The Microsoft approach to cloud transparency – Part III

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

Thank you for joining us again for the continuation of the paper I authored for Microsoft about  its approach to security of Cloud offering, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR).

Let me know what you think!

 

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

 

Part III – Privacy

As part of the security risk assessment, a privacy review needs to be considered to ascertain potential risks to the data and operations in the cloud. Today, the notion of privacy goes beyond the traditional description of customer data and extends into organizational privacy, which includes most intellectual property constraints; that is, the

know-how, know-why, and know-when of organizations. As more and more organizations become knowledge-based, the intellectual property values that they generate increase. In fact, intellectual property value is often a significant part of an organization‘s value.

Confidentiality and integrity

Similarly, concerns about confidentiality (who can see the data) and integrity (who can modify the data) are important to include in any evaluation. Generally, the more access points to the data, the more complicated the risk profile creation process. Although many regulatory frameworks focus on confidentiality, others such as Sarbanes-Oxley focus almost exclusively on the integrity of data that is used to produce report financial statements.

Reliability

In many cloud computing environments, the data flow that moves information into and out of the cloud must be considered. Sometimes multiple carriers are involved, and oftentimes access beyond the carrier must be evaluated. For example, a failure at a communications service provider can cause delay and affect the reliability of cloud-based data and services. Any additional service provider must be evaluated and assessed for risk.

Auditing, assurance, and attestation

Many organizations are experienced in traditional application and data deployment activities, such as auditing and assessments. In a cloud deployment, the need for some of these activities becomes even more acute at the same time that the activities themselves become more complex.

Embedded in the cloud concept, and especially in public cloud deployment, is a lack of physical control by the organization that owns the data. Physical controls must be considered to protect the disk drives, the systems, and even the data centers in which data resides. Such considerations also apply to software environments in which cloud services components are deployed.

In addition, obtaining permissions for the purpose of satisfying requirements for resiliency testing, penetration testing, and regular vulnerability scanning can be a challenge in cloud deployments.

It can also be a challenge to address and satisfy requirements for independent validation of controls. Cloud providers are typically reluctant to approve many types of testing in a shared infrastructure because of the impact that testing could have on other customers.

 Frequently, an organization intending to engage in cloud deployment does not

know how to evaluate risks or how to choose a cloud provider that mitigates risks.

 

For certain regulatory frameworks, auditing is a requirement.  Frequently, cloud customers are faced with challenges that threaten or appear to deny the many benefits of cloud adoption and deployment.

 

Join us again next week for Part IV of the Microsoft approach to cloud  transparency.

The Microsoft approach to cloud transparency – Part II

As we mentioned last week, please find here the continuation of the paper I authored for Microsoft about  its approach to security of Cloud offering, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR).

Let me know what you think!

 

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

 

Part II – Cloud assurance challenges

Having a good grasp of risk management is important in today’s information security and privacy landscape.

When working with cloud computing providers such as Windows Azure and cloud-provided services such as Office 365 and Microsoft Dynamics CRM, it is important to understand that risk assessments need to consider the dynamic nature of cloud computing.

An organization needs to consider performing a full-scope risk assessment that looks at several criteria whenever a new initiative is underway. Cloud computing is no different. Some of the more prominent criteria that typically interest organizations that are considering cloud computing deployments are discussed in the following sections.

Security

There are many security dimensions to consider in cloud computing scenarios.

Layers

When evaluating controls in cloud computing, it is important to consider the entire services stack of the cloud service provider. Many different organizations may be involved in providing infrastructure and application services, which increases the risk of misalignment. A disruption of any one layer in the cloud stack, or in the customer- defined last mile of connectivity, could compromise the delivery of the cloud service and have negative impacts. As a result, customers should evaluate how their service provider operates and understand the underlying infrastructure and platforms of the service as well as the actual applications.

Secure data destruction or erasure

Many organizations have policies that require data to be deleted when it is no longer needed, or after a fixed interval. At times, these policies mandate that data deletion be attested to, which may take the form of a statement that the data has been destroyed in a manner that prevents its reconstruction.

Many cloud providers cannot easily attest to such deletion, partially because of the way cloud data is rapidly replicated and relocated on many disk drives, servers, and data centers. Although the assumption may be that such data is overwritten in its “original” or prior location, the possibility frequently exists that a determined forensic process (or attack) could retrieve such data.

Data loss

Cloud computing in its current multi-tenant form is relatively new, and many deploying organizations are concerned with the maturity of the tools used by providers to host and manage their data.

Microsoft stands out from newer entrants to the market because of its experience in related technology platforms (such as Hotmail®, MSN®, and others), as many as twenty years in some cases.

Beyond the typical risk of data loss on disk drives, the existence of additional tools such as hypervisors, virtual machine managers, new operating and storage environments, and rapidly deployed applications introduce additional stability and redundancy factors that must be included in data loss considerations.

 

Thank you for reading this Part II of the Microsoft Approach to Cloud Transparency.  Please join again next week for the continuation, in Part III