CLOUD COMPUTING
Cloud computing - A question of trust
Catherine Everett
Computer Fraud & Security, June 2009

Both the Jericho Forum and the newly-established Cloud Security Alliance (CSA) have grabbed many a headline lately in their respective attempts to assuage some of the widespread information security concerns around cloud computing. The question is, are such initiatives enough?

The multifarious risks posed by the new IT delivery model, ranging from a potential lack of awareness of where data is held to possible insider threats and vendor lock-in, have been well documented. One of the key promises of cloud is the speed and ease with which organisations can temporarily access additional compute resources if required – so-called ‘cloud-bursting’. However, there is a tension between this and the need for due diligence via mechanisms such as auditing, which inevitably take time.

Whether data owners purchase $150 worth of processing capacity for the day or spend millions of dollars on a five-year IT outsourcing contract, they still have ultimate responsibility for their corporate information. And it is they that will be held to account if things go wrong and they find themselves in breach of the current morass of legislation and regulations in this area.

But while such considerations are currently acting as a brake on cloud adoption among large enterprises beyond a few commodity services such as email security or departmental CRM, the same is not necessarily true of small to medium-sized businesses, which are often less aware of the risks.
The need for assurance
Nonetheless, as Gerry O’Neill, chief executive of the Institute of Information Security Professionals (IISP), points out: “It only takes a couple of incidents to undermine confidence. So you have to ask – where does the assurance come from? That’s key – a fundamental building block.”

But today there is little such assurance. Instead, what there are, are various frameworks for defining cloud models and for helping organisations to ask the right questions. The CSA, for example, has produced its Security Guidance for Critical Areas of Focus in Cloud Computing.[1] The 84-page document, which was produced in about four months by around 60 expert contributors, is intended to provide security practitioners with guidelines for discussing issues such as risk management, portability and disaster recovery with their suppliers.

The goal, indicates Nils Puhlmann, co-founder of the CSA and chief security officer at Qualys, which provides hosted vulnerability management and policy compliance services, is first to offer “education and second, transparency”. “You can’t ask providers to make all information public as it’s anti-competitive and unfair. But you can ask what things are expected and what should be made transparent. If you have that, you can ask vendors to show you evidence of what they’re doing in x or y area. It’s about risk awareness,” he says.

The next step for the CSA is to have working groups focusing on hot-button topics such as identity management generate more detailed recommendations. These will be fed into version 2.0 of its document - a graphics-based report providing guidance that can be used not only by customers but also by vendors as to what should be included in their offerings.
Secure business-to-business collaboration
The Jericho Forum, on the other hand, has devised a cloud cube model, which defines different flavours of cloud and raises issues that organisations should think about if wishing to exploit them. Its ultimate aim, however, is to move the debate beyond the current focus on one-to-one cloud vendor-to-customer relationships and on to secure business-to-business collaboration. This means finding ways to ensure that providers can pass data securely and seamlessly between themselves in order to process a given task from end to end.

Andrew Yeomans, a member of the Jericho Forum’s board of management, says: “There’s a subtle difference in architecture, but for most cloud providers, it’s not the end game.”

As a result, much work still needs to be done around developing suitable identity and authorisation controls as well as open and interchangeable file formats for secure data exchange – the latter area being one in which the Open Group standards body is currently working.

Another tack that one of the Jericho Forum’s working groups is taking, however, is to devise self-assessment criteria for vendors to evaluate whether their offerings, which include cloud, match the organisation’s de-perimeterisation and collaboration-oriented architecture framework specifications. Due to the risk of dishonesty inherent in self-assessment exercises, however, when the checklist is released later this year, feedback mechanisms will be put in place under which any bogus claims may be challenged.

But the guidelines are also expected to be employed by user organisations when writing their requests for proposals, in a move Yeomans believes will break “the deadlock between suppliers saying ‘users haven’t asked for it’ and users saying ‘you didn’t have it so we couldn’t ask’”. They could likewise form the basis of proposals for industry standards and be passed on to relevant bodies for ratification.
Formal accreditation
What Yeomans is less certain of, however, is whether such self-certification activity is likely to develop into a more formal accreditation process. “We’re trying to steer a delicate line as we’re not an accreditation body. But you could hand it off to a third party, although it’s difficult to find someone suitable, or you could take the criteria and do it as a paid-for service,” he says.

The Jericho Forum and the CSA have not yet produced a single joint document, although the two are currently discussing possible areas in which they could collaborate.

But opinion is mixed as to whether a formal accreditation process would actually provide large organisations in particular with the assurance required to participate seriously in the cloud world. The CSA and Qualys’ Puhlmann, for example, is against such a move as he believes it would stifle industry innovation. “If you look at the business model of cloud computing, what drives it is creativity. Many vendors will try and offer things that are currently unimaginable, but trying to squeeze all that into one standard is very difficult and standards around security haven’t worked very well in the past,” he says.

But other industry players disagree. Paul Dorey, chair of the IISP and director of the Security Faculty, which provides training and development services for chief security officers, believes there will come a time when cloud services will need to have “some kind of accreditation stamp”.
Accreditation in three spheres
This security-based accreditation would cover three key areas – technology, personnel and operations. Although there is precious little around at the moment, technology standards in key areas such as identity and authentication are likely to be driven by organisations such as the Jericho Forum, before being ratified by established bodies such as ISO.
On the people side, the IISP has already come up with mechanisms for the formal accreditation of security professionals, while the operations element has workable solutions available too. This part of the equation could be tackled by tweaking ISO 27001 and using it as the default measurement standard within the framework of Statement on Auditing Standards (SAS) No. 70. SAS 70 is already used as a means of auditing providers in the traditional outsourcing space and cuts down on the amount of time internal audit teams need to spend on checking out third-party facilities. SAS 70 itself prescribes no particular set of controls: the auditor examines the controls the service organisation chooses to describe, which is why a recognised standard such as ISO 27001 is needed to give the audit a common yardstick.

Indeed, according to Dorey, Security Faculty members in the three most security-aware sectors of financial services, oil and gas, and telecommunications were showing an interest in just this idea of fitting an acknowledged standard into SAS 70 during recent meetings. “There was a sense that they’re facing growing pressure and cloud is starting to happen on the edge rather than the mainstream. They believe that departments will migrate into it and feel that they have to ensure the controls and security measures are there to do it in a safe way,” he explains.
The need for co-ordination
One of the problems at the moment, however, is that there is no single body co-ordinating the many, varied and consequently fragmented activities that are going on in the cloud security space, although an IISP meeting in Manchester in May did discuss setting up a working group to tackle just that issue. “We’re connected to everyone so we’re very active and by the end of the year, we ought to look to have some kind of draft available. Adoption of a full international standard takes years, but what matters is that someone produces useable material, which in this de facto world is likely to become standardised,” Dorey says.
A question of trust
A subsequent future step might also be to set up an independent third-party assurance body to accredit or kitemark cloud vendors as being secure, as part of a confidence-building exercise. Should such action not take place, however, the market runs the risk of being discredited in the way described by Nobel Prize-winning economist George Akerlof in his famous paper, The Market for ‘Lemons’.[2] In this paper, Akerlof outlines how people learned over time not to trust second-hand car salesmen. This was because they had no means of judging for themselves whether a given car was a ‘lemon’ and, therefore, all too often ended up purchasing over-priced rubbish. Since buyers would only pay a price that reflected the average quality on offer, owners of good cars had little incentive to sell. This, in turn, damaged the market for higher-priced, quality automobiles as they were perceived as too expensive to take a chance on.
And the same theory applies to the cloud sector. As Tim Watson, head of the computer forensics and security group at De Montfort University, points out, although one provider may offer a wonderfully secure service and another may not, if the latter charges half the price, the majority of organisations will opt for it as they have no real way of telling the difference. The problem with this situation is that, over time, as publicity over information security breaches continues to mount, the entire sector could well fall into disrepute.
“But with an independent assurance body you can trust, the market suddenly changes because you can tell the difference between good and poor quality. So it’s important just from a pragmatic economic perspective,” Watson concludes.
References
1. Cloud Security Alliance, ‘Security Guidance for Critical Areas of Focus in Cloud Computing’, April 2009.
2. George A. Akerlof, ‘The Market for “Lemons”: Quality Uncertainty and the Market Mechanism’, The Quarterly Journal of Economics, Vol. 84, No. 3 (Aug. 1970), pp. 488-500. <www.jstor.org/pss/1879431>
About the author
Catherine Everett is a freelancer who has been writing about business and technology issues since 1992. Special areas of focus include information security, management issues, skills and high-end software.
GLOBAL ID MANAGEMENT
Addressing global ID management challenges
Gary R. Gordon, executive director, Center for Applied Identity Management Research
Suzanne Barber, director and Professor, The University of Texas at Austin
Solving the identity management challenges requires greater collaboration across all aspects of society. Identity management is a maturing field, but still very much a work in progress. Organisations and their leaders are becoming more aware of the role that it plays in mission-critical areas of their entities and the interactions of all the individuals and organisations the entity touches.

Faced with threats from cybercriminals, attacks on computer systems, the potential for breaches of personally identifiable information (PII) and the need to protect access to information and facilities, these organisations are turning more and more to identity management solutions to mitigate the current and anticipated threats. The need to know who someone is and whether (or how much of) a risk they present, with accuracy and in real time, is the underlying identity management tenet for trusted interactions in both the physical and digital worlds. The identification challenge impacts individuals, government, commerce and national security. It is the key component for digital transactions and interactions.

Defining identity management
Identity management has been described as a hard problem, which is both complex and broad. This makes it difficult to come to a consensus on key definitions. One comprehensive definition describes identity management as a set of policies, processes, tools, connectivities and social contracts protecting the creation, maintenance, use and termination of an identity. Based on this definition, identity management encompasses several areas including risk management, due diligence, granting documents and credentials, information security, information assurance, access control, privilege management, authentication and policy management.

There is a need for society to take a more horizontal approach than vertical when innovating to manage identities. Public/private collaborations comprised of government, industry and academia are necessary in order for these issues to be fully addressed. When raised to the world stage, collaborative efforts are critical in facilitating commerce, creating interactions among governments and especially in combating the growing threats from cybercriminals.

Cross-disciplinary study and research is also essential. Because of the complex and multi-faceted aspects of identity management, collaboration from diverse disciplines such as computer and electrical engineering, informatics, law, policy, criminal justice, and business is vital. Managing the challenges associated with identity management also demands a holistic approach. There are a number