By Varun Carlay, CISSP, CCSP
One of the top objectives of any government agency or an enterprise is to keep the ubiquitous confidentiality, integrity & availability (CIA) requirements of their agency intact for stakeholders, regulatory bodies and federal agencies. In the event of a data breach, data owners are held responsible and senior management ultimately accountable through the stringent data regulations that are now prevalent in most economies. As major data breach incidents and ransomware attacks continue to make headlines, cybersecurity decision makers must evaluate what kind of security controls and mechanisms a Cloud Service Provider (CSP) should have in place to safeguard assets of significant intrinsic value to the enterprise. So, let’s examine the kind of security controls CSPs should ideally put in place to support confidentiality, integrity, and availability requirements of your sensitive workloads.
Protection design principles for phases of the data life cycle
While it’s imperative to store data securely in cloud, it’s equally important to ensure CSPs adhere to secure design principles at every phase of the data lifecycle. Typical data lifecycles include these phases: create, store, use, share, archive and destroy. For data protection, primarily encryption comes to our rescue and is fundamental requirement to manage workloads in the cloud. Therefore, sensitive workloads need to be encrypted using encryption keys. To manage encryption keys, CSPs must offer key management solutions. You should ideally backup your encryption keys to a hardware security module vault service, with an option to replicate the encryption keys across cloud regions (across geographic locations) to safeguard against major disaster situations causing the entire region to go down. All enterprise grade cloud providers offer services to store encryption keys on highly available and durable hardware security modules (HSMs) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification.
Now, let’s talk about the primary distinction when it comes to data disposal methods. In a legacy environment, the customer has full control over their infrastructure, making follow-on data disposal options quite straightforward. However, in the cloud, customers need to ensure that their CSP follows proven data disposal techniques, like Cryptographic Erasure (Crypto-shredding), and adhere to well-known media sanitization standards like NIST SP 800-88r1 and DoD standards. CSPs should have optimal processes that ensure adherence to compliant data disposal techniques like degaussing decommissioned mechanical hard drives and then physically destroying them with mechanical shredders.
Data Protection - at rest and in transit
You can choose multiple storage options in a public cloud environment depending on your application requirements. All major cloud providers offer high availability SLAs across storage options. Regardless of storage type, data must be encrypted both at rest and in transit. To minimize the risk of accidental or malicious deletion of data, cloud customers need to follow the Principle of Least Privilege which can be rather easily enforced using cloud identity and access management (IAM) – generally a built-in service. Cloud service providers should ideally encrypt all storage block volumes using valid ciphers like AES with 256-bit keys, encrypt data in file storage and in object storage. Securing keys based on NIST’s cryptographic key management recommendations, enforcing default encryption and the use of strong ciphers with adequate key length are among the best defenses against various forms of attack, including insider threats and to alleviate the consequences of ransomware attacks to a significant extent.
Data breach incidents, legal repercussions and penalties
Security is a shared responsibility when you move to cloud, but the dynamics change when it comes to real data breach incidents. In a real-world incident, the data owner or controller (ex: an entity in a government organization or an enterprise) is likely to be held accountable and thus face legal repercussions from regulatory agencies, not necessarily the CSP. This has been the case in several recent ransomware incidents. As a cloud customer – you should ask for data processing agreements (DPAs) and review them against your business requirements. Ideally, CSPs should drive security in the cloud and have default controls in place to enforce and autocorrect misconfigured settings.
Trust but verify: Attestation, accreditation, compliance
As per the Cloud Security Alliance (CSA), the Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents security and privacy controls provided by popular cloud computing offerings. The CSA also developed the Cloud Assessment Initiative Questionnaire (CAIQ), a standard template for CSPs to accurately describe their security practices. You should ideally review your CSP’s CAIQ at the start of a contract and at regular intervals.
Also, as cloud adoption decisions depend largely on your regulatory requirements, check your CSP’s third-party attestations and evaluate how these reports adhere to your compliance requirements. Third-party attestations provide an independent view of security, privacy and compliance controls implemented by the CSP and thus will assist in your compliance reporting. Finally, as a potential cloud customer, would you like to keep investing time and resources maintaining regulatory requirements and preparing for audits or would you rather move your workloads to an environment which is already compliant? Think, Cloud!
For more on tackling governance, risk and compliance (GRC) in the cloud, ISC2 offers a Skill-Builder program to help. For more information, visit: https://www.isc2.org/professional-development/skill-builders/governance-risk-and-compliance