Hosted security services

1 July 2015 Information Security, Security Services & Risk Management

You can’t escape the cloud. Today there isn’t an IT system out there, even when it comes to apps for a mobile device, that doesn’t have some link to cloud computing. Whether it’s storing your details in the cloud, running apps or full applications from the cloud, or even simply backing up your data to a server ‘somewhere’, cloud is it.

In the security industry we’ve seen cloud services appear as hosting solutions, such as hosting your access control at an offsite provider. Remote monitoring is also a cloud service, but there are few organisations in South Africa that offer a fully hosted surveillance operation – the bandwidth and storage requirements would be too great. Not that VSaaS (video surveillance as a service) is all that successful overseas either.

Michael Horn, BU manager: Security, CA Southern Africa.

To give us some more information on the cloud and the associated security issues, Michael Horn, BU manager for security at CA Southern Africa elaborates on being secure out in the great wide Internet.

How secure is your data?

Data in the cloud refers to data while it is being transmitted, stored or processed by a cloud service provider (CSP). Encryption is one of the most effective data protection controls available today. Encryption integrity is based on the technologies and processes governing the cryptographic security services. It is a primary data (and application) protection technique.

For encryption to be useful, encryption keys must be properly managed and protected. The emergence of cloud computing – where critical customer and enterprise data could be held by third-party cloud providers in multi-tenant, shared computing and storage environments – highlights the need to call on encryption as a primary security control.

Storage, movement, and processing of digital information are commonly discussed in terms of ‘Data at Rest,’ ‘Data in Transit,’ and ‘Data in Use.’ The application of encryption mechanisms can similarly be considered for each of these states.

When enterprises and individuals move their data and applications to the cloud, protection of their confidential information, e.g. company secrets, intellectual property and sensitive information such as personally identifiable information (PII), in transit, at rest and in use, is critical. Inappropriate disclosure could damage a data owner’s reputation and financial standing and affect their regulatory and legal compliance obligations.

When cryptography is used to protect valued data, the risk is transferred from the content to the keys. Once encryption has occurred, protection of cryptographic key material becomes paramount.
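As an added illustration of that last point (this is example code written for this page, not code from the article or from CA Southern Africa), the Go program below implements envelope encryption with the standard library only. Each record is encrypted with its own data encryption key (DEK); the DEK is then wrapped with a key encryption key (KEK) that the customer keeps outside the provider, for instance in an HSM or a key management service. What the provider stores is the ciphertext plus the wrapped DEK, which is useless without the KEK, so the residual risk really does sit with the key material rather than the content. The object name, the sample record and the key handling are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is what a cloud provider would hold on the customer's behalf:
// the encrypted data and the wrapped data key, never the KEK itself.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM of the plaintext under the per-object DEK
	WrappedDEK []byte // AES-256-GCM of the DEK under the customer's KEK
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, AAD or ciphertext was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// NewKey returns a fresh 256-bit key from the system CSPRNG.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// Encrypt performs envelope encryption: a fresh DEK per object, wrapped under kek.
// objectID is bound to both layers as AAD so a wrapped DEK cannot be moved to another object.
func Encrypt(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with kek and then decrypts the object with the DEK.
func Decrypt(kek []byte, objectID string, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek, _ := NewKey() // customer-held KEK; in practice from an HSM or KMS, never stored with the data
	record := []byte("id=1001;name=Jane Doe;email=jane@example.com") // constructed sample PII
	obj, err := Encrypt(kek, "customers/1001", record)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "customers/1001", obj)
	fmt.Printf("round trip ok: %v\n", err == nil && string(pt) == string(record))

	// Everything the provider holds, opened without the customer's KEK, is useless.
	otherKey, _ := NewKey()
	_, err = Decrypt(otherKey, "customers/1001", obj)
	fmt.Printf("decrypt without KEK fails: %v\n", err != nil)
}
```

Two design points worth noting. Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every object, which is what makes customer-held keys workable at scale. Binding the object identifier as associated data means a provider-side insider cannot take the wrapped DEK from one record and attach it to another, a check that a plain key-wrap without AAD would not give you.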

Questions to ask

Organisations should be asking CSPs these questions before procuring their services:

• How does the CSP manage network and information security risks related to the cloud service?

• Which security tasks are carried out by the CSP, which type of security incidents are mitigated by the CSP (and which tasks and incidents remain under the responsibility of the customer)?

• How does the cloud service withstand disasters affecting data centres or connections, and which data is backed up where?

• How is security of the cloud service guaranteed when there are legal issues or administrative disputes?

• What practices does the CSP follow to ensure they have trusted personnel?

• How is customer data or processes protected from unauthorised physical and logical access?

• What data encryption and cryptographic management services are supported or supplied by the CSP?

• How does the provider ensure software security, and which software remains the customer’s responsibility?

• How is access to the GUIs and APIs protected, and are there additional measures for administrators and other high-privilege roles (on the customer’s side)?

• How can the customer monitor the service, which logs are kept, and how can they be accessed, for example, when the customer needs to analyse an incident?

• Which standards make the cloud service portable and interoperable?

• How are increases in usage or peaks handled, and what are the corresponding costs?

• Which national legislation applies?

Is it legal under PoPI to store data offshore?

PoPI does not dictate where your customer data should reside geographically; however, you need to be aware of jurisdictional control in the event of a legal dispute. In order to determine which data is PII you will need to classify your data and understand where the data resides and how it flows through your organisation. Not all data needs to be encrypted; your data classification exercise will assist in identifying the PII that requires encryption.

What do we need to do to safely make use of cloud services?

When assessing CSPs, enquire if they are planning on adopting the ISO/IEC 27018 code of practice for the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors.

ISO 27018 is the first international set of privacy controls in the cloud, and Microsoft’s Azure is the first cloud computing platform to adopt ISO 27018.

CSPs adopting ISO/IEC 27018 must operate under five key principles:

• Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.

• Control: Customers have explicit control of how their information is used.

• Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.

• Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.

• Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.

For more information contact CA Southern Africa, +27 (0)11 417 8645, [email protected], www.caafrica.co.za




