By Varun Carlay, CISSP, CCSP

One of the top objectives of any government agency or an enterprise is to keep the ubiquitous confidentiality, integrity & availability (CIA) requirements of their agency intact for stakeholders, regulatory bodies and federal agencies. In the event of a data breach, data owners are held responsible and senior management ultimately accountable through the stringent data regulations that are now prevalent in most economies. As major data breach incidents and ransomware attacks continue to make headlines, cybersecurity decision makers must evaluate what kind of security controls and mechanisms a Cloud Service Provider (CSP) should have in place to safeguard assets of significant intrinsic value to the enterprise. So, let’s examine the kind of security controls CSPs should ideally put in place to support confidentiality, integrity, and availability requirements of your sensitive workloads.

Protection design principles for phases of the data life cycle

While it’s imperative to store data securely in the cloud, it’s equally important to ensure CSPs adhere to secure design principles at every phase of the data lifecycle. Typical data lifecycles include these phases: create, store, use, share, archive and destroy. For data protection, encryption is the primary tool and a fundamental requirement for managing workloads in the cloud. Therefore, sensitive workloads need to be encrypted using encryption keys. To manage encryption keys, CSPs must offer key management solutions. You should ideally back up your encryption keys to a hardware security module vault service, with an option to replicate the encryption keys across cloud regions (across geographic locations) to safeguard against major disaster situations causing the entire region to go down. All enterprise-grade cloud providers offer services to store encryption keys on highly available and durable hardware security modules (HSMs) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification.

Now, let’s talk about the primary distinction when it comes to data disposal methods. In a legacy environment, the customer has full control over their infrastructure, making follow-on data disposal options quite straightforward. However, in the cloud, customers need to ensure that their CSP follows proven data disposal techniques, like Cryptographic Erasure (Crypto-shredding), and adheres to well-known media sanitization standards like NIST SP 800-88r1 and DoD standards. CSPs should have optimal processes that ensure adherence to compliant data disposal techniques like degaussing decommissioned mechanical hard drives and then physically destroying them with mechanical shredders.
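
The two points above interact: once keys are replicated across regions for disaster recovery, cryptographic erasure is only complete when every replica of the key is destroyed. The sketch below is an added example, not code from the article or from any CSP; `ReplicatedVault`, the region names and the key id are hypothetical, and an HMAC-SHA256 counter-mode construction stands in for AES-256 so that it runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _prf(key, label, msg):
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Stand-in for AES-256 (HMAC-SHA256 in counter mode) so this stays stdlib-only.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(8, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor(key, nonce, ct)

class ReplicatedVault:
    """Hypothetical key vault that keeps a copy of each key in every region."""
    def __init__(self, regions):
        self.regions = {r: {} for r in regions}
    def create(self, key_id):
        key = secrets.token_bytes(32)  # 256-bit key
        for store in self.regions.values():
            store[key_id] = key
    def fetch(self, key_id):
        for store in self.regions.values():
            if key_id in store:
                return store[key_id]
        raise KeyError(f"{key_id}: no replica left")
    def destroy(self, key_id, regions=None):
        for r in regions or list(self.regions):
            self.regions[r].pop(key_id, None)

def demo():
    vault = ReplicatedVault(["region-a", "region-b"])  # constructed names
    vault.create("tenant-key")
    blob = seal(vault.fetch("tenant-key"), b"constructed sample record")
    vault.destroy("tenant-key", regions=["region-a"])  # incomplete erasure
    survived = unseal(vault.fetch("tenant-key"), blob)  # region-b still has it
    vault.destroy("tenant-key")  # all regions: ciphertext is now unreadable
    try:
        return survived, unseal(vault.fetch("tenant-key"), blob)
    except KeyError:
        return survived, None
```

`demo()` returns the plaintext read back after the partial destroy and `None` after the key is gone from every region, which is the evidence to ask a CSP for when it claims crypto-shredding.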

Data Protection – at rest and in transit

You can choose multiple storage options in a public cloud environment depending on your application requirements. All major cloud providers offer high availability SLAs across storage options. Regardless of storage type, data must be encrypted both at rest and in transit. To minimize the risk of accidental or malicious deletion of data, cloud customers need to follow the Principle of Least Privilege, which can be rather easily enforced using cloud identity and access management (IAM), generally a built-in service. Cloud service providers should ideally encrypt all storage block volumes using valid ciphers like AES with 256-bit keys, and encrypt data in file storage and in object storage. Securing keys based on NIST’s cryptographic key management recommendations, enforcing default encryption and using strong ciphers with adequate key length are among the best defenses against various forms of attack, including insider threats, and alleviate the consequences of ransomware attacks to a significant extent.

Data breach incidents, legal repercussions and penalties

Security is a shared responsibility when you move to the cloud, but the dynamics change when it comes to real data breach incidents. In a real-world incident, the data owner or controller (e.g., an entity in a government organization or an enterprise) is likely to be held accountable and thus face legal repercussions from regulatory agencies, not necessarily the CSP. This has been the case in several recent ransomware incidents. As a cloud customer, you should ask for data processing agreements (DPAs) and review them against your business requirements. Ideally, CSPs should drive security in the cloud and have default controls in place to enforce and autocorrect misconfigured settings.

Trust but verify: Attestation, accreditation, compliance

As per the Cloud Security Alliance (CSA), the Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents security and privacy controls provided by popular cloud computing offerings. The CSA also developed the Cloud Assessment Initiative Questionnaire (CAIQ), a standard template for CSPs to accurately describe their security practices. You should ideally review your CSP’s CAIQ at the start of a contract and at regular intervals.

Also, as cloud adoption decisions depend largely on your regulatory requirements, check your CSP’s third-party attestations and evaluate how these reports adhere to your compliance requirements. Third-party attestations provide an independent view of security, privacy and compliance controls implemented by the CSP and thus will assist in your compliance reporting. Finally, as a potential cloud customer, would you like to keep investing time and resources maintaining regulatory requirements and preparing for audits or would you rather move your workloads to an environment which is already compliant? Think, Cloud!

For more on tackling governance, risk and compliance (GRC) in the cloud, ISC2 offers a Skill-Builder program to help. For more information, visit:

https://www.isc2.org/professional-development/skill-builders/governance-risk-and-compliance