Security in the Cloud What nonprofits and libraries need to know to secure their online data Richard S. Collins - October 15, 2010 Security remains one of the biggest concerns with moving to the cloud. Understand the biggest threats in the cloud and get tips for assessing cloud provider security. Editor's note: Themes in this article are based on the 176-page whitepaper, Security Guidance for Critical Areas of Focus in Cloud Computing (PDF), which was published by the Cloud Security Alliance. "Nine out of 10 cloud computing users remain concerned about cloud security, yet 77% of businesses already use some form of cloud computing."Those findings come from a survey conducted by Harris Interactive for Novell, which asked 210 IT professionals — ranging from managers to CEOs — at organizations with more than 1,000 employees about their company's adoption of cloud computing.Security remains to be one of the largest concerns when considering a move of a system or application to the Internet, or the "cloud." In the TechSoup Global Cloud Computing Survey, 45% of respondents reported that data security concerns were a barrier to adopting a cloud-based system or application in their organization. Cloud security concerns are the essentially the same for nonprofits as for commercial enterprises. However, nonprofits may have fewer resources internally to manage and support both IT and cloud security. One big difference is that nonprofits and small-to-medium businesses may be too small to have leverage to negotiate with service providers like larger entities do. The City of Los Angeles moved to cloud services and was able to negotiate with Google to ensure a favorable contract this past year. For a small nonprofit, that's not as likely to be the case.Mapping Your Cloud Security RequirementsThere are currently three different levels or models of "cloud" usage, starting with the lowest-level of security burden to the greatest: software as a service (SaaS), platform as a service, and infrastructure as a service. Each of these models has different security implications that should be mapped to your requirements. And each provider of these services will likely have different security standards, processes, and systems, so it's important to do some research before selecting your cloud providers.Many organizations are already using SaaS and relying on the third-party service providers to cover more areas of security. For a smaller organization with no IT infrastructure in-house, this may be ideal since the offerings from the third-party provider are likely to be more secure than what they could provide on their own. If you are working with infrastructure service offerings or platform as a service, for example, more of the security burden needs to be handled and maintained by the organization directly. In other words, the higher the level of service in the cloud, the more security the consumer is responsible for implementing and managing on their own.Assessing Cloud Providers and SecurityWhen evaluating your move into the cloud, you should assess the providers you're considering. The factors you might want to compare include examining their supply chain; how they manage incidents and requests for service; and what policies, processes, and procedures they have in place for disaster recovery. Your assessment should also include whether they meet any compliance standards that apply to your organization. For example, if you house sensitive client data that includes records about their medical history, then you may be limited as to which cloud providers comply with regulations like the Health Insurance Portability and Accountability Act. Read more about HIPAA-compliance in this article, In Search of HIPAA-Compliant Software, where you can learn whether it applies to your organization.Make sure that you identify your critical data assets and discuss possible risk scenarios and plans to ensure that they're secure and accessible in an emergency. It's important to evaluate how they back up your data and how you can move your applications around.Operationally, it's good to include considerations about business continuity and disaster recovery plans for your systems and applications. Here are some more considerations when assessing any cloud provider:Look at backup plans and recovery time expectations carefully. For example, if they lose power at their datacenter, do they have backup power generators or do they house a backup of your data at a different site so it can be accessible to you in an emergency? If they need to recover your data, what's their estimated timeline to do so?It is important to understand how applications are compartmentalized and resources are distributed across the customer base and how this might impact you. What is included in the provider's technical response plan as well as their communications and legal response planning?What are the roles, responsibilities, and expectations between the provider and customer during an incident or emergency?What tools are in place to keep your data secure, prevent loss, and recover it in an emergency?How will your cloud service provider ensure encryption and key management is done in a multi-tenant environment to protect your data from a threat on another organization's data housed on the same servers as yours?How is the data stored and disposed of?Datacenter operations are often hard to evaluate because cloud providers are trying to manage many clients in a cost-effective way. As the end user, you need to ask the right questions to ensure that security concerns are addressed.Governance and Risk ManagementWhen looking at cloud solutions, organizations also need to consider governance and risk management.It's important to scrutinize the third-party providers' security capabilities and practices as well as their defined roles and responsibilities. Collaboration between your organization and the provider is essential. If possible, your IT or security department staff should be engaged with the provider during service-level agreement and contract negotiations to ensure security requirements are discussed and included. Any metrics and standards to measure performance and effectiveness can be included in the service-level agreements, especially around compliance and contract transparency. The provider should have processes to look at legal and electronic requirements for data management.Biggest Threats in the CloudThere are some great support organizations for cloud security available. One such organization is the Cloud Security Alliance (CSA).Formed in 2008 and 2009, the Cloud Security Alliance (CSA) is a nonprofit organization formed to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing. The CSA provides guidance by framing the critical areas of focus to highlight areas of concern for cloud computing.In addition to providing guidance for cloud security, the CSA has defined the top threats in the cloud: Threat #1: Abuse and Nefarious Use of Cloud Computing. Anonymity in the Internet allows bad guys to attack. Spammers, key crackers, those hosting malicious data, botnets, captcha solving farms, and other abusers make for a variety of potential attacks threatening cloud solutions. Threat #2: Insecure Interfaces and APIs. Security for basic APIs needs to be in place. Authentication and access controls, encryption, and activity monitoring should be in place. Threat #3: Malicious Insiders. 70% of all IT breaches are inside jobs. How are cloud employees vetted and what level of access that they have to your data and information? How are employees monitored and managed. Threat #4: Shared Technology Issues. Virtualization and multi-tenancy computing open up great opportunities for inexpensive cloud expansion, but they need segregation and compartmentalization so applications remain safe from problems that may occur in other virtual instances. Threat #5: Data Loss or Leakage. Strong authorization and audit, proper encryption practices and key management, datacenter reliability, and proper data disposal and disaster recovery, will help protect your data from loss or leakage. Threat #6: Account or Service Hijacking. Phishing, fraud, and exploitation of vulnerabilities can be taken advantage of to hijack accounts or services. Protect credentials, install two-factor authentication, and monitor proactively in order to help prevent exploitation. Threat #7: Unknown Risk Profile. Proactive thinking and planning of "what-ifs" will help you prepare for secure cloud computing. Will version controls, code updates, security practices, and other needs be manageable internally? If not, are your third-party providers prepared to do all these things to provide for your security?ConclusionBy understanding your security concerns and needs up front, you can find a cloud provider to meet them and minimize your security risks. Make sure your provider offers transparent communications on their security measures and that your contracts address all of your concerns before moving any critical data to the cloud.Using the cloud can enhance your ability to secure your systems, by leveraging the capabilities of cloud service providers. You can improve your data protection, monitoring, incident response, and physical and logical security protections, but it is ultimately your organization's responsibility to understand the threats to your systems and ensure that the security controls needed are being put into place – whether on your own or through a cloud provider.Additional Cloud Security Resources TechSoup's Security Corner CloudSecurity.org Cloud Security: The Basics Cloud Computing Security Threats Come from InsideLearn more about cloud computing for your nonprofit or library on TechSoup's cloud page. This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.