Cloud computing offers potential benefits including cost savings and improved business outcomes for organisations. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to as a cloud service provider) has implemented their specific cloud services.

This discussion paper assists organisations to perform a risk assessment to determine the viability of using cloud computing services. This publication provides an overview of cloud computing and associated benefits. Most importantly, this publication provides a list of thought-provoking questions to help organisations understand the risks that need to be considered when using cloud computing. Developing a risk assessment helps senior business representatives make an informed decision as to whether cloud computing is currently suitable to meet their business goals with an acceptable level of risk. The questions in this publication address the following topics:

The Australian Cyber Security Centre (ACSC) strongly encourages both senior managers and technical staff to work through this list of questions together. The questions are intended to provoke discussion and help organisations identify and manage relevant information security risks associated with the evolving field of cloud computing. In particular, the risk assessment needs to seriously consider the potential risks involved in handing over control of your data to an external vendor. Risks may increase if the vendor operates offshore. This publication complements the advice on cloud computing in the Information Security Manual (ISM).

The ACSC recommends against outsourcing information technology services and functions outside of Australia, unless organisations are dealing with data that is all publicly available.
The ACSC strongly encourages organisations to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign owned vendors operating in Australia may be subject to foreign laws, such as a foreign government’s lawful access to data held by the vendor.

Cloud computing as a delivery model for IT services is defined by the National Institute of Standards and Technology (NIST) as ‘a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’. NIST specifies five characteristics of cloud computing:
There are three cloud service models. A non-exhaustive list of example vendor services is provided to help the reader understand the cloud service models. Inclusion of an example vendor service does not imply the ACSC’s support of the service.
A vendor adding the words ‘cloud’ or ‘as a Service’ to the names of their products and services does not automatically mean that the vendor is selling cloud computing as per the NIST definition. There are four cloud deployment models:
Overview of business drivers to adopt cloud computing

Cloud computing has the potential to help organisations leverage modern technologies such as computer virtualisation and worldwide internet connectivity. Some of the key business drivers are:
There may be good business reasons to move publicly available data to the public cloud. If properly designed, a vendor’s spare network bandwidth and spare computing capacity automatically helps to mitigate some types of distributed denial of service (DDoS) attacks. Technologies such as ‘anycast’ and international Content Delivery Networks (CDN) can help to mitigate DDoS attacks by geographically distributing the network traffic and computer processing around the world. These technologies to improve the availability and business continuity of publicly available data are prohibitively expensive for every organisation to build themselves, though are relatively inexpensive to rent from vendors. Although the availability of an organisation’s website may not be affected by a DDoS attack, the organisation may have to pay for the computer processing and network bandwidth consumed by the DDoS attack.

Organisations using cloud computing to store or process publicly available data such as a public website may not be concerned about confidentiality. However, the organisation’s risk assessment should consider the availability and integrity of the public data, including reputational and other damage if the organisation’s system is offline, or is compromised and distributes misleading information or malicious content.

To enable an organisation to focus on their core business, the acquisition and maintenance of specialist IT staff, computing software and hardware used to store and process data can be outsourced to a vendor. However, the organisation is still ultimately responsible for the protection of their data.

Risk management

A risk management process must be used to balance the benefits of cloud computing with the security risks associated with the organisation handing over control to a vendor.
A risk assessment should consider whether the organisation is willing to trust their reputation, business continuity, and data to a vendor that may insecurely transmit, store and process the organisation’s data. The contract between a vendor and their customer must address mitigations to governance and security risks, and cover who has access to the customer’s data and the security measures used to protect the customer’s data. Vendors’ responses to important security considerations must be captured in the Service Level Agreement or other contract; otherwise the customer only has vendor promises and marketing claims that can be hard to verify and may be unenforceable.

In some cases it may be impractical or impossible for a customer to personally verify whether the vendor is adhering to the contract, requiring the customer to rely on third party audits including certifications instead of simply putting blind faith in the vendor. Customers should consider which of the vendor’s certifications are useful and relevant, how much the certification increases the customer’s confidence in the vendor, what associated documents the customer can request from the vendor, and whether the contents of the documents are of high quality. For example, Statement on Auditing Standards (SAS) 70 Type II, superseded by a new standard in 2011, can involve the vendor deciding which aspects of their business are to be covered, and an independent accountant checking only these aspects. Therefore, customers should ask vendors exactly what aspects are covered. For vendors advertising ISO/IEC 27001 compliance, customers should ask to review a copy of the Statement of Applicability, a copy of the latest external auditor’s report, and the results of recent internal audits.

Overview of cloud computing security considerations

This section provides a non-exhaustive list of cloud computing security considerations, with each security consideration discussed in more detail later in this publication.
Not meeting any of the following security considerations does not necessarily mean that cloud computing cannot be used; it simply means that the security consideration requires additional contemplation to determine whether the associated risk is acceptable.

Maintaining availability and business functionality
Protecting data from unauthorised access by a third party
Protecting data from unauthorised access by the vendor’s customers
Protecting data from unauthorised access by rogue vendor employees
Handling security incidents
Detailed cloud computing security considerations

This section provides a detailed list of security considerations that organisations can discuss both internally and with vendors that are transparent about their security measures. Some examples are provided to demonstrate that the security considerations are not theoretical. Questions are provided to provoke thought and discussion, rather than to be used simply as a checklist. Answers to these questions will assist organisations to develop a risk assessment and make an informed decision regarding whether the organisation’s proposed use of cloud computing has an acceptable level of risk. It is unlikely that any single vendor will provide suitable answers to all of the questions, so organisations should decide which questions are most relevant based on the organisation’s intended use of cloud computing.

Maintaining availability and business functionality

Answers to the following questions can reveal mitigations to help manage the risk of business functionality being negatively impacted by the vendor’s cloud services becoming unavailable:

Protecting data from unauthorised access by a third party

Answers to the following questions can reveal mitigations to help manage the risk of unauthorised access to data by a third party:

Protecting data from unauthorised access by the vendor’s customers

Answers to the following questions can reveal mitigations to help manage the risk of unauthorised access to data by the vendor’s other customers:

Protecting data from unauthorised access by rogue vendor employees

Answers to the following questions can reveal mitigations to help manage the risk of unauthorised access to data by rogue vendor employees:

Handling security incidents

Answers to the following questions can reveal a vendor’s ability to handle security incidents:
Further information

The Information Security Manual is a cyber security framework that organisations can apply to protect their systems and data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with its Essential Eight, complements this framework. Further information on cloud computing is available from the following sources:

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).