This post is a summary of the guidance provided in version 3 of the Cloud Security Alliance document Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. The CSA guidance remains one of the best around providing actionable security guidance for businesses adopting a multi-tenant cloud service environment.
Overall document summary:
- The Cloud Security guidance document is organized into 14 domains.
- The 14 cloud security domains are Cloud Architecture, Governance and Enterprise Risk Management, Legal: Contracts and Electronic Discovery, Compliance and Audit, Information Management and Data Security, Portability and Interoperability, Traditional Security, Business Continuity and Disaster Recovery, Data Center Operations, Incident Response, Notification and Remediation, Application Security, Encryption and Key Management, Identity and Access Management, Virtualization, and Security as a Service
- The different cloud deployment models are: private, public, community, or hybrid models
- Assets that need security in the cloud fall in two categories: Data or Applications/functions/processes. Parts or all assets can move to the cloud or live in your own data center.
- Hosting options could include internal (on-premise), external (dedicated or shared cloud infrastucture), or combined (e.g. data can live on-prem while application can move to the cloud).
- Assess the CIA (Confidentiality, Integrity, Availability) requirements for the asset and how the risk varies if part or the entire asset moves to the cloud.
- In summary, know the assets moving to the cloud, determine your risk tolerance, and figure out the acceptable cloud deployment and service models
Domain 1: Cloud Computing Architecture Framework
This domain provides the conceptual architecture framework for the rest of cloud security guidance in other domains.
- Cloud Computing definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.
- NIST Special Publication 500-292 on Cloud Computing Reference Architecture is a great reference resource.
- Six essential characteristics of cloud computing are: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling, and Multi-Tenancy.
- Broad network access is defined as a capability that is available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDA’s) as well as other traditional or cloud-based software services.
- Rapid elasticity is defined as the capability that can be rapidly and elastically provisioned — in some cases automatically — to quickly scale out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
- Measured service is when Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, or active user accounts)
- On-demand self-service is a capability where a consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically without requiring human interaction with a service provider.
- Resource pooling is when the provider’s computing resources are pooled to serve multiple consumers using a multitenant model with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
- Multi-Tenancy is defined as usage of same resources or application by multiple consumers that may belong to the same organization or different organization. These services leverage shared infrastructure, data, metadata, services, and applications across many different consumers. This characteristic defines the security need for policy-driven enforcement, segmentation, isolation, and governance.
- The three cloud service models are: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS. These three are often referred to as the “SPI model” which refers to Software, Platform, or Infrastructure (as a Service) respectively.
- Infrastucture as a Service (IaaS): The IaaS model delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking. Rather than purchasing servers, software, data-center space, or network equipment, clients instead buy those resources as a fully outsourced service.
- Amazon’s AWS EC2 infrastructure as a service offering, as an example, includes vendor responsibility for security up to the hypervisor, meaning they can only address security controls such as physical security, environmental security, and virtualization security. The consumer, in turn, is responsible for security controls that relate to the IT system (instance) including the operating system, applications, and data.
- The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
- Software as a service (SaaS): The SaaS model is sometimes referred to as “on-demand software”, a software delivery model in which software and its associated data are hosted centrally (typically in the (Internet) cloud) and are typically accessed by users using a thin client, normally using a web browser over the Internet.
- The inverse is true for Salesforce.com’s customer resource management (CRM) SaaS offering. Because Salesforce.com provides the entire “stack,” the provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data. This alleviates much of the consumer’s direct operational responsibility.
- The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities with the possible exception of limited user-specific application configuration settings.
- Platform as a service (PaaS): The PaaS model is the delivery of a computing platform and solution stack as a service. PaaS offerings facilitate deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities. This provides all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet.
- The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
- Infrastucture as a Service (IaaS): The IaaS model delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking. Rather than purchasing servers, software, data-center space, or network equipment, clients instead buy those resources as a fully outsourced service.
- The four cloud deployment models are: Public, Private, Hybrid, and Community
- Public cloud: In this model, the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Private Cloud: In this model, the cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.
- Community Cloud: In this model, the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations).
- Hybrid Cloud: In this model, the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
- A key consideration of the model is the physical location of assets, resources, and information; but also by whom they are being consumed; and who is responsible for their governance, security, and compliance with policies and standards.
- The key takeaway for security architecture is that the lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves. The ability to comply with any requirement (regulatory or otherwise) is a direct result of the service and deployment model utilized and the design, deployment, and management of the resources in scope.
- An organization’s security posture is characterized by the maturity, effectiveness, and completeness of the risk-adjusted security controls implemented. These controls are implemented in one or more layers ranging from the facilities (physical security), to the network infrastructure (network security), to the IT systems (system security), all the way to the information and applications (application security). Additionally, controls are implemented at the people and process levels, such as separation of duties and change management, respectively. Following are some sample security controls:
- Application security controls: SDLC, Binary analysis, Scanners, web application firewalls, transactional security
- Information security controls: DLP, CMF, database activity monitoring, encryption
- Management security controls: GRC, IAM, VA/VM, patch management, configuration management, monitoring
- Network security controls: NIDS/NIPS, firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
- Trusted computing security controls: Hardware and Software RoT and APIs
- Compute & Storage controls: Host-based firewalls, HIDS/HIPS, Integrity & file/log management, encryption, masking, tokenization
- Physical security controls: Physical plant security, CCTV, Guards
- NIST Special Publication 800-53 Revision 4 is an excellent reference for additional security and privacy controls
Domain 2: Cloud Governance & Enterprise Risk Management
In cloud computing, an important security consideration is the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance.
- Advantages of Cloud Computing to an enterprise:
- Optimized resource utilization
- Cost savings for cloud computing tenants
- Transitioning of capital expenses
- (CAPEX) to operating expenses (OPEX)
- Dynamic scalability of IT power for clients
- Shortened life cycle development of new applications or deployments
- Shortened time requirements for new business implementation
- For many cloud deployments, a major element of governance will be the agreement between provider and customer. Security departments should be engaged during the establishment of Service Level Agreements (SLA’s) and contractual obligations to ensure that security requirements are contractually enforceable
- Projects like Cloud Audit or CSA STAR are excellent resources for more standardized governance methods for cloud computing
- Corporate governance is defined as the set of processes, technologies, customs, policies, laws, and institutions affecting the way an enterprise is directed, administered or controlled. The five basic principles of corporate governance are the following:
- Auditing supply chains
- Board and management structure and process
- Corporate responsibility and compliance
- Financial transparency and information disclosure
- Ownership structure and exercise of control rights
- Enterprise Risk Management (ERM): While every business faces uncertainity, if an organization can measure, manage, and mitigate that uncertainity, it can manage risk while creating opportunities for the organization and support its strategies and achieving its objectives. Specific to risk management and cloud computing, an organization has four choices:
- Risk Avoidance—exiting the activities giving rise to risk
- Risk Reduction—taking action to reduce the likelihood or impact related to the risk
- Risk Sharing or insurance—transferring or sharing a portion of the risk to finance it
- Risk Acceptance—no action is taken due to a cost/benefit decision
- Information Risk Management is defined as the process of identifying and understanding exposure to risk and capability of managing it, aligned with the risk appetite and tolerance of the data owner.
- Risk management is naturally a balancing process with the goal not necessarily to minimize uncertainty or variation, but rather the goal of maximizing value in line with risk appetite and strategy.
- When assessing a Cloud Provider, access their supply chain (service provider relationships and dependencies) to the extent possible. Assessment of third party service providers:
- should specifically target the provider’s incident management, business continuity and disaster recovery policies, and processes and procedures
- should include review of co-location and back-up facilities
- should include review of the provider’s internal assessments of conformance to its own policies and procedures and assessment of the provider’s metrics to provide reasonable information regarding the performance and effectiveness of its controls in these areas.
- should include Incident information that can be specified in contracts, SLAs, or other joint agreements, and can be communicated automatically or periodically, directly into reporting systems or delivered to key personnel.
- Adopt metrics to measure risk management performance (e.g., Security Content Automation Protocol (SCAP) , Cybersecurity Information Exchange Framework (CYBEX), or GRC-XML Risk and Control Taxonomy).
- Due to the on-demand provisioning and multi-tenant aspects of cloud computing, traditional forms of audit and assessment may not be available or may be modified. For example, some providers restrict vulnerability assessments and penetration testing, while others limit availability of audit logs and activity monitoring. If these are required per your internal policies, you may need to seek alternative assessment options, specific contractual exceptions, or an alternative provider better aligned with your risk management requirements.
Domain 3: Legal Issues, Contracts, and Electronic Discovery
This section provides general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery under Western litigation.
- Numerous laws, regulations, and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems.
- For Asia Pacific region, it is based on the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD), and the Asia Pacific Economic Cooperation’s (APEC) Privacy Framework.
- For Europe, member states follow principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 European Union ePrivacy Directive 2002/58/EC (as amended in 2009)
- Japan has the Personal Information Protection Act
- Organizations in the United States can be subject to security and privacy rules under the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PCI DSS applies to payment card data. Other regulations could include Children’s Online Privacy Protection Act of 1998 (“COPPA”), and any applications orders issued by the FTC. Local state laws like MA and CA laws could apply as well.
- Many countries have adopted data protection laws that follow the European Union model which states that the data controller (typically the entity that has the primary relationship with an individual) remains responsible for the collection and processing of personal data, even when third parties process the data. The data controller is required to ensure that any third party processing personal data on its behalf takes adequate technical and organizational security measures to safeguard the data.
- Contractual obligations: Even if a specific activity is not regulated, companies may have a contractual obligation to protect the personal information of their clients, contacts or employees, to ensure that the data are not used for secondary uses, and are not disclosed to third parties. This obligation may stem, for example, from the Terms and Conditions and Privacy Statement that a company post on its website.
- Data stewarship: Alternately, the company may have entered into contracts (such as service agreements) with its customers, in which it has made specific commitments to protect the data (personal data or company data), limit their use, ensure their security, use encryption, etc.
- Cross-border data transfers: Many laws, throughout the world, prohibit or restrict the transfer of information out of the country. It is important for a cloud user to know where the personal data of its employees, clients, and others will be located, so that it can address the specific restrictions that foreign data protection laws may impose.
- The nature of an organization’s business might be such that any relinquishment of control over the company data is restricted by law or creates serious security concerns and in-turn may prohibit the usage of cloud computing services.
- Cloud Audit and Cloud Trust Protocol are two mechanisms to automate monitoring and testing of cloud supply chains.
- Cloud service providers and their clients must carefully plan how they will be able to identify all documents that pertain to a case in order to be able to fulfill the stringent requirements imposed by the E-Discovery provisions of the Federal Rules of Civil Procedure, and the State equivalents to these laws.
Domain 4: Compliance and Audit Management
Delivering, measuring, and communicating compliance with a multitude of regulations across multiple jurisdictions is one of the largest challenges. Customers and providers alike need to understand and appreciate the differences and implications on existing compliance and audit standards, processes, and practices.
- A cloud consumer can be challenged to show auditors that the organization is in compliance. Understanding the interaction of cloud computing and the regulatory environment is a key component of any cloud strategy.
- Corporate Governance is defined as the balance of control between stakeholders, directors and managers of an organization providing consistent management, cohesive application of policies, guidance and controls, and enabling effective decision-making
- Enterprise Risk Management is defined as the methods and processes (framework) used by organizations to balance decisionmaking based on identifying particular events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress to protect and create value for their stakeholders
- Compliance and Audit Assurance is defined as awareness and adherence to corporate obligations (e.g., corporate social responsibility, ethics, applicable laws, regulations, contracts, strategies and policies) by assessing the state of compliance, assessing the risks and potential costs of non-compliance against the costs to achieve compliance, and hence prioritize, fund, and initiate any corrective actions deemed necessary
- Compliance can be defined as the awareness and adherence to obligations (e.g., corporate social responsibility, applicable laws, ethical guidelines), including the assessment and prioritization of corrective actions deemed necessary and appropriate.
- In general, compliance is focused on aligning with external requirements (e.g., law, regulation, industry standards) while governance is focused on aligning with internal requirements (e.g., board decisions, corporate policy).
- Many organizations use a maturity model (e.g., CMM, PTQM) as a framework for analyzing process effectiveness. In some cases, a more statistical approach to risk management is adopted (e.g., Basel and Solvency accords for financial services) and as the field matures more specialized models for risk can be adopted as appropriate for the function or line of business. For cloud, these practices will need to be revised and enhanced.
- Determine how existing compliance requirements will be impacted by the use of cloud services, for each workload (i.e., set of applications and data), in particular as they relate to information security. As with any outsourced solution, organizations need to understand which of their cloud partners are and should be processing regulated information. Examples of impacted policies and procedures include activity reporting, logging, data retention, incident response, controls testing, and privacy policies.
- Understand the contractual responsibilities of each party. Particularly important is chained requirements and obligations – not just the customer to their direct cloud provider, but between the end customer and the provider’s cloud provider.
- For enterprises, request the cloud Provider’s SSAE 16 SOC2 or ISAE 3402 Type 2 report. These will provide a recognizable starting point of reference for auditors and assessors. The SSAE 16 is the auditing standard to supercedes the previous SAS 70 report. Both SSAE 16 and ISAE 3402 have two kinds of reports: type I which documents the ‘snapshot’ of the org’s controls while type II documents it over a period of time (typically 6 months).
Domain 5: Information Management and Data Security
As companies transition to cloud computing, the traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multi-tenancy, new physical and logical architectures, and abstracted controls require new data security strategies.
- Infrastructure as a Service (IaaS) for public or private cloud, generally includes the following storage options:
- Raw storage: This includes the physical media where data is stored. May be mapped for direct access in certain private cloud configurations.
- Volume storage: This includes volumes attached to IaaS instances, typically as a virtual hard drive. Volumes often use data dispersion to support resiliency and security.
- Object storage: Object storage is sometimes referred to as file storage. Rather than a virtual hard drive, object storage is more like a file share accessed via API’s or web interface.
- Content Delivery Network: Content is stored in object storage, which is then distributed to multiple geographically distributed nodes to improve Internet consumption speeds.
- Platform as a Service (PaaS) provides a very wide range of storage options:
- Database as a Service. A multitenant database architecture that is directly consumable as a service. Users consume the database via APIs or direct SQL calls, depending on the offering. Each customer’s data is segregated and isolated from other tenants. Databases may be relational, flat, or any other common structure.
- Hadoop/MapReduce/Big Data as a Service. Big Data is data whose large scale, broad distribution, heterogeneity, and currency/timeliness require the use of new technical architectures and analytics. Hadoop and other Big Data applications may be offered as a cloud platform. Data is typically stored in Object Storage or another distributed file system. Data typically needs to be close to the processing environment, and may be moved temporally as needed for processing.
- Application storage. Application storage includes any storage options built into a PaaS application platform and consumable via API’s that doesn’t fall into other storage categories.
- Platform as a Service (PaaS) consumes and relies on a wide range of storage options:
- Databases: Information and content may be directly stored in the database (as text or binary objects) or as files referenced by the database. The database itself may be a collection of IaaS instances sharing common back-end storage.
- Object/File Storage: Files or other data are stored in object storage, but only accessed via the PaaS API.
- Volume Storage: Data may be stored in IaaS volumes attached to instances dedicated to providing the PaaS service.
- Software as a Service (SaaS) storage is always accessed via a web-based user interface or client/server application. SaaS may provide:
- Information Storage and Management. Data is entered into the system via the web interface and stored within the SaaS application (usually a back-end database). Some SaaS services offer data set upload options, or PaaS API’s.
- Content/File Storage. File-based content is stored within the SaaS application (e.g., reports, image files, documents) and made accessible via the web-based user interface.
- Software as a Service (SaaS) may consume the following:
- Databases. Like PaaS, a large number of SaaS services rely on database back-ends, even for file storage.
- Object/File Storage. Files or other data are stored in object storage, but only accessed via the SaaS application.
- Volume Storage. Data may be stored in IaaS volumes attached to instances dedicated to providing the SaaS service.
- Information Dispersion or Data Dispersion is a technique that uses data fragmentation to improve data security. In a fragmentation scheme, a file f is split into n fragments; all of these are signed and distributed to n remote servers. The user then can reconstruct f by accessing m arbitrarily chosen fragments. An adversary has to compromise m cloud nodes in order to retrieve m fragments of the file f, and then has to break the encryption mechanism being used. Such algorithms are called Information Dispersal Algorithms (IDA).
- Understand who can access the data in the cloud and how can they access it (device and channel). This includes the functions of View/access the data, including creating, copying, file transfers, dissemination, and other exchanges of information
- Identify the functions that can be performed with the data, by a given actor (person or system) and a particular location. Map who can access, who can process (perform a transaction on the data: update it; use it in a business processing transaction), and who can store it (hold the data in a file, database, etc.).
- Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM) controls. When large datasets are pulled, monitoring for such behavior can help manage unapproved data moving to cloud services.
- Monitor for data moving to the cloud with URL filtering (web content security gateways) and Data Loss Prevention (DLP). URL filtering allows you to monitor (and prevent) users connecting to unauthorized cloud services. For example, the user can allow corporate private data to go to an approved cloud service but block the same content from migrating to an unapproved service.
- The following are encryption options for protecting sensitive data in a cloud environment
|Cloud Service Model
|Security Risks mitigated
|Infrastructure as a Service (IaaS)
|Volume storage encryption
|1. Protects volumes from snapshot cloning/exposure
2. Protects volumes from being explored by the cloud provider (and private cloud admins)
3. Protects volumes from being exposed by physical loss of drives (more for compliance than a real-world security issue)
|1. Instance-managed encryption: The encryption engine runs within the instance, and the key is stored in the volume but protected by a passphrase or keypair
2. Externally managed encryption: The encryption engine runs in the instance, but the keys are managed externally and issued to the instance on request.
3. Proxy encryption: In this model, the volume is connected to a special instance or appliance/software, and then connects your instance to the encryption instance. The proxy handles all crypto operations and may keep keys either onboard or external.
|Object storage encryption
|Protects against many of the same risks as volume storage. It also allows implementation of Virtual Private Storage (VPS), which allows only those with encryption keys to read the data.
|1. File/Folder encryption and Enterprise Digital Rights Management. Use standard file/folder encryption tools or EDRM to encrypt the data before placing in object storage.
2. Client/Application encryption. When object storage is used as the back-end for an application (including mobile applications), encrypt the data using an encryption engine embedded in the application or client.
3. Proxy encryption. Data passes through an encryption proxy before being sent to object storage.
|Platform as a Service (PaaS)
|1. Client/application encryption. Data is encrypted in the PaaS application or the client accessing the platform. When using application encryption, keys should be stored external to the application whenever possible.
2. Database encryption. Data is encrypted in the database using encryption built in and supported by the database platform.
3. Proxy encryption. Data passes through an encryption proxy before being sent to the platform.
4. Other. Additional options may include API’s built into the platform, external encryption services, and other variations
|Software as a Service (SaaS)
|It is recommended to use per-customer keys when possible to better enforce multi-tenancy isolation. If encryption is needed for SaaS, try to identify a provider that offers native encryption. Use proxy encryption if that isn’t available and /or trust levels must be assured.
1. Provider-managed encryption. Data is encrypted in the SaaS application and generally managed by the provider.
2. Proxy encryption. Data passes through an encryption proxy before being sent to the SaaS application.
Domain 6: Interoperability and Portability
Interoperability and Portability allows you to scale a service across multiple disparate providers on a global scale and have that system operate and appear as one system. At the other end, Interoperability and Portability allows the easy movement of data and applications from one platform to another, or from one service provider to another.
- In a cloud computing eco-system the components may well come from different sources, both cloud and traditional, public and private cloud implementations (known as hybrid-cloud). Interoperability mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems.
- The degree to which interoperability can be achieved or maintained when considering a cloud project often will depend on the degree to which a cloud provider uses open, or published, architectures and standard protocols and standard API’s. Though many vendors claim of “open” and “standards based” cloud provisionioning, there are propriety hooks and extensions (e.g. Eucalyptus) and enhancements that can impede both interoperability and portability.
- Portability defines the ease of ability to which application components are moved and reused elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data, or API’s.
- Moving services to the cloud is a form of outsourcing; the golden rule of outsourcing is “understand up-front and plan for how to exit the contract”. Portability (and to an extent interoperability) should therefore be a key criterion of any organizations strategy to move into cloud services, allowing for a viable exit strategy to be developed.
- The following are the interoperability recommendations:
- Hardware – Physical Computer Hardware: Whenever possible, use virtualization to remove many hardware level concerns
- Physical Network Devices: To maintain interoperability the Network physical hardware and network & security abstraction should be in virtual domain. As far as possible API’s should have the same functionally.
- Virtualization: Using open virtualization formats such as Distributed Management Task Force OVF to help ensure interoperability. The reason is that distinct differences exist between common hypervisors (such as ZEN, VMware and others).
- Frameworks: Use open and published API’s to ensure the broadest support for interoperability between components and to facilitate migrating applications and data should changing a service provider become necessary.
- When possible, use platform components with a standard syntax, open API’s, and open standards, e.g. Open Cloud Computing Interface (OCCI)
- Storage: Store unstructured data in an established portable format. Assess the need for encryption for the data in transit. Check for compatible database systems and assess conversion requirements if needed.
- Perform regular data extractions and backups to a format that is usable without the SaaS provider for example.
- Security: The following are important items to consider for interoperable security in a cloud environment:
- Use SAML or WS-Security for authentication so the controls can be interoperable with other standards-based systems.
- Developing internal IAM system to support SAML assertions and internal system to accept SAML will aid future portability of system to the cloud.
- Encrypting data before it is placed into the cloud will ensure that it cannot be accessed inappropriately within cloud environments
- Encryption keys should be escrowed locally, and when possible maintained locally
- When encryption keys are in use, investigate how and where keys are stored to ensure access to existing encrypted data is retained.
- Understand your responsibilities and liabilities should a compromise occur due to unanticipated “gaps” in protection methods offered by your service provider.
- Log file information should be handled with the same level of security as all other data moving to the cloud.
Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
An effective traditional security program flows from a well-developed series of risk assessments, vulnerability analysis, BCP/DR policies, processes, and procedures that are reviewed and tested on a regular basis.