The Toronto Cloud Business Coalition – a group of more than 60 Canadian experts drawn from the IT management, cloud services provider, channel, academic, VC/corporate finance and consulting communities – has published a new document outlining best practices for managing cloud security risk and for using cloud to improve IT reliability.
Cloud Security, Privacy and Reliability: Essential guidance on how to identify and assess key issues relating to cloud security, privacy and reliability in a business environment was co-created by a working group of six Canadian professionals, spanning multiple critical domains:
Don Sheppard – writer and senior IT consultant at ConCon Management Services and contributor to multiple international standards, including cloud computing
Stefano Tiranardi – long-term security strategy consultant, and now national manager, enterprise security, technical sales and services at Symantec Canada
Chris Vernon – a technical and sales professional with experience in Canada and the UK, he now serves as technical account manager at Symantec Canada
Brandon Kolybaba – entrepreneur, founder and investor in Cloud A, Dynamic Hosting and Cloud Brewery
Ed Dengler – former CEO/CTO of managed security firm eSentire, now startup advisor and board member at CIPS
Sangam Manikkayamiyer – with 17 years of experience in information security and risk, he has designed targeted IT solutions in enterprise security, vulnerability assessment, end-point security enforcement and GRC, and is now principal security specialist at Symantec
Collectively, this group was able to approach cloud security from many different directions, providing commentary from the IaaS provider and security solution expert perspectives, and incorporating views on security frameworks, standards and technologies. As a result, the Cloud Security, Privacy and Reliability best practices document delivers guidance that will help businesses that are adopting or expanding cloud operations to better understand broad issues and requirements in security planning, policy, and implementation, including measures to evaluate the success of cloud deployments.
Where does traditional IT security end and cloud security begin? This question animated much of the Toronto Cloud Business Coalition’s security working group discussion, and framed its output, the recently published TCBC Cloud Security and Reliability Best Practices whitepaper. While many traditional security practices and technologies are also applied in cloud deployments, the group chose to focus only on the risks and resolutions that are unique to cloud, as a means of addressing the TCBC’s primary mandate: education on cloud adoption hurdles to accelerate deployment in Canada. To this end, the whitepaper also examined cloud’s ability to mitigate risk, namely the potential to build system reliability through the use of cloud technologies, in order to better reflect the balance between security challenge and opportunity that cloud computing presents.
While noting that perceptions of cloud security risk are skewed by high-profile accounts of online security breaches, and acknowledging the professional capabilities, certifications and security expertise offered by many cloud service providers, the TCBC working group also pointed to the very real loss of control involved in outsourcing corporate data to third-party organizations, and to a lack of transparency in some provider relationships about how security controls are actually executed, which can introduce regulatory exposure. So although cloud, by its nature or in the service offerings that providers deliver, does not necessarily entail added risk, the working group advised that proper planning, company policy and management of provider relationships must be in place to ensure data and systems remain safe and secure in cloud environments.
A second key question for the working group was which audience within user organizations to address: the technical or the business community? Since multiple constituencies are involved in adoption, including business managers who increasingly control their own technology budgets, the working group aimed in this foundational document to highlight security issues both for the non-technical business manager considering or engaged in cloud deployment and for IT staff who may be technically proficient but less familiar with implementing cloud technologies and with the requirements of provider relationships.
As with all TCBC best practices documents, Cloud Security, Privacy and Reliability opens with a discussion of the business objectives of the technology or practice under review, in this case security technologies and the deployment of cloud to support greater reliability. While the benefits of cloud-based DR are readily grasped by a broad audience, the translation of risk avoidance into business benefit is generally not well understood. Cloud security is rarely viewed as a direct driver of business growth; its absence, however, clearly produces the opposite: increased business vulnerability for the cloud provider that cannot differentiate on security capability, and for the user organization, which may never realize the agility and cost savings that cloud can bring. To raise awareness of the most effective means to realize this benefit, the whitepaper provides best practice guidance on the following topics.
- Cloud security overview
  - A high-level overview of the “prevent, detect and react” security framework, intended to educate senior and middle management within user organizations on security issues related to cloud deployment, on the need to align policy requirements, and on the range of technology solutions available in the marketplace, so as to inform security procurement and safe cloud deployment.
  - The overview also aims to support IT professionals looking to better understand the security issues that are unique to cloud. It provides summaries of specific security technologies and processes that align with the imperatives of the “prevent, detect and react” framework, including data access technologies, identity management (including single sign-on), data encryption, retention cycles, and data management and provisioning.
- Data privacy
  - The processes involved in scoping data privacy requirements, including data retention needs, data residency, and the legislation that may affect them, are examined from both the cloud provider and the cloud user perspective.
- Data portability
  - Corporate strategies for porting data to cloud providers and between clouds are outlined; these take into account the needs of the enterprise as well as those of the small- to medium-sized business. A lifecycle approach to data transport is taken that addresses the user organization’s need to prepare, securely transmit and recover data from the cloud provider.
  - This view of data portability focuses on security technologies such as encryption and VPN that secure transmission in IaaS relationships. But the whitepaper also considers provider SLAs in hosted environments, in SaaS deployments for example, and the need for greater transparency in defining the limits of responsibility for security in cloud networks, and for APIs that ensure the interoperability needed to transport or recover data should this be required.
- Cloud reliability and DR
  - Concepts of reliability, resiliency, high availability, disaster recovery and business continuity may all contribute to the business’s ability to align cloud delivery with user and process needs, but only when these are identified and specified in service delivery agreements. This section of the document identifies key factors that should be considered as the user defines requirements with the provider and builds disaster recovery-as-a-solution, and also describes cloud-enabled DevOps as an approach designed to ensure high availability or to support applications with high redundancy needs.
The Cloud Security, Privacy and Reliability whitepaper concludes with a section on metrics that can be applied to monitor and measure the effectiveness of cloud security activities. Measuring security performance presents a philosophical challenge (can the absence of a thing, a security breach, be quantified as a positive?), but the working group pointed to the development and increasing prevalence of systems that monitor infrastructure and applications and count items such as the number of attacks ‘prevented’ over a given period, the accuracy of threat detection in ‘detect’ activities, or the time to threat remediation in ‘react’ scenarios. Metrics are now understood as the key to shifting perceptions of security from a necessary evil (an expense) to an enabler of business outcomes.
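As an added illustration, not part of the whitepaper or of the coalition’s material, the following Python computes one metric for each of the three imperatives from a small set of constructed event records: attempts blocked per period for ‘prevent’, alert precision and recall against analyst verdicts for ‘detect’, and hours from incident open to close for ‘react’. The record layout, field names, timestamps and verdicts are all assumptions made for this example.

```python
"""'Prevent / detect / react' metrics computed from constructed event records."""
from datetime import datetime, timedelta

# Constructed sample records for illustration; they are not from the whitepaper.
# Each record is (ISO-8601 timestamp, phase, attributes). Phases follow the
# "prevent, detect, react" framework; 'missed' marks a threat found only in a
# post-incident review, which monitoring never alerted on (a false negative).
EVENTS = [
    ("2023-03-01T08:02:11", "prevent", {"control": "waf", "rule": "sqli-01"}),
    ("2023-03-01T09:15:40", "prevent", {"control": "mfa", "rule": "blocked-login"}),
    ("2023-03-02T13:40:05", "prevent", {"control": "waf", "rule": "xss-03"}),
    ("2023-03-01T10:00:00", "detect", {"alert": "A-1", "verdict": "true_positive"}),
    ("2023-03-01T11:30:00", "detect", {"alert": "A-2", "verdict": "false_positive"}),
    ("2023-03-02T02:10:00", "detect", {"alert": "A-3", "verdict": "true_positive"}),
    ("2023-03-02T16:45:00", "detect", {"alert": "A-4", "verdict": "false_positive"}),
    ("2023-03-03T09:00:00", "missed", {"case": "C-1"}),
    ("2023-03-01T10:05:00", "react", {"incident": "INC-1", "state": "opened"}),
    ("2023-03-01T14:05:00", "react", {"incident": "INC-1", "state": "closed"}),
    ("2023-03-02T02:20:00", "react", {"incident": "INC-2", "state": "opened"}),
    ("2023-03-02T12:20:00", "react", {"incident": "INC-2", "state": "closed"}),
    ("2023-03-03T09:30:00", "react", {"incident": "INC-3", "state": "opened"}),  # still open
]


def _ts(s):
    return datetime.fromisoformat(s)


def prevented_count(events, start, end):
    """'Prevent' metric: attempts blocked by a control within [start, end)."""
    s, e = _ts(start), _ts(end)
    return sum(1 for t, phase, _ in events if phase == "prevent" and s <= _ts(t) < e)


def detection_accuracy(events):
    """'Detect' metric: precision and recall of alerts against analyst verdicts.

    precision = TP / (TP + FP); recall = TP / (TP + FN). FN counts 'missed'
    records, so recall is only meaningful if missed threats are actually
    recorded (e.g. from post-incident review); without them it is overstated.
    """
    tp = sum(1 for _, p, a in events if p == "detect" and a["verdict"] == "true_positive")
    fp = sum(1 for _, p, a in events if p == "detect" and a["verdict"] == "false_positive")
    fn = sum(1 for _, p, _a in events if p == "missed")
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def time_to_remediation(events):
    """'React' metric: hours from incident opened to closed, per incident, plus
    the mean over closed incidents. Still-open incidents are listed separately
    rather than dropped, so they cannot silently flatter the average."""
    opened, closed = {}, {}
    for t, phase, a in events:
        if phase != "react":
            continue
        (opened if a["state"] == "opened" else closed)[a["incident"]] = _ts(t)
    hours = {i: (closed[i] - opened[i]) / timedelta(hours=1) for i in opened if i in closed}
    still_open = sorted(i for i in opened if i not in closed)
    mean = sum(hours.values()) / len(hours) if hours else 0.0
    return {"hours": hours, "mean_hours": mean, "open": still_open}


if __name__ == "__main__":
    print("prevented on Mar 1:", prevented_count(EVENTS, "2023-03-01T00:00:00", "2023-03-02T00:00:00"))
    print("detect:", detection_accuracy(EVENTS))
    print("react:", time_to_remediation(EVENTS))
```

Two design points matter in practice. Recall is only as honest as the source of ‘missed’ records: if nobody feeds post-incident findings back into the event store, the ‘detect’ metric degenerates into precision alone and will look better than it is. And an incident that is still open has no remediation time yet, so it is reported in a separate list instead of being dropped from the mean, which would otherwise drift downward as long-running incidents are left out.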
About the whitepaper
The Cloud Security, Privacy and Reliability whitepaper is available immediately to TCBC members through the site’s library. Non-members can purchase individual copies for $995, or can instead consider joining the coalition as individuals or as corporate members.