card and social security information
While we know that two of the cloud providers have already been hacked and data exposed, do I have to worry that ANY of my personal and critical information is "out there"? Just because a service requires a password does that mean that everything is really safe from everyone?
Since I work for the government in the IT for criminal justice systems area, I know that the County is looking at a contract with BOX.net. I believe the service has been certified by justice organizations and is certified as HIPAA-compliant. But, blocking the use of other non-certified cloud providers currently in use could be a big challenge.
Exactly, you raised very good points here. Two days ago I saw a blog entry by Gartner that was starting with the following:
'Is cloud secure?' Seriously, why are you asking this? Ask: 'Is MY USE of cloud computing secure?' Or, if you want to be a bit fancy, you can add '...secure enough for my purposes?'
http://blogs.gartner.com/anton-chuvakin/2012/03/13/is-cloud-secure-wtfc/
The bottom line here is that cloud computing security responsibility is on both sides - the service provider and the organisation / individual using the service.
I have found that the "read, modify, abstract, publicly display..." part was not originally written for Youtube. It was written for Google Docs. The "claim" here is that they need these rights, in advance, so that when you click "Publish" or decide to add collaborators, they have the rights to perform these actions to provide you with the service/action. Some do not believe this is actually necessary, especially if you are only using the cloud for storage. Another online discussion that came about was titled: "Is Google Docs HIPAA-compliant?" Medical documents such as patient records, X-Rays, drug tests, etc. are controlled by HIPAA. I searched Google's FAQs about this and, while they said that some have uploaded this data as part of their HIPAA storage, Google does not take any responsibility for HIPAA. My personal view is that HIPAA data should be encrypted BEFORE it is sent up to any of these services. According to Google, the company electronically reads every upload and some are read by Google staff. If I were a District Attorney and putting confidential information on one of these services, I would need to ask myself, "Is this acceptable?". If the answer is NO, I do not want Google or Dropbox employees reading my uploads (and possibly passing the information on as they have NOT signed any non-disclosure agreement with me), then my choices would be to pre-encrypt the data myself or not use the service. Some things may be best left up to the private cloud. And suppose the words "bomb" or "destroy" are used in reference to a case such as "the defendant appeared to be bombed out of his mind and destroyed a traffic signal"?
We also know that many of these services have been hacked and they have mentioned in their TOS that they basically take no responsibility for this. I guess the point is: consumers must do due diligence to read the TOS, FAQ and Privacy Policy of any service they are thinking about using and weigh the benefits and security issues carefully.
In my recently issued article (https://www-secure.symantec.com/connect/blogs/one-size-fits-none-how-assess-security-control-transparency-cloud-service-providers) I start with the advice to look for publicly available information about the particular vendor when you start shortlisting the candidates for your service selection. E.g. many cloud service providers have statements on their website about ISO 27001 certification, SAS 70 Type II audit attestation (recently replaced by SSAE 16 in the US and ISAE 3402 internationally), SysTrust or WebTrust certification, etc.
This includes other publicly available information like the privacy policy statement or the terms and conditions for the service.
Is this enough to trust this provider to handle e.g. your entire CRM data outside of your network? Probably not, therefore you should start to think about further assessment beyond these certifications and labels they provide.
Without consulting an attorney it will likely be hard to decipher certain statements in those terms and conditions. In particular for personal information in the light of EU country legislations and offshore-transfer to countries without adequate level of protection. I am not able to give any legal advice anyway other than consulting the right people for this purpose.
You mentioned very good points here, in particular services that allow themselves to monitor, read, abstract, deny, etc. the content you upload. I think you have to distinguish between the purpose of the service itself like YouTube for public broadcasting or platform-/software-/infrastructure-as-a-service like Salesforce, Amazon Cloud or Microsoft Azure. Frankly I don't expect YouTube to protect my privacy when I upload a personal video about myself. Of course I expect YouTube to respect my privacy if someone else uploads a personal video about myself without my permission. This requires people to watch the content and make a decision whether your request for removal of this content is valid or not. But when my company is using Salesforce, I expect and have to verify that no one in Salesforce operations can read my customer data in clear text, or - even worse - is able to extract that data to external media.
As mentioned in my article, questionnaires like the "Consensus Assessments Initiative Questionnaire (CAIQ)" from Cloud Security Alliance give you some good guidelines on how to do further assessments of the service and what questions you should ask. E.g. do they have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment? Do they specifically train their employees regarding their role vs. the tenant's role in providing information security controls? Do they document employee acknowledgment of training they have completed?
Encryption is a very important selection criterion to ensure that the service provider can process the data, but not read it, i.e. very important for online backup service providers. Do they have a capability to allow creation of unique encryption keys per tenant? Do they support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)? Do they encrypt tenant data at rest (on disk/storage) within their environment? Do they have a capability to manage encryption keys on behalf of tenants?
The bottom line here is that the selection of cloud service providers requires a somewhat different approach than selecting a hardware- or on-premise-software vendor, and requires a different set of key questions you should ask to make the decision.
There are private and public clouds. One issue I have with public clouds is that users tend to either ignore security in exchange for the convenience or the users make broad assumptions about security.
The most important thing for a new user to do is READ the Terms of Service (TOS) and the company's Privacy Policy and then apply that to what you want to use the public cloud for. For example, a quick view of the two most popular public clouds' TOS rules will show that not only do they have a right to read, modify, abstract and publicly display your uploads, but you also have to have the "right" to transfer these rights to the cloud provider. It is claimed that these reserved rights are necessary to perform services for you, the user, but you need to evaluate the rights in comparison to what you are uploading. They no longer claim ownership of your data but they still require these rights. They also take no responsibility for any HIPAA/HITECH data that you upload (may be found in FAQs on a search for HIPAA).
The cloud companies also state that all documents uploaded will be electronically scanned for anything that would violate their terms and, in cases, will be scanned by human reading. If anyone remembers what happened to two British youths who used slang terms in a private tweet in England having that tweet shown to them by American authorities before they were sent home, my suggestion would be to remember that YOUR uploads may not be as private as one would assume.
In summary, I would strongly suggest that anyone planning on using cloud services outside of their control read the TOS and Privacy Policy carefully and ask questions before committing "secure" data to a public cloud.
@SimonJonesHC I agree. Whilst the Cloud Cube Model is still valid, the article is from 2009 and cloud computing made a huge evolution in between. I recently wrote a new article about "One Size Fits None - How To Assess Security Control Transparency Of Cloud Service Providers": https://www-secure.symantec.com/connect/blogs/one-size-fits-none-how-assess-security-control-transparency-cloud-service-providers
The bottom line here is that you should ask the right questions about operational efficiency and information security before you select your cloud provider.
Even different cloud companies would offer different forms of cloud solutions and it is best to check out what they do and whether it fits your needs before signing right up. Some of these companies even offer a trial account, so you might want to give those a try and see which is a better fit.
Thank you for this information. At our Symantec Vision 2010 conference in Barcelona last week we had a very good session hosted by one of the CSA board members of the Spanish CSA chapter, talking about his experiences of adopting the CSA guidance into his own organisation in his role as Information Security Director. I encourage everyone who is looking for those types of real-life examples to contact the local country or regional chapters of CSA, and attend cloud computing and cloud security events to hear more about best practices and real-world adoptions.
CSO at Zynga & Co-founder of Cloud Security Alliance, Nils Puhlmann will provide an overview of where we are today and what areas of cloud security are actively being worked on in the industry at the third season of Business Technology Summit 2010 in Bangalore. Further, he will discuss the specific risk and threat areas and how they can be mitigated. What other security efforts are underway in the industry to ensure that security is a key part of every cloud offering? For more information log on to btsummit.com