Best Practice for Cloud Security and Privacy

August 2, 2011
Cloud Computing topic of the month

Alan Bennett, vice president, Enterprise Services, Hewlett-Packard South Pacific, delivered the following address at Global Access Partners’ Workshop on Cloud Computing in Sydney on Friday 24 June 2011.

While the hype is overwhelming, it’s worth pointing out that the roadmap towards migrating into the cloud is not straightforward.

There is a range of factors that all organisations have to consider – particularly public sector organisations and those in highly regulated sectors of the economy.

Organisational issues such as non-standardised processes, devolved management of ICT and a high level of investment in legacy systems that are not virtualised, or are impossible to virtualise, are significant inhibitors to migrating to cloud services.
Regulatory and security concerns are also valid considerations – such as whether the security of the cloud provider is auditable and clearly documented, or whether the data or information access provisions of a foreign jurisdiction could apply.
The mission criticality of systems might also make some organisations nervous about cloud delivery models.
Finally, and most importantly, organisations need to weigh up what’s available in the market and whether it suits their business requirements.
Critical to that decision-making process is a consideration of risk.
This chart plots a series of risk factors, both internal and external, against the likelihood of them occurring (frequency) and the potential impact on an organisation’s operations.
This is obviously not something new to cloud – all ICT decision-making needs to factor in risk.
Some of these risks are external factors completely out of your control – like pandemics, natural disasters, power failures or security attacks.
They are, however, things that can be managed through adequate business continuity and disaster recovery measures, and strong security responses.
Internal factors such as compliance risk; human error; plant, hardware or software failure; or planned downtime are things that can be controlled through good processes.
However, in cloud, as in outsourcing, you rely on the processes, procedures and protocols of someone else, and this is where the industry needs to do a lot of work to improve the standards, contractual arrangements and service levels to gain the trust of clients.

There is, however, an increasing range of guidance from industry and government that is helping to assess these risk factors and enabling organisations to make informed choices about cloud.

Within the Australian Government, AGIMO has published its Cloud Strategic Directions Paper and established the Cloud Information Community to share information on cloud across government, both Federal and State.
The Federal Defence Signals Directorate (DSD) has also published 51 considerations for Government agencies to think about as part of their assessment of cloud options.

The considerations focus very heavily on the risks associated with having functions delivered from external providers, under three main topic areas: the availability of data and business functionality; protecting data from unauthorised access by a third party, the vendor’s other customers or rogue vendor employees; and the handling of security incidents.

Other non-cloud-specific standards also come into play, such as the Protective Security Manual from the Attorney-General’s portfolio; ASIO’s processes for certifying physical security; and DSD’s Information Security Manual and its process for certifying secure services such as gateways and hardware.

The United States Government has also established the FedRAMP process to assess and authorise cloud services, and the Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) initiative to seed standards development around cloud for government, and to demonstrate and document use cases for cloud systems in government in order to improve adoption.

Outside of Government use specifically, the Australian Prudential Regulation Authority (APRA) wrote to members of the financial services sector with specific guidance on how its published standards and guides are applicable in the context of cloud.

Interestingly, a lot of APRA’s comments related to similar issues to those raised in the DSD considerations for Government – particularly security, data privacy and data sovereignty issues.

Other regulatory issues that are likely to emerge include the fairness and transparency of contractual terms and conditions; the impact of emissions regulation and carbon pricing; and the application of the Privacy regime.

The industry is also starting to respond with initiatives such as the Cloud Security Alliance and the AIIA Cloud Taskforce, which is looking specifically at addressing privacy and security issues.

As I mentioned on the last slide, earlier this year the DSD published a list of 51 considerations on cloud computing.
A lot of the list boils down to making sure agencies have done their own homework; have ensured the provider has adequate business continuity and security arrangements to meet their requirements; and that the provider is transparent about how and where the service is provisioned.
It is certainly a useful document for government, and the non-government-specific criteria could be a really useful checklist for other industry sectors that have similar concerns around security, the location of the data and the ability to migrate data in-house or to other providers.
We have been actively developing our cloud services offering to Government. This service will be launched next week.
As part of this process I have asked my team to go through the DSD considerations and ensure that we have an adequate and detailed answer for each consideration.
I’m pleased to say that we can adequately address the majority of technical considerations and feel that we would be able to work through some of the other issues as part of the contractual discussion with the client.
In developing our service for Government we have focused on ensuring strict security and privacy controls across all facets of the service, including:
    Providing network access via a DSD-certified gateway;
    Supporting multi-factor authentication and identity management;
    Audited security, both internal and by the client;
    Strict application admin access controls;
    Hosting in a secure data centre environment with strong and standards-compliant physical security measures and security operations centre-led protection measures;
    Data hosted on-shore and managed by local security-cleared personnel; and
    Data encryption and data cleansing measures.
So ultimately for HP, in addressing best practice we have focused on:
    Designing secure and scalable infrastructure hosted out of named secure and government-certified data centres, behind a certified secure gateway;
    Local hosting and local support to meet requirements for data security, privacy and sovereignty;
    Compliance with government requirements and delivering measurable outcomes in regards to energy efficiency and Green IT;
    Service levels for resource deployment, to give clients confidence; and
    Openness and transparency through standard and transparent contract terms and conditions, delivery operations and transaction management, and standardised pricing per server and per terabyte (TB).

foggy, August 2, 2011 at 3:26 pm

    Feeling comfortable about cloud computing

    In this little long article there is lots of material about cloud computing. Thank goodness it is in easy-to-understand words and lingo. I feel particularly comforted reading about the following:

    Providing network access via a DSD certified gateway.

    Audited security both internal and by the client.

    Data encryption and data cleansing measures.

    I wish there were a spatial connectivity with cloud computing that tells you where you are and what the best choices are for your cloud window shopping, according to your already chosen service and other compatible and complementing packages available to go with the provider’s.