Satisfying security requirements is one of the biggest issues for companies moving their infrastructure into the cloud. Eleanor Reader finds out how organisations can ensure they have covered all the bases.
Without fail, security is always the number one concern for companies considering a move to the cloud.
“This is the very first question our clients ask. They’re very excited about cloud and what it can do for them and their business, but it’s always about security,” says Accenture Australia’s cloud lead, Alison Cairns.
That’s because moving systems to the cloud does not absolve the organisation of its compliance responsibilities, say Michael Barton, technical sales engineer, and David Tait, technical sales lead, at CSC Australia and Asia.
“They may be able to delegate technical, operational and security responsibilities to a cloud service provider (CSP), but they will remain accountable for the compliance of the system under the cloud service provider’s control.”
Defining a security policy
To ensure their compliance needs are met, the cloud customer must develop and provide complete security and compliance requirements to the CSP, and should assess the provider for compliance to their requirements.
Being clear about who is responsible for the security controls that are required in the cloud service, as well as the role of the client versus the CSP in performing compliance audits, is also essential.
“The client will usually retain audit compliance accountability and be responsible for the execution of the audit. The CSP should support the audit process for services they are responsible for. In some specific scenarios CSPs may be able to provide evidence that they have had the solution audited and certified as compliant,” say Barton and Tait.
When informing clients about what to include in a security assessment, Accenture guides them through five key areas. The number one thing to consider is what type of data they are moving to the cloud and how sensitive it is.
“Every piece of data has a different security requirement. There’s significant legislation around data sovereignty and data privacy and that needs to be cleared first, but it’s not terribly different compared to what they have to do on their own premise,” Cairns says.
Next up is privacy and protection services: “making sure that you have compliance for the cloud environment and the right processes and procedures by implementing the correct technology control,” she says.
Then there are simpler issues to consider, such as cloud identity and access management, which companies would already have in place as part of their on-premise security controls, says Cairns.
Finally, there are factors such as the secure integration gateway – how the data is going to be moved around and what happens at different points when it is moved.
This can involve designing and implementing encryption solutions so the data can be securely connected to and stored.
Barton and Tait say identity management integration between the SAP solutions and the client enterprise can be complex, especially if external users need to be provisioned and managed.
“Cloud identity and access management solutions are available to extend an enterprise’s existing identity services to the cloud and enable third-parties to be managed, and also enable an organisation to use multiple cloud services with the same identity framework.”
They add that ongoing verification that security controls are in place and working effectively is critical.
Questions to ask cloud vendors
The questions that need to be asked of the potential CSP will be shaped by the client’s requirements, but many of the questions go to the core of the cloud service, say CSC’s Barton and Tait.
The key characteristics of the cloud service, and the questions that identify them, fall under the following categories:
Business first
Does the cloud service being offered align with the client’s business requirements (service-level agreement, price, scope and so on)?
Will the service be able to support the ever-changing business landscape for the client?
Does the CSP have experience delivering to the client’s industry?
Data protection
How is the client’s data protected?
What resilience is available within region and across geographies?
Where is the client’s data domiciled?
Security
What security controls and processes are in place to protect the client’s data?
What certifications are maintained by the CSP?
What is the CSP’s broader security capability and experience?
Enterprise support
How does the client engage with the CSP for normal operations, escalation of service issues and changing service requirements?
Governance
How does the CSP ensure the cloud environments are appropriately managed and have all the processes to ensure the client’s business is not put at risk?
How does the CSP ensure the cloud environments maintain technical currency and continue to offer new and evolved services and products?
Operational excellence
How long has the CSP been providing cloud services, and how long have they been providing IT services in general?
What is the CSP’s performance in relation to its service-level agreements?
Does the CSP have SAP certified integration solutions?
Does the CSP have broader expertise and experience that can be leveraged by the client?
Transparency
How does the client get clear visibility of scale, cost and health of their cloud deployment?
You’ve chosen a cloud provider, now what?
Security compliance reporting and transparency services provided by the CSP are one way to maintain visibility of threats, events and the general security posture of the cloud service, say Barton and Tait.
Another more formal option they recommend is to audit the provider.
“Clients can sometimes protect their data from access by the CSP’s staff by providing their own encryption solution (and manage the keys). This is typically appropriate for IaaS/PaaS solutions, but also for SaaS if the application layer is logically isolated for the specific client,” they say.
“CSPs that won’t engage in independent audits or won’t provide assurance of security control effectiveness may be concealing the fact that the expected security controls are not in place or effective.”
Accenture recommends their clients work with their cloud provider to develop a strategy and governance framework so they can make sure that they are going to get innovation without the risk. It’s about being proactive, rather than reactive, says Cairns.
“We’ve found user security discussions help people think through what they’re doing with cloud and they get the results they were expecting, both top line and bottom line, meaning they can do something innovative with the business by using cloud as well as getting the savings.”
Current requirements for Australian data sovereignty
Another critical issue when considering moving data into the cloud is data sovereignty.
A research report from the University of New South Wales Cyberspace Law and Policy Centre, ‘Data Sovereignty and the Cloud: A Board and Executive Officer’s Guide’ shines some light on the extremely complex data regulations in place in Australia today.
According to the report, data sovereignty refers to both specific data sovereignty laws limiting cross-border transfer, as well as the more general difficulty of complying with foreign legal requirements that may be more onerous, less clear, unknown to the user, or even in conflict with the user’s own country’s laws.
“The complexity of these various laws may make businesses reluctant to move to a cloud – especially a public cloud – where it cannot restrict the geographic location or jurisdictional control of its data,” the report says.
Australia’s information security law is composed of federal, state and territory laws, administrative arrangements, judicial decisions and industry codes. Changes are due in 2014, which makes evaluating the impact of cloud sovereignty issues very difficult, the report states.
New Australian Privacy Principles created by November 2012 amendments to the Privacy Act 1988 (Cth) now require the outsourced third party service provider to “comply with Australian law”, rather than make “reasonable efforts to ensure comparable security”.
Australian banks and insurance companies are regulated by the Australian Prudential Regulation Authority (APRA) and are required to consult with APRA in connection with outsourcing computing services offshore.
Other Australian businesses are required to comply with the Privacy Act and the National Privacy Principles, which prohibit the transfer of personal information to a third party outside Australia unless that country has equivalent privacy laws or the entity ensures appropriate protection for the data.
Australian registered organisations are required to verify that they store personal data only in countries with legal standards equivalent to Australia’s.
Government organisations in Australia are required to adhere to the requirements of the Australian Government Information Management Office (AGIMO). These agencies generally prefer to use data centres within Australia in order to maintain physical jurisdiction over their most sensitive data.
This article was originally published in Inside SAP Winter 2013.