Tag Archives: cloud computing

Data Protection and Off Shoring Data

Some thoughts on EU Data Protection Day from Advent IM and Security Institute Director, Mike Gillespie.

Today (Jan 28th) is EU Data Protection Day #DPD2014, and it has sparked some interesting content and discussion on social media so far.

It has also afforded those organisations who bang the drum for Data Protection and Privacy to bang it a little louder and longer, trying to get the attention of those that really need to take heed.

Anyway, the topic of off-shoring services and functions, and the personal data that goes with them, cropped up. As a data subject I ought to be able to expect to be explicitly consulted if my data is going offshore to a country not on the trusted country list. Personal data, according to Principle 8 of the Data Protection Act (1998),

“…shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

Principle 2 states

“Personal Data shall be obtained for only one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”

No organisation should be allowed to hide the intent to offshore personal data in its “small print”, or to decide to offshore personal data without consulting the data subjects. Some companies pay only lip service to this requirement, and data can be shipped around the world to suit the business without the explicit agreement of the data subject.

Bottom line: businesses off-shore services to save money. However, the cost of maintaining data protection and privacy for personal data held offshore is substantial, so guess where the cost is cut? Cheap hosting in non-compliant countries is the cost-saving great hope, it seems. Buying hosting space from a Cloud Broker, for instance, means that data could be shuttled around the world to wherever the space is cheapest if end points have not been specified in the SLA, and let’s face it, if your priority is cheap then I can’t imagine data protection being much of a priority…

The European Data Protection Directive defines consent as:

“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

So we may expect that the individual may signify agreement other than in writing. However, non-communication should not be interpreted as consent. In other words, opt-in, not opt-out…

The problem is that companies can exploit vague language in the law. For instance, personal data should only be processed fairly and lawfully, and for processing to count as ‘fair’ at least one of these six conditions (Schedule 2) must apply:

  • The data subject (the person whose data is stored) has consented (“given their permission”) to the processing;
  • Processing is necessary for the performance of, or commencing, a contract;
  • Processing is required under a legal obligation (other than one stated in the contract);
  • Processing is necessary to protect the vital interests of the data subject;
  • Processing is necessary to carry out any public functions;
  • Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).

So the argument might be that it is OK to offshore because “processing is necessary for the performance of or commencement of a contract, and as I have moved my call centre to (for the sake of argument and only as an example) India, and as my contract requires the provision of a call centre, then my contractual obligation also requires the move of the personal data to India.”

Even when consent is given, it should not be assumed that it lasts forever. Although in most cases consent lasts for as long as the personal data needs to be processed, individuals may withdraw their consent, depending upon the nature of the consent and the circumstances in which the personal information is being collected and used. How many organisations, like supermarkets or banks, offer you this option? Ever had one of those personal injury or PPI calls and asked them to take you off their list, only to be told they can’t delete you because of Data Protection!?

So the Terms and Conditions are where the sneaky stuff hides: clauses that say they reserve the right to have a cavalier attitude to your data (or to move it elsewhere for further, cheaper processing once its initial processing is complete) should they choose, and then label that as your consent…

You can connect with Mike and enjoy further Security Discussions on Linkedin.

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff who meet all their needs, according to the research. A range of issues feed this difficulty, and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they did not have a problem with security staffing.

The remaining 92% identified some key areas for concern that any business should consider, whether or not it thinks it has a security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here that this is not a sustainable solution. It may ‘fill a security role’, but it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

These results show not only that the skill shortage increases risk to business, but that the risk is not simply about architecture and cyber threat; it also includes the prevention of growth and agility. Growth and agility are positive contributions that security can make, and their inclusion as potential risks shows a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. In practice this may show up as a lack of confidence in moving certain functions or activities to the Cloud, or in not instituting Bring Your Own Device (BYOD). It is better not to do these things if you do not know whether they are within your organisation’s Risk Appetite; but if you do not know what that Appetite is, and nobody is sufficiently knowledgeable and skilled to ascertain it and then mitigate the risk where appropriate, the organisation is disadvantaged. It may, for instance, become a less appealing choice for potential new and highly skilled employees in other parts of the organisation, who increasingly expect BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience are becoming a must-have, and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements, for instance, but others are now finding that if they want to grow their business, the onus is on them to prove their security credentials. This pressure is coming from larger organisations, not just public bodies, as they realise how important it is for their supply chain to be resilient. Again, this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent, in terms of what might happen to a business without the appropriate level of security skill, are more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction) that it is being stymied by a lack of high level skills. All of these challenges presuppose the organisation has the budget to be able to employ the skilled person they need.

Physical Security like manned guarding has been on the outsource list for many years, Information Security has not always been viewed the same way.  Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project then the high level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially this may come a lot sooner if there is an opportunity of filling the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing the high level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum.  Outsourcing may be the solution on either a project or buy as you need type basis. It may provide a much more cost effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, being certain of your partner in any outsourcing endeavour is vital, and so is due diligence on potential suppliers. As a rough guide, here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?

Out-sourcing and Risk

Recently we have been reminded frequently about the growth in outsourced services: Computer Weekly’s recent report showed the continued growing appetite for outsourcing across the globe (http://www.computerweekly.com/news/2240151385/Shared-services-take-up-fastest-in-growing-market), and both PwC (http://www.pwc.com/gx/en/information-security-survey/giss.jhtml) and CIF (http://www.cloudindustryforum.org/) have lately demonstrated the growth in these markets. If you are entrusting someone else with your information and information processing facilities, clearly this has implications for your security. But what are they…?

Can you see and understand the whole Risk picture?

Well, first of all, not all arrangements with external parties are equal. Clearly the people hosting your hotel reservation and train fare booking systems are important, but probably not as important as those hosting your critical business systems and client information. Security is a risk-based discipline, and before you start making decisions about which security controls you should and should not put in place you should risk assess the third party. Things to consider include the type and sensitivity of the data, the extent and maturity of the third party’s existing security controls, any legal and regulatory requirements you or your clients must meet, and the impact that losing access to your information and information processing facilities would have.

Any agreement with a third party involving their access to your information and information processing facilities should be comprehensive and (as a minimum) include the physical and logical controls you expect to be maintained around your assets, the requirements you expect of their personnel (if you vet your staff then you might think it pertinent to make sure they vet theirs), incident and weakness reporting procedures to you, their procedures for access to and segregation of your assets, applicable SLAs, and your right to audit them. And once you have entered into an agreement with them, make sure you enforce your right to audit!

If your outsourcing strategy does or may include the use of Cloud based services read our short guide to Cloud security

Cloud post #2 – The Revenge

Use of Cloud services is growing; what do we think about that? Assess the real risks and don’t cloud the security issues.

OK, so there aren’t any actual sharks and the title does have a shameless pun, but this is an addendum, or part 2, to our original Cloud blog post, which you can read here if you haven’t already. (It will open in a new window so you won’t lose your place.)

Reading a survey from CIF last week (here), it’s clear that the number, or at least the percentage, of organisations using Cloud services is increasing. This includes the public sector; perhaps an enlightened reader can tell us how much of that is driven in the UK by G-Cloud.

However, it’s clear that the research term ‘use of Cloud services’ could be a bit misleading. There are variations in service type (Platform, Software and Infrastructure services) and they are not all in growth.

Geographical references beyond ‘Europe’ are not available in the CIF report, which makes it difficult to dig into the cause. However, according to the PwC Global State of Information Security Survey, ‘Government’ respondents (consistent with the increased public sector interest we noted) are over-indexing in uptake of IaaS in particular.

‘Global’ vs. ‘Government’ vs. ‘Europe’ Cloud Service % of organisations taking this service. Source PWC Global State of Information Security 2012

The same source highlights security concerns amongst Cloud users. Referring these back to the points made in our original blog, the security policies of the data’s end location are clearly a very important and sensitive issue: over 30% of respondents flagged this, making it the top security threat in this survey.

One of the other things we highlighted back in January was the ability to be able to audit the data centre where your organisation’s data is held, this also comes through as a concern from Cloud users, including ‘Government’ users.

What is the greatest risk to your Cloud computing strategy? ‘Government’ vs. ‘Global’

Being able to audit where your data goes or is moved to, as well as fixing the end points for moving your data, are very important, as we said back in January. Whether this is achievable through a ‘broker’ style relationship, for instance, is debatable. In those situations the cost model is the driver, so wherever the broker can source capacity is where the data sits or is moved to, and that may not mean all of the data is in the same place either. Specifying end points in a service level agreement may start to push the price up, so it is crucial you understand just what your risk appetite is in terms of what you will allow to happen to your data. Disturbingly, as a footnote to all the security issues highlighted in the PwC data, the CIF survey identified that 1 in 5 respondents were expecting to put their IT security services in the Cloud…
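Fixing the end points contractually is only half the job: you also want a technical control that refuses to put data anywhere else, and a check that tells you when it has happened anyway. The following is an added Python example, not code from the original post or from Advent IM. It shows both halves: a region allow-list expressed in the shape of a cloud provider guardrail policy (the provider and the `aws:RequestedRegion` condition key are an assumption; the post names no provider), a minimal evaluator for that single policy shape, and an audit over a constructed inventory of storage assets. The region codes, asset names and allow-list are made up for illustration.

```python
"""Data-residency guardrail and audit.

Added illustration, not from the original post.  Assumptions: storage
locations are identified by a provider region code, and an allow-list
of region codes stands in for 'a country or territory that ensures an
adequate level of protection' (DPA 1998, Principle 8).  The policy
document mimics an AWS service control policy using the
aws:RequestedRegion condition key; the provider is a choice made here,
not in the post.
"""
import json
from dataclasses import dataclass

# Assumed allow-list: two EEA regions a UK data controller might accept.
APPROVED_REGIONS = frozenset({"eu-west-1", "eu-west-2"})

# Preventive control: deny every action whose target region is off the list.
RESIDENCY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(APPROVED_REGIONS)}
            },
        }
    ],
}


def policy_denies(policy: dict, requested_region: str) -> bool:
    """Minimal evaluator for the one construct the policy above uses
    (Deny + StringNotEquals on aws:RequestedRegion).  Real policy
    evaluation is far richer; this only illustrates the guardrail."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        condition = statement.get("Condition", {}).get("StringNotEquals", {})
        allowed = condition.get("aws:RequestedRegion")
        if allowed is not None and requested_region not in allowed:
            return True
    return False


@dataclass(frozen=True)
class StorageAsset:
    name: str
    region: str
    contains_personal_data: bool


def residency_violations(inventory, approved=APPROVED_REGIONS):
    """Detective control: names of assets holding personal data that sit
    outside the approved regions.  Assets without personal data are not
    in scope of Principle 8 and are ignored."""
    return [
        asset.name
        for asset in inventory
        if asset.contains_personal_data and asset.region not in approved
    ]


# Constructed sample inventory; not real systems or data.
SAMPLE_INVENTORY = [
    StorageAsset("crm-backups", "eu-west-2", True),
    StorageAsset("call-centre-recordings", "ap-south-1", True),
    StorageAsset("public-website-assets", "us-east-1", False),
]

if __name__ == "__main__":
    print(json.dumps(RESIDENCY_POLICY, indent=2))
    for region in ("eu-west-2", "ap-south-1"):
        verdict = "denied" if policy_denies(RESIDENCY_POLICY, region) else "allowed"
        print(f"request to {region}: {verdict}")
    print("residency violations:", residency_violations(SAMPLE_INVENTORY))
```

The policy is the thing you negotiate the right to see (or to impose) in the contract; the inventory audit is the thing you run when you exercise your right to audit, because a broker who can move data to the cheapest region will not tell you unprompted that it has done so.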

The CIF report states “One sign of the immaturity of the cloud market is reflected in terms of contractual process, as barely half (52 per cent) of cloud users negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organisations more likely to do so. This also infers an evolution of the culture that led to the click-thru agreement online more than a business critical supply agreement.”

It’s clear then that organisations need to go into the Cloud with their eyes wide open and armed with a comprehensive Risk Assessment. Whilst it’s easy to label security consultants as Luddites who want to hold back the tide of progress, it is in fact not true. We are realists who want businesses to protect themselves, their clients, their supply chain and their employees, and progress into the future securely.

The safest place to keep your data…”Cloud” or “Train”..?

How will “Cloud” compete with “Train”?

We all know that the Cloud is the place to store all your data, right? We used to think that “Train” was the best place to store our data, and some traditionalists, such as the person who left the Olympic Security plans on “Train”, clearly think it’s still the best data storage option. Of course, there is also “Taxi”, still popular, but you can only get your data to go on a maximum 20 mile round trip, so it’s a bit limited really. Not as limited as “Pub”, though; this is a data storage concept that is still hanging around after all these years.

“I found this on the back seat of a Taxi.”

OK,  joking aside, are businesses and organisations going into the Cloud fully armed with information? If they aren’t, then they may as well stick with Train and Taxi. We have put together a guide to help inform, dispel some myths – as we see them, and give some real clarity and guidance. With sincere thanks to our gifted and expert Consultants.

SC Magazine published an interesting piece just before Christmas on Cloud computing (http://www.scmagazineuk.com/loglogic-the-public-Cloud-will-be-breached-next-year/article/219907/).

Amongst the issues identified in the article were:

  • That Cloud-based infrastructure has a distinctive threat profile (right);
  • That the answer to Cloud security is through compliance and standards (to a degree); and
  • That Cloud service providers should be regulated by an independent body (we don’t agree).

These three assertions are worth some further digging and clarification.

The distinguishing threats relating to Cloud services have been well publicised but here is a quick run-down of our top Cloud-based information security threats:

I.            System Complexity – Public Cloud services offered by providers have a serious underlying complication—subscribing organisations typically share components and resources with other subscribers that are unknown to them. Threats to network and computing infrastructures continue to increase each year and have become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and requires a high level of assurance for the strength of the security mechanisms used for logical separation.

II.            Shared Multi-tenancy – While not unique to Cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of Cloud computing.  An attacker could also pose as a subscriber to exploit vulnerabilities from within the Cloud environment to gain unauthorized access.

III.            The Internet – Applications and data that were previously accessed from within the confines of an organisation’s network, but have moved to the Cloud, must now face increased risk from network threats that were previously defended against at the perimeter of the organisation’s network, and from new threats that target the exposed end-points.

IV.            Compliance – When information crosses borders the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns. Consequently, constraints on the trans-border flow of sensitive data, as well as the requirements on the protection afforded the data, have become the subject of national and regional privacy and security laws and regulations. Among the concerns to be addressed are whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits.

V.            Loss of control – Remote administrative access as the single means of managing the assets of the organisation held in the Cloud also increases risk, compared with a traditional data centre, where administrative access to platforms can be restricted to direct or internal connections.

VI.            Mechanism cracking – With Cloud computing, a task that would take five days to run on a single computer takes only 20 minutes to accomplish on a cluster of 400 virtual machines. Because cryptography is used widely in authentication, data confidentiality and integrity, and other security mechanisms, these mechanisms become, in effect, less effective with the availability of cryptographic key cracking Cloud services. Granted this isn’t just a Cloud based threat – traditional types of system are also possible targets.
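To put numbers on threat VI, here is an added Python example (not from the original post or from Advent IM). It models the worst-case time to brute-force a password keyspace as nodes are added, then shows how a salted, iterated hash (PBKDF2 from the standard library) hands the same multiplier back to the defender. The cluster arithmetic follows the post’s own figures; the per-node guess rate, the 8-character lowercase password policy and the iteration counts are assumptions chosen for illustration.

```python
"""Brute-force cost at cloud scale versus hash work factor.

Added illustration, not from the original post.  The 400-node cluster
and the 'five days on one computer' figure come from the post; the raw
guess rate, password policy and iteration counts are assumptions.
"""
import hashlib
import os
import time

# Assumed password policy: eight lowercase letters.
ALPHABET_SIZE = 26
PASSWORD_LENGTH = 8
# Assumed attacker: 1e9 raw hash guesses per second per node, 400 nodes.
RAW_GUESSES_PER_SECOND = 1e9
CLUSTER_NODES = 400


def keyspace(alphabet_size: int = ALPHABET_SIZE, length: int = PASSWORD_LENGTH) -> int:
    """Number of candidate passwords of a fixed length over one alphabet."""
    return alphabet_size ** length


def cluster_speedup(single_node_seconds: float, nodes: int) -> float:
    """Ideal linear speedup, the assumption behind 'five days on one computer,
    twenty minutes on 400 VMs' (linear scaling actually gives 18 minutes)."""
    return single_node_seconds / nodes


def seconds_to_exhaust(space: int, guesses_per_second_per_node: float,
                       nodes: int, iterations: int = 1) -> float:
    """Worst-case time to try every candidate.  Each PBKDF2 iteration costs the
    attacker one underlying hash, so the work factor divides the effective
    guess rate exactly as extra nodes multiply it."""
    effective_rate = guesses_per_second_per_node * nodes / iterations
    return space / effective_rate


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hashing from the standard library: the defender's lever.
    The per-user salt defeats precomputed tables; the iteration count sets the
    work factor that the cost model above charges the attacker for."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def measured_guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Rough single-core guess rate at a given work factor, measured locally."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2_sha256(b"candidate-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    space = keyspace()
    print(f"keyspace: {space:,} candidates")
    minutes = cluster_speedup(5 * 24 * 3600, CLUSTER_NODES) / 60
    print(f"5 days on one node -> {minutes:.0f} min on {CLUSTER_NODES} nodes")
    for iters in (1, 10_000, 100_000):
        secs = seconds_to_exhaust(space, RAW_GUESSES_PER_SECOND, CLUSTER_NODES, iters)
        print(f"{iters:>7} iterations: exhaust keyspace in {secs / 3600:,.2f} hours")
    rate = measured_guesses_per_second(100_000)
    print(f"this machine, 100k iterations: {rate:.1f} guesses/s per core")
```

The lesson is the one the threat description hints at: the attacker’s 400-fold speedup is linear, and so is the defender’s iteration count, so a work factor chosen to keep pace with cheap rented compute restores the margin that the cluster took away. The same reasoning argues for retiring unsalted, single-pass hashes and for reviewing key lengths and work factors periodically rather than once.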

VII.            Insider Access / Threat – Data processed or stored outside the confines of an organisation, its firewall, and other security controls bring with it an inherent level of risk. The insider security threat is a well-known issue for most organisations and, despite the name, applies as well to outsourced Cloud services. With the Cloud, insider threats go beyond those posed by current or former employees to include contractors, organisational affiliates, and other parties that have received access to an organisation’s networks, systems, and data to carry out or facilitate operations. Incidents may involve various types of fraud, sabotage of information resources, and theft of confidential information. Incidents may also be caused unintentionally—for instance, a bank employee sending out sensitive customer information to the wrong Google mail account.

VIII.            Data Ownership – The organisation’s ownership rights over the data must be firmly established in the service contract to enable a basis for trust. The continuing controversy over privacy and data ownership rights for social networking users illustrates the impact that ambiguous terms can have on the parties involved. Ideally, the contract should state clearly that the organisation retains ownership over all its data; that the Cloud provider acquires no rights or licenses through the agreement to use the data for its own purposes, including intellectual property rights or licenses; and that the Cloud provider does not acquire and may not claim any ownership interest in the data.

IX.            Data Sanitisation – The data sanitisation practices that a Cloud provider implements have obvious implications for security. Sanitisation is the removal of sensitive data from a storage device, including servers, in various situations, such as when a storage device is removed from service or moved elsewhere to be stored. Data sanitisation also applies to backup copies made for recovery and restoration of service, and also residual data remaining upon termination of service. In a Cloud computing environment, data from one subscriber is physically combined with the data of other subscribers, which can complicate matters. For instance, many examples exist of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them.

So what is the answer to these Cloud-based security conundrums? Compliance with information security standards, as Mr Churchward* suggests? Well, in part, is the rather cryptic answer to that one, I think. There are some very good information security standards and control sets out there (COBIT, ISO/IEC27001:2005 and the UK government’s HMG Information Assurance Standards being just some examples). However, every experienced information security professional will know, or have known, at least one organisation for which having the standard is the means as well as the end, and which frustratingly maintains a veneer of information security competency when the assessor arrives for the next audit, while in between audits security is just a byword for inconvenience. So if the sight of a Cloud services provider brandishing a given security certification is not sufficient assurance, what is? We suggest these three steps to Cloud contractual heaven:

  1. The right to audit.  And then do it.  And don’t pick a service provider who is based a 36 hour flight away unless you – and your management – are prepared to send someone to their data centre to do the audit!
  2. Talk to prospective service providers about the threats above.  If they are coy, defensive, or babble techno-speak, make sure you are content to receive the same treatment when you have a query, a business interruption scenario or a concern about your data.
  3. Does the would-be service provider sub-contract out its storage, security, administration or anything else?  The very flexibility of Cloud-based services means your data or responsibility of your data can be syndicated out by your nominal provider in the blink of an eye.  You wouldn’t sub-contract out your office space so readily would you…?

On the point of standards, it is probably worth clarifying a couple of points for the unwary arising from the SC Magazine article:

  • ISO/IEC27001:2005 is the international (not just UK) standard for Information Security Management Systems.  ISO/IEC27002:2005 is the accompanying guidance for the implementation of the security controls listed in Annex A of ISO/IEC27001:2005;
  • Neither ISO/IEC27001:2005 nor ISO/IEC27002:2005 mentions Cloud computing; however, most of the 133 controls are or could be applicable to a Cloud computing environment.  Explicit reference to Cloud services is amongst the proposals for changes to the Standard in the future; and
  • There are already two approved international standards for Cloud-based technology relevant to security (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=53458 and http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59388), though they are definitely for the propeller-heads amongst you!!

And what of Mr Churchward’s* assertion that “we need something externally policed, not self-certified, and a recognised industry body”?  Well, I am not sure we agree insomuch as regulatory, and enforcement bodies already exist for all sorts of activities relating to information security, Cloud-based or otherwise, and it seems an unnecessary burden to introduce another.  Bodies with an interest in maintaining and improving Cloud security include statutory regulators such as the Information Commissioner’s Office (ICO), and indeed the Irish Data Protection Commissioner is currently working with one well-known international Cloud operation (Facebook) to improve their compliance arrangements (http://dataprotection.ie/viewdoc.asp?DocID=1175&m=f).

So to wrap up, we recommend that organisations considering entering in to agreements with Cloud service providers:

  1. Conduct appropriate due diligence before doing so, including a full risk assessment, considering the risks laid out above;
  2. Make sure that they have the right contractual security clauses in place falling out from the risk assessment (e.g. if data sanitisation is a major issue for your organisation, make sure it is robustly referenced in the contract); and
  3. Ensure that your external service providers, including Cloud operators, are part of your audit and assurance programme (this programme should also be risk based – looking at the higher priority areas more frequently and in more depth).

www.advent-IM.co.uk

*LogLogic CEO Guy Churchward – quoted in SC Magazine article