With organizations producing -- and responsible for -- more data than ever before, the cloud has proven a viable data management option. But don't expect to just send your data to the provider and be done with it -- cloud computing data security is as much your responsibility as it is theirs.
During sessions on this topic at Compliance Week 2012, held in Washington, D.C., this week, experts said doing your homework on your needs, as well as on cloud providers' business models, is key to ensuring cloud computing data security.
"I think it's a challenge for all organizations just even knowing where all of your information is, and knowing what's sensitive and not sensitive," said David Cass, a senior vice president and CISO at Amsterdam-based publisher Elsevier B.V., during a presentation titled "Integrating Cloud Computing Into Your Data Security Program."
"You want to make sure that you're moving the right data sets to the cloud, and the security controls are going to reflect the sensitivity of the data that you're putting there," Cass said.
Compliance Week 2012 presenters stressed the importance of researching potential cloud providers to get detailed information on their security policies. You can start by asking about the controls they have in place to handle a security incident and what kind of training is required of their security team.
This extends to detailed information about the cloud providers' regulatory and business processes, including plans for business continuity, disaster recovery and encryption. While this sometimes makes for a long, multiyear contract development process, it's much better than the alternative, presenters warned.
"I need to know exactly that these guys know what's going on, because I'm ultimately responsible at the end of the day," Cass said. "Do they have processes and procedures in place to make sure people are not accessing information they should not be seeing?"
Michael Garson, former chief compliance officer and technology control officer at Alcatel-Lucent subsidiary LGS Innovations LLC in Herndon, Va., came up with a mnemonic device for organizations moving to the cloud, and it's easy to remember: C-L-O-U-D-S. Here's how it breaks down:
- C – Collect and understand your data privacy requirements, and know what kind of data you're generating against these requirements.
- L – Look at the cloud providers' infrastructure, policy and procedures to get a roadmap of how they are providing services.
- O – Organize contract clauses to determine how the provider will handle your information.
- U – Ask yourself, "How are YOU going to audit and monitor the cloud provider to ensure it is following the contract?"
- D – Disseminate this information to your personnel, because your employees need to know where information is going and what's needed to protect it.
- S – Become familiar with the cloud provider's strategy around educating its service personnel.
"The biggest thing we had to do was understand how people in their company had access to our information data at rest and data in transit," Garson said. "You've got to be careful with some of those things, and understand, 'How do I handle that risk? And can I handle that risk?'"
Several presenters suggested developing a cloud computing risk assessment when hammering out a contract.
Laurel Geise, chief compliance and information security officer at Santa Ana, Calif.-based CoreLogic Inc., said her organization has an extensive "external cloud risk management process." When a business unit requests to use a cloud provider, CoreLogic employs a cloud computing risk assessment form to gather initial data on the request. The form includes questions such as:
- What is the purpose of using the cloud in this capacity?
- What kind of data do you want to put there?
- What are the risks?
That information is then provided to the IT department, where discussions revolve around which specific controls should be in place.
"We take all of that information, and then the IT group provides us with a risk report where they give us recommendations," Geise said. "I have never seen any report go through that did not have some stipulations of working with that particular provider."
If the cloud plan is ultimately approved by management, it's sent to the information security department to develop an audit plan. The audit team focuses on making sure the stipulations were implemented by the cloud provider, and several audits are scheduled, Geise said.
"I have to report every quarter to the enterprise risk management committee, and I have to report to the audit risk management committee every quarter," Geise said. "They want to see reports on what is going to the cloud, what are the audit plans, what are the stipulations."
It does not end there, however -- continued training and awareness are necessary. Every business line is required to meet with Geise annually to go over the status of its corporate compliance and information security programs. She then reports that information to executives.
"I've found that extremely effective in getting people's attention -- I think it gives our executive management some peace of mind that the business leaders are so engaged in our program," Geise said.
By building the compliance requirements into the cloud provider contract yourself, you can make it more likely that all of your data security and compliance regulation bases are covered.
"You can't outsource your responsibility to meet your requirements," said Christina Ayiotis, an adjunct faculty member in the department of computer science at The George Washington University in Washington, D.C. "You always own the responsibility of complying with what the requirement is."