As the business world has grown more familiar with cloud computing and appreciated its flexibility and cost-effectiveness, use of Software-as-a-Service (SaaS) applications such as Microsoft Office 365 and Salesforce.com have skyrocketed. It is important to know how to use any cloud-based service safely. Fortunately, it is not that difficult or different than traditional principles for safe computing.
When considering cloud security, it can be useful to group concepts into two general categories. The most important consideration is what policies are used to govern the cloud service. In a close second place, is the question of what technologies are employed to secure the cloud solution. The policy perspective only trumps the technology perspective in that policies can dictate what criteria the technology must possess, as well as how the technology is secured and used. In this article, we will be primarily be looking at sound security policies and supporting risk management frameworks.
Policies take many forms and can have different intents. For cloud security, policies can be divided into those that an organization chooses to follow and those they are required to follow.
Internal security policies may cover areas such as hardware and software purchasing standards, organizational requirements such as vendor certification, data integrity and disaster recovery plans, security concerns including matters such as password requirements and penetration testing, and user access controls such as the principle of least privilege.
Training on internal policies is essential to ensure everyone understands the risks related to cyber-security and how to safely operate in a cloud environment. Much of this training is the same type of information many of us are familiar with. We have all been taught not to click on email attachments without knowing who they came from and what they are. We know not to share our password with anyone or write it on a sticky note stuck to our monitor. These security training points and all the other best practices for safe computing are just as important when one is working in a cloud (SaaS) environment.
In addition to internal security policies, depending on the industry, there may be various government regulations that need to be followed. There are several standards that specifically apply to systems meant for government use. The following are perhaps the most relevant ones for the United States:
Risk Management Framework (RMF) is a National Institute of Standards and Technology (NIST) guide for managing risk in an organization. An organization therefore is the one to implement these guidelines, and there is no RMF certification of products as such. NIST guidance is commonly applied by public and private organizations and businesses for managing organizational risk and specification of security controls.
Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4) is a security control catalog defining controls that should be applied to a system based on the security impact (categorization – high, moderate, low). While primarily intended for federal systems use, the catalog provides guidance that can be leveraged by any security sensitive organization.
NIST 800-53 is complemented by FedRAMP which defines controls for cloud service providers (CSPs) and hosted applications used by US Federal agencies. FedRAMP compliance is mandatory for many agencies providing a standardized approach to security for the cloud. Other governments have similar cloud compliance programs such as C5 in Germany.
Other industries will often have oversight and regulatory agencies that provide specific guidance and policies for security and risk management. For example, the Federal Energy Regulatory Commission (FERC) also provides security and risk recommendations, assistance, and leadership across the US power system.
As for international standards, the ISO/IEC 27000 family of information security management system (ISMS) standards help keep information assets secure. In particular, ISO 27001 is a risk management framework that can benefit any business or organization.
A risk management framework such as defined by NIST or ISO 27001 provides a solid security foundation. This is often complemented by individual industry policies or regulations. Your own security team, suppliers, and system integrators can offer further guidance on where they contribute to the overall picture. Specifically, for cloud services, all leading providers have security expertise and compliance to the appropriate individual standards listed above.