Businesses small, medium and large have all at some point considered the possibility and eligibility of moving to either a hybrid or full Cloud model. Adopting this approach has obvious business benefits – not only around cost, but also the greater flexibility in terms of data and application and information accessibility. A cloud business strategy and model allows you to work literally anywhere, and not be tied to a connection or desk in the office in order to obtain the information you need to perform the duties that your role dictates. The cloud also provides a number of access mechanisms with a wide range of acceptable platforms a user can leverage as a base to reach the applications and data they require.
However, the move to cloud, whilst appealing from the cost and flexibility perspective, is not entirely as clear cut as one would imagine. There are inevitable questions concerning security, disaster recovery, business continuity, ownership, regulatory requirements around where data must reside, encryption of data at rest and in transit, governance, and last but no means least, GDPR
Cloud adoption should factor in stability, security, and compliance
An excellent example of the potential downsides to a full cloud adoption from the security and performance perspective is the incident where IPM (Internet Performance Management) specialist Dyn was hit with a major DDoS attack that crippled major brands attached to it’s managed DNS infrastructure. The scale of the attack was at first limited to the East coast POPs, with the West coast remaining functional. However, this appeared to be nothing short of a test – a “first pass”, if you will. A company with an infrastructure the size of Dyn will always have their fair share of targeted DDoS attacks on a daily (if not hourly basis). However, this particular attack raised the bar in terms of capabilities owing to the sheer volume and scale.
A second attack was launched shortly afterwards. Now global in origin, it began impacting the West coast, adding significant delays to internet sites such as amazon and twitter to name a few. A third attack was launched, but evidently suppressed and terminated very quickly. Dyn reported that the attack was extremely sophisticated, involving a number of different vectors. The campaign enlisted tens of millions of ip addresses with a significant portion originating from devices infected with the Mirai botnet.
Curiously, webcams from Chinese electronics company Hangzhou Xiongmai appeared to have made up a significant portion of the hardware involved, and the impacted company swiftly begun the process of recalling equipment using its components that were leveraged in the attack. The company further denied that their cameras and associated technology accounted for a considerable portion of the devices used in the attack, and with the realisation that any infected IoT hardware could be used in a similar fashion, this claim could be seen as unfair and unjustified. However, with the quantity of customers that Hangzhou Xiongmai supplies components to, this is not beyond the realms of possibility.
Taking into account the scale of this attack, what are the downsides and ultimately, consequences of full cloud adoption ? If anything, this incident creates something of a showcase – the cloud is in fact volatile and vulnerable at any given point in time, and security is not guaranteed. It also highlights the fact that any potential incidents occurring in future can dramatically impact your platform and business model – even if you are not the chosen target of the attack. DDoS mitigation services can offer protection for your physically connected internet circuits and associated equipment, but this does not extend to infrastructure as a service that is outside of your control. Classic examples of this type of scenario are AWS and Azure.
Impact on cloud usage from the regulatory perspective
Moving to a cloud based environment is by no means a concept that should be immediately dismissed without validation, but it does need to be approached with caution, and carefully planned. For the business continuity side alone, it is a major coup in terms of the ability to be up and running again in a short space of time should an incident be declared – ranging from force majeure to more human factors such as transport strikes, or events that require physical intervention or area evacuation. Even an event such as building power failure would not be sufficient to fully derail a business that has its infrastructure in the cloud - the non geographical nature and associated capability of data centres and telco providers would mean that both of these business critical features could be placed anywhere from the virtual perspective. To the outside world, it’s business as usual.
So what’s stopping you from moving everything to the cloud if the benefits outweigh the risk ?
There are a number of prerequisites. Dependent on your business model and market (finance, for example) there may be a number of regulatory and compliance mandates that could either prevent the move completely, or mean that any potential cloud solution would need to be tailored to factor in and accommodate these requirements – both from an operational and security perspective. The resting place of data (think GDPR here) can also be a major factor in deciding which solution to leverage from a cloud provider, and if the legal requirement in terms of data location cannot be met, any potential proposal could fall at the first hurdle. Such an example of situations like this is Luxembourg, where the data location is dictated by jurisdiction and regulatory law.
Clearly, any business looking to adopt cloud technology would need to replicate the services that are in scope, and initiate the UAT processes. At the same time, legal and compliance should be engaged, and be consulted during the decision making process. Their input is essential at an early stage to determine the regulatory and legal requirements. Should any questions arise concerning these two areas, the answers can be obtained and mandatory criteria met whilst any proof of concept testing is running in an isolated environment.
Due diligence is essential during the discovery process
Due Diligence is an important step in the right direction when it comes to choosing a cloud provider. The purpose of this exercise is to evaluate best practices and key controls from an audit standpoint, and ensure that these align with your current business processes and objectives. Part of the Due Diligence process should be to verify that the cloud vendor is able to secure data, demonstrate and execute Cloud Security controls, and meet the scope of services that the interested party is looking to fulfill - in most cases, SOC 1 - 3 compliance is no longer “desirable”, but essential. The intended purpose of Due Diligence is to obtain assurance and evidence of key controls from a vendor before you engage in any further activity, so choosing the right partner is an important first step in the cloud process. The inevitable stumbling block related to Due Diligence when dealing with the larger vendors such as AWS and Azure is that they rarely entertain direct visits – unless your planned budget and spend warrants “special treatment”. Instead, they provide a wide array of published compliance and control materials (such as white papers) that cite their best practices, security model, and how their processes will secure your business interests, intellectual property, and other information.
Document reviews, proof of concept and a trial period are proven ways to gain as much insight into how a cloud vendor operates as possible. Each one of these exercises is key to mitigating the underlying risk to your organisation. As with everything else related to technology and exposed to the internet, moving your data to the cloud will invariably introduce an element of risk. It’s important that the required or relevant controls are examined, with a full risk assessment performed around the security and integrity of the data considered to be in scope. In some cases, it may be necessary to involve external counsel, which could delay any planned move if the migration of data without the necessary regulatory approval has not been obtained.
Can your compliance and regulatory needs can be met ?
As part of the Due Diligence process, organisations should review the certifications presented by cloud providers. As an example, AWS publishes a risk and compliance document that describes its approach to risk management practices and cloud security controls. Dependant on your requirements, AWS also provides certification evidence in accordance with ISO 9001, HIPAA, and PCIDSS standards. It also provides other certification that may be in scope for your specific requirements. However, be aware that certain technologies and interfaces provided by AWS may not covered – here is a list of what is covered along with the aligned frameworks.
During the analysis, ensure that particular attention is paid to which services your compliance requirement applies to. As an example, services from AWS such as EC2, S3 and Redshift are certified for use with data subject to HIPAA controls, but not all service offerings meet this specific criteria. If your organisation does not fall into the health sector, then HIPAA as a compliance standard would not apply. The same can be applied to PCIDSS – if you are not processing credit card payments or other transaction based information, then this would not fit into your control requirements from an audit perspective.
Governance is not simply “set and forget”
The remaining item is governance. This is a hugely important part of the control process around securing data that is held remotely – particularly that which is stored in multi-tenant environments. Is important to remember that governance isn’t actually a product, but an ongoing process of scheduled reviews to ensure that the relevant processes are being followed and the service still provides the required level of compliance and control from the risk perspective.
An excellent example of governance can be found here courtesy of the Cloud Security Alliance. Below is taken from their website, which is a superb resource that I would encourage anyone looking for guidance on governance and controls to read.
As a framework, the CSA CCM provides organisations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasising business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardised security and operational risk management, and seeks to normalise security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
The topics of compliance, and governance should be on the radar for anyone looking to move from a traditionally physical data centre to AWS or Azure from the cloud computing perspective. Not only do you need to ensure that your data and intellectual property is secured, but you also need to be aware of the potential regulatory requirements and associated controls that may be applicable to your data dependant on location and jurisdiction. You'll notice that I have only “mentioned” GDPR in this article. This is intentional - this topic deserves an article of its own owing to the complexity and level of work required in order to achieve certified compliance.