7 ways to tackle private cloud security concerns

Deepa

Steve Hodgkinson, research director IT - Asia/Pacific, Ovum

The key is to apply well-proven, traditional ICT security and management techniques:

1. Negotiate the contract terms to ensure that legal and regulatory obligations are adequately delegated to the cloud service provider.

2. Agree and monitor the service level agreement to ensure that the service will meet business requirements for reliability and performance.

3. Analyse and define information categories and be clear about which categories of data can, and cannot, be stored in a cloud service and how adequate information security and privacy protections will be implemented. This may include encryption of some or all data both in-transit and at rest.

4. Negotiate a ‘pre-nuptial agreement’ to clarify ‘who owns what’ with regard to data, metadata, service logs etc., and the terms around what will happen if the service is terminated: how will data be recovered? This may include periodic local data replication.

5. Develop, implement and test a ‘Plan B’ which will be put in place in the event that the cloud service fails or is interrupted. This may include the creation of an emergency application to enable locally replicated data to be used as a business continuity option.

6. Define processes for protecting the integrity and security of the applications and information and train in-house staff in their use. Monitor compliance.

7. Select trustworthy enterprise-grade cloud service providers that can demonstrate adequate quality and audit certifications such as SOC 2, ISAE 3402, ISO 27001, VeriSign, SysTrust, SafeHarbour etc.

SOC 2 is an audit standard for data center operations. It arises from the ‘Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization’, defined by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations.

Within the SSAE 16 audit framework there are a range of reporting and compliance requirements. The most relevant for data center operations are the Service Organisation Controls (SOC) reports. A SOC 1 report is restricted to controls relevant to an audit of a user entity's financial statements. SOC 2 and SOC 3 reports address controls relevant to operations and compliance.

SOC 2 creates a more rigorous external assessment than the previous self-attestation of the SAS 70 auditing standard. Under SOC 2 an external audit practitioner is engaged to examine and report on a service organization's controls over one or more of the following five Trust Services Principles:

- The security of a service organization's system.

- The availability of a service organization's system.

- The processing integrity of a service organization's system.

- The confidentiality of the information that the service organization's system processes or maintains for user entities.

- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.

ISAE 3402, the International Standard on Assurance Engagements (ISAE) No. 3402, ‘Assurance Reports on Controls at a Service Organization’, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 provides an international assurance standard to allow accountants and auditors to issue a report on the internal controls at a service organization that are relevant to financial reporting.

PCI DSS: the Payment Card Industry (PCI) Security Standards Council defines standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help service providers ensure the safe handling of cardholder information. The PCI Data Security Standard (PCI DSS) provides a framework for the payment card data security process, including prevention, detection and appropriate reaction to security incidents.

ISO 27001 is an information security management system standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 ‘Information technology - Security techniques - Information security management systems - Requirements’. The standard requires that the organization:

- Systematically examines its information security risks - threats, vulnerabilities, and impacts

- Designs and implements a coherent and comprehensive suite of information security controls and risk mitigations, and

- Adopts management processes to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

The standard provides a basis against which a service provider's information security management processes and controls can be formally assessed by an external party to assure compliance.