Security Think Tank: Secure the cloud when negotiating contracts

Misconfigured cloud environments are increasingly identified as the source of damaging data breaches and leaks, raising serious questions for enterprises. Where does responsibility for data security in the cloud lie, and how can security professionals best work with their teams and cloud providers to resolve the problem?

I have previously made the call for getting the security basics right, and those basics apply irrespective of whether we are considering traditional or in-house IT, cloud-based IT or a hybrid mix of the two. Misconfigured IT can be damaging to any enterprise, but the rise in the use of cloud environments has brought with it an increase in damaging data breaches and data leaks.

That raises the question of where, in a cloud or hybrid environment, the responsibility for information security lies. The answer is simple: responsibility lies squarely with the enterprise. But as with anything “simple”, the devil is in the detail.

So what can infosec professionals do to improve the security posture of an enterprise where cloud or hybrid environments are used? The obvious step is to ensure that good communications, working practices and agreed protocols are in place, maintained and used both with the in-house IT team and the cloud suppliers’ IT and infosec teams. These need to be in place not only when systems are in production, but crucially during contract negotiations and the design and implementation phases.

During the contract negotiation phase, it must be remembered that while systems can be outsourced either fully or partially – to cloud services, for example – the legal responsibility for security stays with the enterprise. That includes the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018, but can cover other industry, legal and regulatory requirements. It is during this negotiation phase that infosec professionals must ensure the contract with the cloud supplier, or any supplier of outsourced facilities or services, fully covers off the enterprise’s data security needs.

In previous times, outsourcing contracts were often totally silent on security issues, or where security was mentioned, it was in just one or two terse clauses that, in effect, said, “over to you…”. Today, you need to spell out what is required for the enterprise to comply with its legal, contractual and statutory requirements, and a clause that just says, “… must be ISO 27001 certified…” is not sufficient.

It is instead necessary to spell out which ISO 27001 clauses must be complied with and, where necessary, how. For example: external and internet-based penetration testing weekly, monthly, and so on; internal security testing monthly, quarterly, and so on; change and incident management requirements; security and performance monitoring; reporting requirements; and an annual audit against ISO 27001 with the auditor’s opinion supplied to the enterprise. But this is not an exhaustive list – there will be other requirements depending on the enterprise and its use of external facilities.

Supply chain considerations

During the contract negotiation phase, the security professional must also consider and ensure that any supply chain security requirements are included in the cloud contract. The question here, of course, should be, “can you define supply chain in the context of the cloud?”. Answering that question can open a can of worms, but here is a reasonable scenario that should provide an answer.

“While systems can be outsourced either fully or partially, the legal responsibility for security stays with the enterprise”
Petra Wenham, BCS volunteer

Many cloud providers don’t own their datacentres outright; they instead take space in a data warehouse alongside other cloud and similar providers. A data warehouse will typically provide not just the space, but all the necessary services, such as internet connectivity, heat, light, power, air handling and – crucially – physical site security.

This last part is interesting because guarding will typically itself be outsourced by the data warehouse company. Often, the guarding services will operate any access control systems within the warehouse and control the issue of cards and tokens used to access the building and the various areas within the warehouse building, including the cloud supplier’s area.

The supplier might also have its own reception in the warehouse, and that too could be outsourced. The cloud supplier will inevitably have multiple clients running on its systems and so inter-client security also needs to be taken into consideration.

Do bear in mind that at a minimum there will be a shared network infrastructure, with the added potential of systems from multiple clients operating on the same physical hardware as the cloud supplier, and so using the same virtual machine or hypervisor environment. Don’t forget that the cloud supplier’s own IT team will have privileged access to these environments.

The cloud supplier may also outsource some of its own IT services to other suppliers – for example, penetration and internal security testing. It might also license some of its services, meaning that a third-party company might have access to “their” licensed services for the purpose of maintenance. Those “third parties” could themselves be using cloud services – and not necessarily the same cloud as you.

To summarise, the outsourcing of an enterprise’s IT, in whole or in part, to a cloud supplier means infosec professionals must consider which parts of their IT remain within the direct control of the enterprise, which parts are reliant on the good security of others, and how to ensure that “other” security can be meaningfully covered off in contractual clauses and associated contract schedules and addendums with the cloud supplier.

As part of this process, enterprises will also need to identify and articulate which areas are completely outside of their control. Each of these three areas (under direct control, reliant on others, and completely outside the enterprise’s control) will have its own vulnerabilities and associated risks, and security professionals will need to ensure that the contract with the cloud supplier addresses all of the areas not under the direct control of the enterprise to a level that gives a good degree of confidence that the security posture of the enterprise is as good as is required, given the enterprise’s own risk appetite.
