Schneier on Security
A blog covering security and security technology.
« Database of 12 Million Apple UDIDs Leaked |
| Hacking Marathon Races »
September 6, 2012
CSOs/CISOs Wanted: Cloud Security Questions
I'm trying to separate cloud security hype from reality. To that end, I'd like to talk to a few big corporate CSOs or CISOs about their cloud security worries, requirements, etc. If you're willing to talk, please contact me via e-mail. Eventually I will share the results of this inquiry. Thank you.
Posted on September 6, 2012 at 12:31 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm not a CSO (I'm a CTO), but one surprising issue with Cloud security is insurance. Our company, like many, has comprehensive insurance that covers data breaches, data theft, etc. But when planning to move email into a cloud-based provider, we found that the insurers had never considered such a possibility. The policies were written assuming ownership of the physical device on which the data resided. Even though the top-tier hardened cloud storage datacenter was much more secure than the closet in our office, insurance-wise, it was no dice.
We found another provider, but it took a lot of searching. Cloud is great, but some industries are behind the times.
I'm Head of Tech for a small integrator/consultancy.
The one concern which has come out of a number of discussions which we've had with clients about moving to cloud services is not knowing when your data is being investigated.
If you own the kit and it's physically sat in our offices, the police or government decide to investigate you and you find out the moment the actually want access to your data, you immediately stop doing what you shouldn't be.
If your services are hosted or cloud based, the vendor offering the service can easily be compelled to make your data available to the police or government without your knowledge, thus you may continue to do whatever sparked their interest, worsening your predicament.
(at the risk of adding to the FUD)
""" Even though the top-tier hardened cloud storage datacenter was much more secure than the closet in our office, ..."""
More secure for whom?
You have your clients security goals, your own, and now also your cloud providers. They're unlikely to be identical, and may even conflict.
I am not a CSO/CISO, but have some suggestions as to things to ask. (This is from a European perspective...)
In some industries in particular the public cloud is a non-starter because they have to protect their data. What is left is "private clouds", which interestingly pose some unexpected difficulties when working with classified data. For example, suddenly you need to make sure data and applications that traditionally may only need to stay on different servers now need to stay on different hardware used to host the virtualized servers, and possibly still needs to stay in different physical network segments. So what you end up with is a set of private clouds, not just one and a significant VM placement management problem.
Of course, some organizations just do not bother, decreasing security massively by putting everything into one private cloud, even when "physical separation" is a regulatory requirement. They hope that different VMs on the same hardware is "physical separation". Should I ever be called as an expert witness on this, I will have to call that wishful thinking.
I am sure there are others, but "loss of control" in various forms is basically the main thing in the public cloud.
Possible loss-of-control issues: inability to do reliable deletion, inability to detect access by the cloud provider (and 3rd parties, like law enforcement mentioned by Sean), inability to really assess redundancy level and reliability and loss of flexibility in that area, strong dependence on the cloud provider to survive, no reliable protection of keys and certificates in the cloud (making VPN no/less of a solution and invalidating disk encryption), and increased dependency of communication to the "cloud" working.
The issue I see is that in most cases the cloud provider is an additional attack vector. Even if the closet in your office is gone, all data can still be attacked from there. Also, the cloud provider is "all eggs in one basket" for the insurer, as they have a cluster risk if they start insuring things placed there. And attacking a cloud provider would be much more attractive if more and more critical data ends up in there. If it gets large enough, bribes an attacker can pay potentially get very large.
Also remember (missing from my list above), that with the cloud you have total loss of control over the level of loyalty (the only reliable prevention factor for data-loss) of the people operating the IT.
Sean/Hal: Your comments show that you aren't planning to encrypt *yourself* whatever is stored externally, so external host can pass the info on to whomever without being a security issue to you. I hope it's not my account info you are planning to be so irresponsible with.
@ Bruce re: Sean's comment
A while back, a guy came on a hacker forum asking advice related to the link below. In it, FBI hits a hosting company with a few problematic customers & seizes all their servers, putting plenty of legit companies out of business. (One was a card processor that just passed PCI compliance. Ouch.)
So, what the guy asked was, should we include in our disaster planning the seizure of IT infrastructure at random time by US Govt? It was an interesting question. Their actions show they aren't careful about what they grab & don't care what effect they have on you. Your company doesn't even have to be very shady itself. The "virtual" nature of the cloud may help prevent problems by seizures, as that's just pause then copy. However, illegal searches & eavesdropping may become much easier.
Any thoughts on FBI as a threat to business assets to be factored into disaster planning? I figure even non-hosting providers might be at risk if their machines are "hosting" criminal content via malware.
But when planning to move email into a cloud-based provider, we found that the insurers had never considered such a possibility
You do not say one things that might have been of importance , that is by "email" do you mean all email both internal and external or just external?
As has been seen with civil law actions in the US internal email is regarded as prime ground for evidence as most users don't think twice about what goes into an "internal email" where as generaly they do about external email. This is partly due to the users mentality that sees Email as being "just like a phone" or even "more secure than a "chat at the water cooler".
One aspect of "cloud" that most CSOs/CISOs don't tend to think about is "backup security". That is what is the actual mechanism the cloud supplier uses and what it does with the backups over time. Especialy when a large number of "private cloud" suppliers use other cloud suppliers for "disaster recovery" and "availability" reasons.
Even if the "data owner" uses encryption they are leaving themselves wide open to both civil and criminal law. As the data is in effect visable to the court in a locked container the court will simply ask for the keys, or more simply tell the data. owner to provide the plain text. The fact that the data owner will probably have in effect destroyed the keys at some point as they were nolonger considered valid does not cut it in court. This vastly complicates "key managment" which few if any organisations get even remotly close to being done correctly.
Another issue that many senior managers get wrong is the implicit assumption that,
Physical security = Information security
It does not, and whilst you may be able to "view the physical premises" prior to contract you won't be able to "view the information security of all systems on the premises" at any point.
From an "information security" perspective your system "in the closet" might actually be more secure than a system "in your cloud providers old cold war nuclear bunker".
Another issue that usually neither the data owner or the cloud provider have any control over is connectivity or "network loss". That is what happens when "builder sam" puts the JCB / back hoe through the network cables or power cables? Or as has happened some small fury rodent chews through a cable in some distant culvert?
Due to "cometative efficiencies" all infrastructures are becoming more brittle with time and "cascade failures" etc are more common. The further apart a data owner and a cloud provider are physicaly the much greater the chance that connectivity will be reliant on a single point of failure that is outside either parties ability to control even with binding legal contracts.
Peter Gutman documented the mess in New Zealand a few years back when the power supplier lost one high voltage supply cable of a supply system that had originaly had "fault tolerance" and "preventative maintanence" but since "competition" had cut back on PM and had not kept FT in line with the increase of demand. The result was when the cable was lost the load was thrown onto other cables which failed very shortly there after and turned the place into a ghost town for many months... It turns out the "owners" had gone through a legal liability limitation process so whilst there were contracts there was nothing to back them up...
Contracts are not worth the paper they are written on unless there are assets and people to reliably back them up...
Not a CSO but an auditor (and currently studying a lot of cloud documents):
1) In outsourcing it is already very difficult to assess if the company you outsourced to is "working for you and not just for itself". Even if the company is in your country and you can go and do site audits. This will become even more difficult with cloud ("outsourcing on steroids").
2) If you read the security documents of AWS or Azure it all boils down to: "you just have to trust that our administrators won't do bad things to your data".
3) It will be difficult to investigate incidents because it will be hard to get detailed technical logs. Especially with "software as a service".
4) Does a cloud party have the same incentives as you have? Will they announce it quickly if they've been compromised, or will they try to keep it hidden? Contracts are useless for this alignement of goals. There has to be "real" trust for this.
@TimH Good luck encrypting Office 365 or Google Apps.
In fact, I'm keen to hear how you would approach that? Besides avoiding those platforms of course.
Contracts are useless for this alignement of goals. There has to be "real" trust for this.
Many years ago a family friend (who is sadly nolonger with us) who used to be responsible for training accountants and those legal proffessionals who wished to work in that area of business told me that under no circumstances should any business relationship be based on trust.
He went on to explain that all contracts have two foundations exchange of equitable benifts and enforcable liability. He also explained that without liability there was no incentive to perform to contract, likewise if the liability was not enforcable. He also indicated that to ensure performance the liability cost to the non performing party should if possible be atleast three times the total of the value of the benifit, any loss incured and any cost of enforcing the liability.
Obviously you would think it would be difficult to get such contracts signed, but I have when involved with subcontracting seen contracts worded in such a way that the subcontractor bears any cost penalties for the whole contract even though they might only have one or two percent of the contract value. And yes people did sign them (I was not one of them), often however they could not have met the liability even with insurance so there was little point in having the terms in the contract.
I work in the CISO team of a very large company that had separate divisions that make, sell and use "clouds" so we see all sides of this debate. My main fear is the complexity, technical, legal and logistical. It always begins simple, for example hosting a static web site in a cloud. Then "they" want a "small" enhancement that requires interacting with a back end database and SSO with multiple applications, some internal and some in other clouds. The resulting spaghetti is always so complex that it is impossible to "prove" secure. (I mean prove in an engineering sense of "> xx%" rather than in a mathematical sense.)
I understand Google is mostly excluded from government cloud contracts in many European states because they do not store the data inside the jurisdiction of the state.
In general, Europeans do not trust the US government with protecting the privacy of European citizens and companies more than they trust the Russian or Chinese governments. Actually, no state will trust another in this respect (remember the UK involvement in ECHELON).
I am the effective CISO for an academic medical center in the U.S. We're under immense pressure to move to the public cloud, but bound by HIPAA. The biggest limiting factor is that we haven't found a cloud partner who will sign a Business Associate's Agreement, so we can't move in that direction.
AWS is a great example, they will "enable HIPAA compliance" but won't sign a BAA because they don't want to be in the healthcare business.
I also wonder how partially US-based cloud services are perceived in Europe; I understand privacy laws are more rigorous there than in the U.S. (In addition to Winter's comments.)
As an IT tech on a newspaper the cloud is a nightmare in every aspect.
In Sweden we have a strong constitutional law regarding confidentiality of sources etc.
Moving data such as articles, email and source information away from our physical location and protection is a huge step to take. The risks are gigantic and implications on how the law and any SLAs signed for the cloud service are more then fuzzy.
For example if a Swedish newspaper decides to move their email to a cloud own by an US company with their servers located in the UK.
Which law protects the source data? What good do a promise from the cloud provider do when a US agency asks for the data content? What legal responsibilities do the newspaper have when they placed data which are bound to protect in the hands of a foreign state?
Linode 'cloud' hosting was pwned through customer portal a while back. This let the attacker reboot/alter any vps they wanted and cleaned out numerous ppl hosting bitcoind on it
Some ideas on questions for CISOs
1. What is your favorite golf course?
2. Have you ever played Pebble Beach?
3. On a long par 3, are you more likely to lay up with a 3 iron, or try drive the green with a wood?
4. If you have firewalls and SSL do you really need anything else for the Cloud?
Here is the look from the opposite side on the Wired story - http://www.dallasnews.com/business/headlines/... which seems to imply that FBI actually knew what they were doing and some of the "innocent bystanders" actually fled the country after the raid.
@Sort of CISO: One example I can give you is Swiss Residents Customer Data in Swiss Banks: It may not leave Swiss soil, and that includes encrypted links. Anybody violating this (really "anybody", does not have to be a Bank employee, for example, say you find a printout with this data in the trash) is subject to criminal liability.
That is probably the most strict legal privacy requirement I have ever heard of. As to the mind-set: Basically all people I have talked to about this feel that in particular the US will data-mine any and all data it gets its hands on for political, intelligence and commercial purpose and will just ignore any protection laws. So the acceptance to storing personal data on foreign servers is basically zero. What most people here do not realize is that it is already happening and they just have not been told.
I cannot fathom any scenario where a 3rd party SaaS or "cloud" service provider could ever staunch my various concerns about information security, enhanced attack vectors, data integrity, availability over the public internet, etc...my greatest fear about "cloud INFOSEC" is a fellow exec with a copy of "ComputerWorld" in his hand and the words, "...hey, what's our CLOUD strategy?..." on his/her lips. If it's core to my business's success, I refuse to outsource it, period. It's all about competitive advantage now, cloud equals unacceptable risk, voluntarily inducing risk to the business dilutes our competitive advantage(s). How is that smart?
I'm not a CISO, but I play one on the Internet.
@ Secret CISO,
It's all about competitive advantage now, cloud equals unacceptable risk, voluntarily inducing risk to the business dilutes our competitive advantage(s). How is that smart?
Err whilst "for the company" it is all about competitive advantage that is not true of certain types of shareholders and non owning company officers, for them it's all about next quaters figures and looking like "go get" leaders.
So "short term thinking" and "who cares about the future I'll have moved on thinking" are actually the norm in publicly quoted stock companies where the average life of rising execs is 18months or less.
The trick is to get in start a project and get out before it becomes "meaningfull" in terms of bottom line. You say what a wonderfull success it is to get the next immediate job. What happens after you've left indicates if you continue to claim it as your success or your successors failings. With this jump quick mentality you can never be found to have failed, thus you must be a success...
It is one of the reasons the US has over 8% unemployment and is still in recession, there is actually no substance to public companies (in the US or many other western countries either). It is in effect a confidence trick and the short term thinkers don't care because it's only the next quaters figures that count therefore resiliance, preventative maintanence, R&D, security etc etc etc get "made efficient" by "cost restructuring" and the company becomes so fragile it becomes weaker than "an Emperors finest gossomer suit".
When I first heard about "cloud hosting" I thought it was something different than the old "store your files on the Internet" schtick from 1995, or "store your files on CompuServe" from 1985. Maybe, say, an encrypted file system that used software RAID, except it sent virtual disk slices to five or more remote sites, which might be run by entirely different hosting companies. No server would have more than 1/5 of the data, and it'd be encrypted anyway.
Being a data Neanderthal, I guess I'll stick to RAID, a fallback server, and off-site backup rotation...
I'm the CIO for a tiny consulting company. Our clients are small and huge firms - one is a cloud computing provider. They are deploying thousands of physical servers with OpenStack now across multiple locations. They are a large ISP for both residential and businesses.
My concerns about Cloud computing are many. Most have been touched on already.
* Physical location
* Legal jurisdictions
* Liability for us AND the cloud provider
* Shared disks
* Shared servers
* Shared networking - vlans are not secure
* Lack of control over who shares infrastructure
Our insurance does not cover clouds.
Our lawyers worry about jurisdiction issues when data can be stored in 3 different states, each with different laws.
Our clients are mostly clueless about these issues since marketing is usually the first to push "cloud-think" and they see it as a way to bypass our security controls - ok, that isn't really what they see. They think we take too long and want a new campaign going in a few days. The marketing and sales people don't understand the liabilities.
We are in the USA, so there is a tiny risk that some government agency will physically remove the storage or servers that our company shares with other companies. This means that cheap cloud server needs to be 2 or 3 cheap cloud servers in different providers to reduce the risk of "data disappearance by government." A real disaster like a tornado can be understood by clients, but if the govmt takes the server, clients will assume guilt first.
I am amazed at the number of responses already deciding what the business should do. IMHO we should be informing the business of the residual risks present with moving to the cloud. Let them decide and take on the liability.
We are all moving to the cloud in one shape or another, so we just need to ensure we have the proper controls in place before business moves with us or without us.
I think many of these comments are correct, and there's a lot of work to do with respect to mitigating the risk out there with cloud computing.
However, I would like to point out that these are essentially the same things that corporations said about connecting to the Internet. "You want to allow other people -- and you don't even know who they are -- to talk to some of our computers?"
Everything they warned about has come true. Companies (and governments) have been hacked. Loss of confidentiality, integrity, and availability all over the place. Malware propogating, dogs and cats living together, real "wrath of God" kind of stuff. :)
Even with all of the risks out there, though, I think most would agree that connecting to the Internet that was something that had to be done, and the risks had to be mitigated. I think cloud computing is similar. The promise of being able to use computing power from a huge shared pool, and not buy a bunch of machines and build a huge IT department? The promise of only buying what you use and instant scale-up? The promise of agents that can invoke these services on your behalf?
There's a lot of risk, but I think there's a lot of reward, too.
I'm an ISO in the financial sector.
My job is to articulate the risks to the business heads in a way they understand and can act on. It's their risk appetite not mine, although I give a recommendation.
The approach is to understand what we're in for via a set of due diligence questions, which I've embedded into the processes of other depts. Procurement (who handle contracts), Legal (who handle wordings) and also Project Office (whose PMs draft requirements and select providers etc)
A sample is as follows, it's not rocket science. :)
Questions for Cloud Provider:
Q1 What is your information security policy?
Q2 Can The Company audit you against your information security policy?
Q3a What encryption do you use for data in motion?
Q3b What encryption do you use for data at rest, and who creates and holds the keys?
Q4 Can your staff see our data?
Q5 Do you vet all your staff and to what degree?
Q6 Do you have third parties who can access our data?
Q7 What level of security and controls do you have over your infrastructure?
Q8 Can we use your compliance reports?
Q9 What would happen if you run out of capacity?
Q10 What would happen in the event of a data leak?
Q11 Would you know if you leaked any of our data?
Q12 What protection do you offer against data leakage? (USB sticks, CD Roms, back-up tapes, email, web…)
Q13 What are the top 3 scenarios where data *loss* can occur?
Q14 What happens to our data when we stop using your service?
Q15 Is The Company data held in an open standard or a proprietary one of the service provider?
Q16 How long will our data be available for retrieval after we stop using your service?
Q17 Who do we contact when it all goes wrong?
Q18 What is your equipment disposal policy?
Q19 What happens to our data if you cease trading?
Q20 What auditing and reporting do you have that we can access?
Q21 What country will any legal action arising from a dispute take place in?
Q22 Please describe the demarcation of Intellectual Property (i.e. who owns what?)
Q23 Please identify who (organisation, provider, shared) has operational responsibility for each layer network, storage, server, VM, App, Data
Q24 In what countries is the primary and back-up data held?
Q25 Does the government of the countries hosting the data or where the service provider is incorporated have legislation which grants it unfettered access?
Q26 Does the contract permit us to get physical access to the data?
Q27 Are the Data Centres FIPS 140-2 certified or Sarbanes-Oxley compliant or IFRS compliant?
Questions for ourselves:
Q1 What is the asset that we are worried about protecting? (e.g. cash, intellectual property, PII?)
Q2. What data are we willing to trust to the cloud/service provider?
Q3. If the solution invites 3rd party to create content, is the main trust issue with them or the service provider?
Q4. Who else could also provide this service if we had to migrate?
Q5. What in-house support is required in order to use the external service?
Q6. Is Legal and Compliance satisfied that this service is compatible with our obligations?
Q7. Do we have an exit strategy?
Q8. For personal information, who is the Data Controller?
Q9. How to ensure leavers process can prevent unlawful access post departure?
Q10. Are we clear on exactly how the vendor generates its revenue (e.g. does not seek to monetise our data)?
Q11. Is the content owner engaged in the process?
@Bruce you have my email if you want more info.
Sean: Office 365 or Google Apps are bad examples, since there are user-computer-hosted FOSS apps available that do the same job.
Any examples of must-use only-cloud apps?
I am amazed at the people that rely on gmail or yahoo to hold their email and contact stuff without any backup to a PC. So easy to set up T-bird or OE to grabbitall using POP.
It becomes a cost benefit discussion for Office 365 versus hosting your own environment in the cloud which you could encrypt with all the support costs etc. and then it's not likely you would be able to match the resilience cost effectively for smaller scale deployments.
To answer your question, I don't believe there is a must use cloud app.
If forced to, rolling your own and putting that in the cloud is always an option, again at a far higher cost.
I guess the trade-off is giving up full control of your data for the cost efficiency.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.