In February 2011, Adrian Davis, the principal research analyst at the Information Security Forum (ISF), announced to the audience at the (ISC)2 Leadership Conference what he believed were the seven deadly sins of cloud computing.
What are the Seven Deadly Sins?
Davis' presentation was based on a report by the ISF, entitled “Driving out the seven deadly sins of cloud computing.” While the ISF recognizes the advantages offered by cloud computing, namely reducing operational costs and increasing efficiency, cloud services can also expose an organization to information security risks, as well as threats to the confidentiality, integrity and availability of an organization's data. Although many organizations may be moving to the cloud in order to expand their IT infrastructure without a large up-front investment, the ISF cautions decision makers to at least allow some consideration for information security investments.
According to Steve Durbin, the Global VP of ISF, “While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications. With users signing up to new cloud services daily – often ‘under the radar’ – it’s vital that organizations ensure their business is protected and not exposed to threats to information security, integrity, availability and confidentiality. As our report makes clear, we recommend that cloud service providers are treated like other external suppliers, such as an outsourcer or offshore provider, and should be covered by the same form of contract.”
The ISF's “seven deadly sins” of cloud computing apply to small and large organizations alike, as well as across the entire supply chain. They should be absolutely avoided when implementing cloud services. These “sins” are outlined below:
1. Ignorance – This is characterized as little or no management knowledge or approval of cloud computing. In many cases, few employees are aware that their organizations have adopted cloud computing. Sometimes, IT departments are unaware that cloud computing is being implemented at all. According to the ISF, it is essential to know that the organization has moved to the cloud, as well as the implications this will have on the business. Uncontrolled implementation of cloud computing without consideration of the risks that come along with it is a dangerous practice.
2. Ambiguity – This refers to ambiguity regarding contracts. For instance, contracts may be agreed upon without authorization, review or even defining security requirements. This may result in cloud services being implemented without identifying the risks, or without identifying or specifying the identities of all parties in the contract.
3. Doubt – Doubt arises when there is little or no assurance of the service provider's information security arrangements. If an organization is unable to audit their cloud service provider, then it is difficult to determine that all elements of the contract are being upheld. This may also include poor assessment, monitoring and reporting of the provider's security arrangements.
4. Trespass – This is the failure to consider the legality of placing data in the cloud. By storing data in the cloud, organizations may fail to consider privacy legislation, or data controller obligations. It is important for organizations to examine all the laws that could apply to the cloud service agreement. Organizations should consider geographical issues and identify which laws and regulations they are complying with and which they would be breaking. They should also be able to demonstrate that trespassing is not happening.
5. Disorder – This is the failure to ensure appropriate management of the classification, storage and destruction of data. Often, data is placed in the cloud solely because it is convenient and cost-effective, without the proper consideration for its sensitivity or criticality. As a result, inappropriate data is placed on service providers' systems without formalized access control procedures.
6. Conceit – This refers to the belief that the organization's infrastructure is ready to move to the cloud, when it isn't. This may be the case if enterprise-wide infrastructure is insufficient to support the secure use of cloud services. For instance, the organization lacks a corporate security architecture for cloud services, or there is no consistent approach to identity and access management (IAM).
7. Complacency – This is the assumption that cloud services are available on a 24/7 basis. However, experience tells us that a number of incidents can and do cause service outages. Critical services may be put at risk if an organization depends on a single network, especially if the cloud service provider lacks business continuity or disaster recovery plans.
According to Davis, “None of these sins are anyone’s fault. Organizations are making these mistakes every day, not the techies. People need to stop and think. They see the advantages and the promises [of cloud computing] – they don’t look at risk equations.”
The ISF's report also outlines strategies for dealing with the “sins” of cloud computing. These recommendations are briefly sketched out below:
1. Ignorance – Organizations should implement a purchasing policy that includes an information security risk assessment. Organizations should also introduce systems to automatically detect cloud service deployments.
2. Ambiguity – Organizations entering into contracts with cloud service providers need to be familiar with their terms and conditions and keep a copy of the end user license agreement (EULA).
3. Doubt – The ISF recommends that cloud service providers offer details regarding their information security architecture, security model, security testing, certifications and information security audits.
4. Trespass – Organizations ought to specify approved storage locations, and arrange for specific data protection controls that are aligned with privacy legislation.
5. Disorder – Organizations need to understand how the data they place in the cloud is being stored, backed up and destroyed. Before data is moved to the cloud, it needs to be classified and assessed. Data control procedures should be matched with the level of assurance the organization requires.
6. Conceit – An organization's corporate security architecture for cloud services must outline usage, integration with services (e.g. identity and access management) and security features (e.g. encryption).
7. Complacency – The business continuity and disaster recovery plans of the cloud service provider should satisfy the needs of the organization. Organizations should also consider the implications of eDiscovery requests on availability and confidentiality of data. Alternative arrangements should be outlined, if necessary.
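Two of the recommendations above, automatically detecting cloud service deployments (Ignorance) and checking that data is placed only in approved storage locations (Trespass), are the ones most easily turned into a routine control. The following Python script is an added example, not code from the ISF report or from this article: it parses a few constructed web-proxy log lines, treats uploads as evidence that data is being placed with a service, and compares each destination against a constructed service inventory and a constructed policy of approved providers and regions. All hostnames, regions and log lines are invented for illustration.

```python
"""Added example (not from the ISF report or the article): a small
shadow-cloud detector run over constructed web-proxy log lines.

Uploads to hosts absent from the service inventory are reported as
unknown cloud services (Ignorance). Uploads to known services are checked
against the approved providers and approved storage regions (Trespass).
"""

import re
from collections import defaultdict

# Constructed proxy log lines (squid-like layout, assumed format):
# timestamp client_ip method host status bytes
PROXY_LOG = """\
1298851200.001 10.1.4.22 PUT files.example-cloud-eu.test 200 52428800
1298851201.150 10.1.4.22 GET mail.example-corp.test 200 1024
1298851202.310 10.1.7.9 PUT bucket.example-storage-us.test 200 1048576
1298851203.500 10.1.7.9 PUT api.unknown-saas.test 201 4096
1298851204.020 10.1.9.3 POST sync.example-cloud-eu.test 200 2048
"""

# Constructed inventory of known cloud services: host -> (provider, region).
# In practice this comes from the purchasing/contract register.
KNOWN_SERVICES = {
    "files.example-cloud-eu.test": ("ExampleCloud", "EU"),
    "sync.example-cloud-eu.test": ("ExampleCloud", "EU"),
    "bucket.example-storage-us.test": ("ExampleStorage", "US"),
}

# Constructed policy: providers whose contracts have been reviewed, and
# the only storage regions in which data may reside.
APPROVED_PROVIDERS = {"ExampleCloud"}
APPROVED_REGIONS = {"EU"}

# Methods taken as evidence that data is being sent to the service.
UPLOAD_METHODS = {"PUT", "POST"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def find_shadow_cloud(records):
    """Return findings keyed by host.

    Each finding is a (kind, detail, bytes) tuple where kind is one of
    'unknown_service', 'unapproved_provider' or 'unapproved_region'.
    """
    findings = defaultdict(list)
    for rec in records:
        if rec["method"] not in UPLOAD_METHODS:
            continue  # reads/downloads are not data placement
        host = rec["host"]
        if host not in KNOWN_SERVICES:
            # Ignorance: data leaving to a service nobody has registered
            findings[host].append(("unknown_service", rec["client"], rec["bytes"]))
            continue
        provider, region = KNOWN_SERVICES[host]
        if provider not in APPROVED_PROVIDERS:
            findings[host].append(("unapproved_provider", provider, rec["bytes"]))
        if region not in APPROVED_REGIONS:
            # Trespass: storage location outside the approved jurisdictions
            findings[host].append(("unapproved_region", region, rec["bytes"]))
    return dict(findings)


def bytes_per_host(findings):
    """Total uploaded bytes per flagged host, for prioritising review."""
    return {host: sum(b for _, _, b in items) for host, items in findings.items()}


if __name__ == "__main__":
    found = find_shadow_cloud(parse_proxy_log(PROXY_LOG))
    for host, items in found.items():
        for kind, detail, size in items:
            print(f"{host}: {kind} ({detail}), {size} bytes")
```

Running the script flags `api.unknown-saas.test` as an unknown service and `bucket.example-storage-us.test` both for an unapproved provider and for storage in the US region, while uploads to the approved EU provider produce no finding. A real deployment would feed the findings into the purchasing and risk-assessment process rather than print them, and would refresh the inventory from the contract register so that newly approved providers stop being flagged.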
What is the ISF?
Founded in 1989, the ISF is an independent, not-for-profit association of over three hundred organizations. It is involved in investigating, clarifying and resolving major information security issues. ISF members share in-depth knowledge and experience from their organizations, as well as through a research and work program. Through the ISF's confidential framework and forum, members are able to develop and implement cutting-edge information security strategies. The ISF is member-owned and operates democratically, being governed by an elected council and an executive body of members.
This article looks at the “seven deadly sins” of cloud computing, as identified by the Information Security Forum (ISF). These “sins” represent a framework for strategic and secure implementation of cloud computing solutions that consider the risks as well as the benefits of moving to the cloud. The “seven deadly sins,” are as follows: ignorance, ambiguity, doubt, trespass, disorder, conceit and complacency. This article defines each of the “sins” and describes some examples of each. Strategies for avoiding these downfalls are also briefly covered in the article.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
– Contract Enforceability (Domain 3)
– eDiscovery Considerations (Domain 3)
– Jurisdictions & Data Locations (Domain 3)
– Compliance Analysis Requirements (Domain 4)
– Business Continuity Management/Disaster Recovery (Domain 7)
– Recommended Provider Tools & Capabilities (Domain 9)
– Key Management Best Practices (Domain 11)