Cloud Security Grows Up
By Kevin Winter, VP & CIO and Brian Javonillo, Senior Associate, Booz Allen Hamilton
Many companies today have established minimum levels of security requirements for their IT environments. CIOs are realizing, though, that those security models don’t translate when IT capabilities move to the Cloud.
"Compliance documents and audits are not a full proof measure of compliance soundness, but they add value by providing visibility into the vendor’s security stance"
Cloud offers innumerable benefits, such as creating economies of scale, streamlining processes, and allowing for anytime, anywhere accessibility. SaaS(Software as a Service) provides enormous flexibility and capability to CIOs today. SaaS providers have changed how IT organizations operate, saving costs and shifting from a capital expenditure model to an operational expenditure model.
As lT leaders outsource these capabilities to SaaS providers,the security of the data they place in a SaaS provider’s environment is also outsourced, yet CIOs remain responsible for the security of their data no matter where it resides. As new SaaS capabilities are utilized, CIOs should take these steps to help ensure the security of their data:
Request a SSAE16 (Statement on Standards for Attestation Engagements No. 16)-
Since utilizing a SaaS can impact a company’s own compliance reporting, it’s important for CIOs to know that the SaaS’ internal compliance controls are up to snuff. Implemented in 2011, SSAE 16 reports have become a guide for service providers’ internal compliance controls and the standard for all service auditors’ reports. Obtaining this report is also less expensive and less time consuming than a CIO having to commission their own audit of the SaaS’ systems.
Request Copies of Other Applicable Security Audits-
Depending on the SaaS that’s used, there may be other audits a CIO can and should request that cover certain types of sensitive information, such as heath and personally identifiable information (e.g. HIPAA, PCI, PII, etc.). If available, obtain them for all the SaaS providers used by the business.
Ensure Master Service Agreements (MSAs) Cover the Right Things-
MSAs should cover indemnification roles and responsibilities, incident response, and notification procedures between the SaaS provider and your organization. Addressing these issues when going into a relationship with a SaaS provider will reduce the risk of addressing these items during and after an incidence occurs.
Compliance documents and audits are not a full proof measure of compliance soundness, but they add value by providing visibility into the vendor’s security stance. If a SaaS vendor is lacking in its responses to the above types of questions, it should raise a warning flag about continuing with that service.
Rethinking Traditional Network Security for the Cloud
Ensuring the security of a SaaS provider is just one piece of the Cloud security puzzle for which CIOs must solve. There may be thousands of SaaS offerings that a business may leverage, but it is likely that a company also builds and maintains its own platforms and applications that are not available via SaaS. This is where Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) come in, giving businesses the capability to extend their data centers and custom applications into multi-tenant Clouds(e.g. Amazon Web Services, Microsoft Azure, Open Stack, etc.). As in SaaS, addressing security requirements in IaaS and PaaS is a critical part of a migration plan to extend an organization’s data center to the cloud.
Over the past 15 years data center security has matured. Many organizations are very effective at monitoring and protecting data based off a network environment that the CIO controls. They are skilled at implementing firewalls, intrusion detection, logging infrastructures, and various other monitoring systems to protect their data centers.
But as the organization extends its data center into the Cloud, its leaders lose control of that network, and the security they expect today. This rings more true when moving into a Cloud, where a network is shared with other, and possibly competing companies in a multi-tenant and multi-Virtual Private Cloud. In this environment, the CIO no longer has autonomy to apply the company’s security design onto the shared Cloud network.
New Products Offer Security in the Cloud
It’s only been in the last two years with the advent of Cloud security networking products and technologies such as Cisco InterCloud Fabric, vArmour, etc., that CIOs have gained more control of the network in the Cloud. Networking and security vendors have taken technologies out of the physical appliances they sell for the data center and virtualized those security offerings, so that now we can use them at a system-level instead of a network-level. So even if the enterprise has moved to a multi-tenant Cloud environment, these products and technologies provide a comparable level of security to that of a traditional data center.
Booz Allen is increasingly leveraging SaaS to deliver resilient and operationally cost effective IT services, and within the last 24 months began using IaaS/PaaS to move Booz Allen-specific IT (non-SaaS offered) into IaaS/PaaS Cloud environments by leveraging these recent advancements in Cloud security products. Doing this provides economies of scale, reduces downtime from system failures, and shortens the time to deliver a new service, and ultimately begins to move more IT costs into that operational expenditure versus capital expenditure model. We’re doing this for ourselves as a firm, and helping our clients do the same, while maintaining compliance with the strict security demands we require, and which our clients demand of us.
Cloud technologies and cyber security capabilities have both been on a hyper innovation curve within the last five years. We’re finally beginning to see Cloud and cyber security capabilities align, allowing enterprise organizations to take advantage of the flexibility of the Cloud, while also relying on the safety of enterprise-class cyber security technologies.