Key considerations to minimize the impact of such effects include:
- Extending organizational practices on policies, procedures, and standards used for application development and service provisioning to the cloud and to the design, implementation, testing, use, and monitoring of deployed or engaged services. This also requires implementing audit mechanisms and tools to ensure that organizational practices are followed throughout the system lifecycle.
- Understanding the various types of laws and regulations that impose security and privacy obligations on the organization and that may affect cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.
- Reviewing and assessing the cloud provider’s offerings against the organizational requirements to be met, and ensuring that the contract terms adequately satisfy those requirements.
- Ensuring that the cloud provider’s electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.
- Ensuring that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
- Establishing clear, exclusive ownership rights over data.
- Instituting a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system.
- Continuously monitoring the security state of the information system to support ongoing risk management decisions.
- Understanding the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.
- Ensuring that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.
- Understanding virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assessing the risks they involve for the organization.
- Evaluating the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.
- Taking into consideration the risk of collating organizational data with that of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value.
- Fully understanding and weighing the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.
- Understanding the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensuring that they meet the organization’s continuity and contingency planning requirements.
- Ensuring that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.
- Understanding the contract provisions and procedures for incident response and ensuring that they meet the requirements of the organization.
- Ensuring that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.
- Ensuring that the organization can respond to incidents in a coordinated fashion with the cloud provider.
These considerations should be made when planning, reviewing, negotiating, or initiating a public cloud service outsourcing arrangement.