Security is often described as being like an onion - it's got to be provided in layers, such that even if a miscreant manages to get past one or two barriers, there are still several more that could repel him (or her). When a company consumes compute resources over a cloud, there are even more layers required, as the bank's IT and security departments are a few steps removed from the data and applications they're charged with protecting.
Security is the biggest concern bank customers express about cloud computing. "It's letting go of that data - they're very concerned that we have the appropriate processes in place," says David Malcom, director of datacenter operations at Computer Services, Inc.
The first layer of clous security is vendor vetting, the contract and the service level agreement. "Customers want to see that background documentation to feel we've gone through the process of having our environment certified," Malcom says.
Vendors should be certified in SAS 70, PCI security guidelines and SSAE 16, which some people regard as the new SAS 70. A legal agreement should stipulate how quickly the vendor is to report suspected security incidents. It's also important to establish up front who owns the data. "Data destruction and backup happen to be two of the biggest issues inside the cloud," says Jon Ramsey, chief technology officer of Dell SecureWorks. "If the vendor owns the data, they could say, it's not your data, I don't have to destroy it. But if it's my data and I say you have to destroy it, whatever destroy means in this context, then they would probably be obligated to do it. Data lifecycle management is easier to enforce legally when you own the data."
The second basic cloud security layer is access control. "You want to make sure you're following good, basic blocking and tackling around identity management, such as using strong user names and passwords," Ramsey says. Intel and IBM both offer identity management programs for cloud implementations. Dell is about to close an acquisition of Quest Software, which has identity and access management capability.
Tsion Gonen, chief strategy officer at data protection company SafeNet, points out that a balance needs to be struck between usability and security with authentication. "You want to provide security but you also don't want to drive users crazy," he observes.
The third layer is network security. A firewall is of course essential; cloud providers can often offer more. "Our preferred approach is for customers to have dedicated network connections into our facilities, so that even though we're hosting their data in a cloud, it's not like it's public and you have to develop procedures around keeping everybody on the internet away from the data," says Malcom. CSI will provide virtual dedicated networks for each customer, so that there are true firewall rules in place to separate traffic going between different sets of customers, Malcom says.
The fourth layer is encryption. "If you can, I would highly recommend encrypting the data you put in the cloud and not letting the cloud service provider have access to the key with which you encrypted the data," Ramsey says. "That solves a whole host of problems. If the data is backed up, it's backed up and encrypted, no one can get it. If it's accidentally or purposely moved offshore and you're a U.S. regulated bank, you could say it's encrypted so you could follow things like Safe Harbor." PCI rules require encryption for data at rest.
"We're in an age where by definition you cannot assume you will be able to completely seal the perimeter," Gonen points out. "Someone will get through the door, and if he doesn't get through the door he'll get through the window. He will get to the asset you're trying to protect. That asset in most if not all cases is a piece of data." His company's approach is to encrypt all data so that cybercriminals won't be able to use it if they do manage to steal it.
Encryption can also help with the issue of snapshotting: cloud providers such as Amazon tend to replicate data to other locations using frequent snapshots for backup purposes. "How do you know that there aren't unauthorized snapshots in the cloud? That's not a question of losing data, it's a question of governance," Gonen notes. If the data is encrypted, no one else can touch it, regardless of how much it's duplicated.
The fifth layer is incident response. "Customers want to understand procedurally how we take action when we find incidents and how we set up logical separation [between customers' data]," Malcom says. "Every customer is different, some customers inherently trust the relationship with CSI, but most have some degree of skepticism when it comes to outsourcing their data."
"Trust but verify" is the mantra here. Make sure the cloud vendor can provide all of the security layers that are promised.