Mitigating security risks requires a range of measures to be used in combination, in order to provide the end-to-end security discussed above. This publication is not intended to give a detailed description of the technical measures available, and readers with more technical expertise may well be aware of other measures that are appropriate in their particular situation.
Security – like other aspects of data protection – is not something that should be added on as an afterthought. Security should be built into an organisation’s infrastructure and become part of how the organisation does business in every respect. Moving to the cloud does not solve the problem if an organisation’s existing security architecture and infrastructure is not up to standard; it just adds another element that must be addressed.
Most cloud providers are acutely aware that security has to be a high priority, both for them and their customers. They typically stress the degree to which they take security seriously, and it is often claimed that their security is likely to be considerably better than in most small organisations and some larger ones. This is quite possibly true, but cloud providers may also be a more tempting target, and breaches leading to unauthorised access, as we have seen, undoubtedly do occur.
Cloud security must cover all the elements of the seventh data protection principle, not just preventing unauthorised access but also preventing accidental loss of, or damage to, personal data. Many cloud providers offer indications of the level of service they aim to provide – and may historically have provided – but few are likely to offer unequivocal guarantees. The risk of service non-availability, its potential consequences, and the options for mitigating any damage, must therefore be assessed.
Given that most cloud providers are likely to be Data Processors, the requirement of Schedule 1, Part II, Paragraph 11 of the Data Protection Act must be taken into account. This states that:
Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must, in order to comply with the seventh principle –
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.
While physical inspection of a cloud provider’s security measures is unlikely to be practical, all reasonable steps must be taken to verify that the provider’s security measures up to the standard required. This should be done by someone with an appropriate level of technical expertise, who is able to ask the right questions and understand the implications of the answers. Without that, a Data Controller is much more likely to be penalised should a breach occur.
Areas to assess include how access rights are authorised and how users are authenticated; background checks and segregation of duties for the cloud provider’s personnel; physical access monitoring; and segregation of one customer’s data from another’s.
While the security offered by providers is of course crucial, security of cloud-based systems must start at the customer or Data Controller end, and there is a range of support and advice available at different technical levels. Having got its own house in order, the Data Controller should then carry out due diligence on the security provisions made by the cloud provider.
It is worth pointing out that, in the cloud, security must be managed differently. On an internal server it may be possible to rely heavily on perimeter defences. However, many security products cannot be deployed in a shared environment, and other organisations may be running less secure applications inside the same provider’s perimeter, endangering valuable data. Application-level and ‘instance’ security should therefore be considered. This could include: firewall or antivirus software that operates within each instance; ensuring that system services are run only where necessary; intrusion detection/prevention systems; and integrity checking or change monitoring software.
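The last item above, integrity checking or change monitoring, is easy to demonstrate. The following is an added example written for this page, not code from the original publication or from any product it mentions: it builds a SHA-256 baseline of a directory tree, then compares a later scan against it and reports files that were added, removed, or changed in content or permissions. The directory layout, file names and the "tampering" are constructed for the example.

```python
"""Minimal file-integrity baseline and change monitor (added example).

Builds a SHA-256 baseline of a directory tree, then compares a later
scan against it, reporting added, removed and modified files.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():          # do not follow links out of the tree
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return files added, removed and modified (content or permissions)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in set(baseline) & set(current) if baseline[f] != current[f]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: Path) -> None:
    # In practice keep the baseline off-host or signed: an attacker who can
    # edit the monitored files can usually edit a baseline stored beside them.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.ini").write_text("debug=false\n")
        (root / "app" / "users.txt").write_text("alice\n")
        (root / "motd").write_text("welcome\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorised changes (constructed for the example)
        (root / "app" / "config.ini").write_text("debug=true\n")   # content modified
        (root / "app" / "users.txt").unlink()                       # file removed
        (root / "app" / "backdoor.sh").write_text("#!/bin/sh\n")   # file added
        os.chmod(root / "motd", 0o777)                              # permissions only

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real instance, the baseline would be taken from a known-good build and the comparison scheduled or triggered by a change-detection hook; the point of recording mode bits as well as digests is that a world-writable configuration file is a change worth flagging even when its content is untouched.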
Where data is stored partly in the cloud and partly in-house, proper classification of data is vitally important to determine what can safely be stored where, in accordance with legislation, standards, security concerns and the value of the asset.
In June 2014 the UK Government introduced its Cyber Essentials scheme [4]. This sets out the basic controls that all organisations, of any size, should implement to counter the most common internet-based security threats. It concentrates on five key areas:
• Firewalls & gateways
• Secure configuration
• Access control
• Malware protection
• Patch management
Many organisations will, of course, have already identified these as being necessary and taken steps to address them. None of them are new or surprising issues, so there is no real excuse for failing to implement appropriate measures. What the Cyber Essentials scheme does offer is a means of proving that the necessary steps have been taken, through external assessment.
The scheme is intended to be affordable, even for small organisations. There are two levels of assessment. The basic certificate involves completion of a self-assessment questionnaire which is externally reviewed before the certificate is awarded. The more advanced Cyber Essentials Plus adds more costly external testing of the controls. In each case the certificate – which must be renewed annually – entitles the organisation to display a logo.
It is worth bearing in mind that the seventh data protection principle requires security measures to be technical and organisational. While most of the basic controls in Cyber Essentials are at the technical end, access control clearly has a large organisational component.
Access controls must apply both to the systems that allow users to access cloud applications and to the cloud applications themselves. The seventh data protection principle requires protection against unauthorised or unlawful processing, of which unauthorised access is the most obvious form. There are many ways of authorising access, but the allocation of logon credentials (which authenticate the user) and the privileges attached to them (which determine the information the user can view or manipulate) have to be key elements. Access privileges should be carefully thought out, so that users see no more information than they need to, and do not have access to functions that are not relevant to them.
This is especially true in the cloud, where the user’s location may be less well controlled. It is often worth considering additional precautions – if these are available – such as two-factor authentication, rigorous processes that require good authentication for password recovery or modification, restrictions on the IP addresses from which the application may be accessed, and/or restrictions on the times of day at which any given user is permitted to log-in.
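The additional precautions listed above can be expressed as a single policy check. The following is an added example written for this page, not code from the original publication or from any cloud provider it describes: it evaluates a login attempt against an IP address allowlist, a per-user permitted login window (which may cross midnight) and a requirement that a second factor has been presented. The policy values, network ranges and user names are assumptions constructed for the example.

```python
"""Conditional-access check for a cloud application login (added example).

Evaluates a login attempt against an IP allowlist, a permitted login
window and a second-factor requirement. All failing conditions are
reported, not just the first, so an operator can see the whole picture.
"""
from dataclasses import dataclass
from datetime import time
import ipaddress


@dataclass
class UserPolicy:
    allowed_networks: list      # CIDR strings; an empty list denies every source
    window_start: time          # local time from which the user may log in
    window_end: time            # end of window; may be earlier than window_start
    require_mfa: bool = True


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` lies in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end        # e.g. 22:00 to 06:00


def ip_allowed(ip: str, networks: list) -> bool:
    """True if `ip` (IPv4 or IPv6) falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluate(policy: UserPolicy, ip: str, now: time, mfa_passed: bool) -> tuple:
    """Return (allowed, reasons); `reasons` is empty only when every check passes."""
    reasons = []
    if not ip_allowed(ip, policy.allowed_networks):
        reasons.append(f"source {ip} not in allowlist")
    if not in_window(now, policy.window_start, policy.window_end):
        reasons.append(f"login at {now:%H:%M} outside permitted window")
    if policy.require_mfa and not mfa_passed:
        reasons.append("second factor not presented")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed policy: office range plus one fixed address, office hours, MFA required
    office = UserPolicy(["203.0.113.0/24", "198.51.100.5/32"], time(8, 0), time(18, 0))
    for attempt in [("203.0.113.9", time(9, 30), True), ("192.0.2.1", time(23, 0), False)]:
        print(attempt, evaluate(office, *attempt))
```

The check is deny-by-default: a user whose policy lists no networks cannot log in from anywhere, and a login that fails the time window is still reported even when the address and second factor are fine, which is what an access log reviewer needs to see.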
Good segmentation of the data in the cloud system, so that users are restricted in what they can view or modify– and especially what they can download, print or export – also helps to reduce risks. Access to administrative functions must, of course, receive particular attention, and live monitoring of activity in order to flag up unusual behaviour before it is too late, should also be considered. (The key security weakness in the BPAS case described above was a failure to replace the default administrator password.)
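The live monitoring mentioned above can start from a few simple rules run over the application's audit trail. The following is an added example written for this page, not code from the original publication or from any product it describes: it parses a constructed key=value audit log and raises alerts for bursts of failed logins against one account, administrative actions outside business hours, and bulk exports above a row threshold. The log format, thresholds, business hours and the set of administrative actions are assumptions chosen for the example.

```python
"""Rules that flag unusual behaviour in an application audit log (added example).

Parses constructed key=value audit lines and alerts on:
  * a burst of failed logins for one account within a short window,
  * administrative actions outside business hours,
  * bulk exports above a row threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

# Assumed policy values for the example
BUSINESS_HOURS = range(7, 20)               # 07:00 to 19:59
FAILED_LOGIN_LIMIT = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
EXPORT_ROW_LIMIT = 1000
ADMIN_ACTIONS = {"create_user", "change_role", "disable_logging"}


def parse(line: str) -> dict:
    """Turn '2014-09-03T09:01:10Z user=alice action=login ...' into a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for pair in m.group("kv").split():
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def detect(lines) -> list:
    """Return human-readable alerts, in log order."""
    alerts = []
    failures = defaultdict(deque)           # user -> timestamps of recent failures
    for line in lines:
        e = parse(line)
        user, action, ts = e.get("user"), e.get("action"), e["ts"]
        stamp = f"{ts:%Y-%m-%dT%H:%M}"

        if action == "login" and e.get("result") == "fail":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()            # drop failures outside the window
            if len(recent) == FAILED_LOGIN_LIMIT:   # alert once, when the threshold is hit
                alerts.append(f"{stamp} {user}: {len(recent)} failed logins "
                              f"within {FAILED_LOGIN_WINDOW}")

        if action in ADMIN_ACTIONS and ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{stamp} {user}: admin action '{action}' outside business hours")

        if action == "export" and int(e.get("rows", 0)) > EXPORT_ROW_LIMIT:
            alerts.append(f"{stamp} {user}: bulk export of {e['rows']} rows "
                          f"from {e.get('ip')}")
    return alerts


# Constructed sample log: normal daytime use, a password-guessing burst
# against the admin account, then a late-night admin login, a new account and a bulk export.
SAMPLE_LOG = """\
2014-09-03T09:01:10Z user=alice action=login result=ok ip=203.0.113.9
2014-09-03T09:05:00Z user=alice action=export rows=40 ip=203.0.113.9
2014-09-03T11:00:01Z user=admin action=login result=fail ip=198.51.100.7
2014-09-03T11:00:04Z user=admin action=login result=fail ip=198.51.100.7
2014-09-03T11:00:07Z user=admin action=login result=fail ip=198.51.100.7
2014-09-03T11:00:11Z user=admin action=login result=fail ip=198.51.100.7
2014-09-03T11:00:15Z user=admin action=login result=fail ip=198.51.100.7
2014-09-03T11:00:19Z user=admin action=login result=fail ip=198.51.100.7
2014-09-03T23:40:02Z user=admin action=login result=ok ip=198.51.100.7
2014-09-03T23:41:30Z user=admin action=create_user target=svc_backup ip=198.51.100.7
2014-09-03T23:45:12Z user=admin action=export rows=12000 ip=198.51.100.7
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The three alerts the sample produces (a failed-login burst, an out-of-hours administrative action and a bulk export) are exactly the sequence a reviewer would want to see together, and the last two come from an account that has already authenticated, which is why prevention alone is not enough.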
Controlling access via personal devices, through a BYOD policy, is particularly important if there is any possibility that confidential personal data may be taken from the cloud and stored on the device. This could be, for example, in the form of emails or information in attachments. Spreadsheets used as informal small databases are a particular hazard. Strict access controls to the device are also essential if the cloud application requires a logon which can be ‘remembered’ by the device. A BYOD policy should prohibit access to such cloud services by any personal devices that are not secured by the most appropriate access controls available. The Data Controller should also reserve the right to verify the presence of access controls at reasonable opportunities.
This is not just a hypothetical risk. A survey [5] in June 2014 found that 75% of consumers that use social media on mobile devices are automatically logged into their accounts, and even 23% of mobile banking users are automatically logged in. These risks may be acceptable for individuals to choose to take with their own data, but the figures emphasise that employers cannot assume that individuals have taken an appropriate approach to the security of personal devices on which corporate data may be held or accessed.
It is quite likely that personal devices may occasionally, or regularly, be used by others with the permission of the owner. In this case it is essential that these additional users are unable to access any data derived from, or held by, cloud applications. Ideally the device should provide for individual logons and allow only authorised users to access confidential data and associated applications. Again, reservation of the right to verify that these conditions are met may be a reasonable condition of permitting access from the device to corporate cloud data.
There are, of course, many sources of security guidance. Two that are pitched at a more detailed technical level than Cyber Essentials are from the Information Commissioner and the Open Web Application Security Project (OWASP).
The Information Commissioner produced a report in May 2014 – Protecting personal data in online services: learning from the mistakes of others [6]. The report analyses the root causes of security breaches in online systems that have been investigated by the ICO. It identifies eight common vulnerabilities that should, as a matter of course, be addressed. The issues it covers are:
• Software updates
• SQL injection
• Unnecessary services
• Decommissioning of software or services
• Password storage
• Configuration of SSL and TLS
• Inappropriate locations for processing data
• Default credentials.
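Two of the eight, SQL injection and password storage, are worth seeing side by side. The following is an added example written for this page, not code from the original publication or from the ICO report: a login routine that builds its query from user input and keeps passwords in clear text, beside a hardened version that uses a parameterised query, a per-user salt with PBKDF2-HMAC-SHA256, and a constant-time comparison. It uses only the Python standard library; the table names, user name, password and iteration count are assumptions constructed for the example.

```python
"""Login with SQL injection and plaintext passwords, beside a hardened version
(added example). Standard library only: sqlite3, hashlib, hmac, os.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000     # assumed value; raise as hardware allows


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest): random per-user salt and PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def setup_db() -> sqlite3.Connection:
    """Constructed database holding one user stored both badly and properly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", ("admin", "S3cret!"))
    salt, digest = hash_password("S3cret!")
    conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", ("admin", salt, digest))
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Deliberately insecure: query assembled from input, passwords in clear text."""
    query = (f"SELECT 1 FROM users_plain WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    """Hardened: parameterised query, salted PBKDF2 digest, constant-time compare."""
    row = conn.execute(
        "SELECT salt, digest FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same work for an unknown user so timing does not reveal valid names
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = setup_db()
    # The injected username comments out the password check in the vulnerable query.
    print("vulnerable, injected:", vulnerable_login(db, "admin' --", "wrong"))
    print("hardened,   injected:", safe_login(db, "admin' --", "wrong"))
    print("hardened,   correct :", safe_login(db, "admin", "S3cret!"))
```

With the parameterised query the injected text is just an unknown user name, and even if the table were dumped the attacker would hold salted PBKDF2 digests rather than reusable passwords.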
The OWASP Top Ten is an analysis, updated roughly every three years, of the current most important vulnerabilities in web-based systems and the measures that should be taken to prevent them. The 2013 Top Ten covers:
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
There is clear overlap between this list and the Information Commissioner’s, and many of the points are also relevant to the Cyber Essentials controls. It is worth taking a broad view, rather than relying on just one source to identify the security areas that should be given attention.
Regular independent vulnerability assessments and penetration testing, to ensure that applications are protected from well-documented threats as a minimum, are worth considering.
ISO27001: Information security management
The key international standard on information security is the ISO27000 series, available in the UK from the British Standards Institution (BSI).
ISO27001 is the overall framework for information security management, and can be externally certified. Its Annex A (the references below are to the 2013 edition) sets out a number of controls that should be in place. Many are directly relevant to cloud computing, including for example:
• System acquisition, development and maintenance (control A.14)
• Access control (control A.9)
• Information transfer (control A.13.2)
• Information security in supplier relationships (control A.15.1)
• Privacy and protection of personally identifiable information (control A.18.1.4)
Where a cloud provider cites ISO27001, the questions to ask include:
• Has the cloud provider been externally certified, or just self-assessed as compliant?
• Are the credentials of the certifying company satisfactory?
• Does the scope of the ISO27001 certificate, as set out in the supplier’s Statement of Applicability, cover the issues that concern the data that is intended to be placed in the cloud application?
Data ‘in transit’
Data is almost inevitably more at risk when it is ‘in transit’ rather than ‘at rest’, which is why information transfer merits a specific control in ISO27001. Many of the Information Commissioner’s monetary penalties have involved data going astray in transit (in a range of situations, not always in the context of cloud computing).
When considering a cloud provider’s security claims, it is important to check whether these apply equally to data at rest (i.e. while stored on the provider’s servers) and data in transit, both between the customer and the cloud provider, and between the cloud provider and any subcontractors that may provide part of the service.
Government agencies, or organisations that have close dealings with government, may also want to review the cloud provider’s offering against the HMG Security Policy Framework [7], as well as taking into account the ‘cloud first’ policy.
The security framework mandates clear accountability for the management of risk, and specifically in relation to information:
• “Staff who are well trained to exercise good judgement, take responsibility and be accountable for the information they handle, including all partner information.
• “Mechanisms and processes to ensure assets are properly classified and appropriately protected.
• “Confidence that security controls are effective and that systems and services can protect the information they carry. There will be an overarching programme of information assurance driven by the Board.”
In August 2014, CESG (the National Technical Authority for Information Assurance) published draft guidance on cloud security risk management, listing 14 cloud security principles and setting out in some detail how they should be implemented.
• Principle 1: Data in transit protection
• Principle 2: Asset protection and resilience
• Principle 3: Separation between consumers
• Principle 4: Governance framework
• Principle 5: Operational security
• Principle 6: Personnel security
• Principle 7: Secure development
• Principle 8: Supply chain security
• Principle 9: Secure consumer management
• Principle 10: Identity and authentication
• Principle 11: External interface protection
• Principle 12: Secure service administration
• Principle 13: Audit information provision to consumers
• Principle 14: Secure use of the service by the consumer
Many of these principles will by now look familiar, as they appear in other schemes we have already referred to. In addition, the CESG guidance gives a useful summary of common approaches to implementing cloud security principles. These are not mutually exclusive and can – indeed often should – be used in combination. They are:
• Service provider assertion: The service provider describes how their service complies with the implementation objectives, but is unwilling (or unable) to provide independent validation of compliance.
• Contractual commitment: The service provider contractually commits to meet the implementation objectives.
• Independent validation of assertions: An independent third party reviews and confirms the service provider’s assertions. Service provider [should hold] certificate of compliance with a recognised standard. Certification and implementation of controls [should be] reviewed by a qualified individual.
• Independent testing of implementation: Independent testers demonstrate that controls are correctly implemented and objectives are met in practice. A suitably qualified individual [should review] the scope of testing.
• Assurance in the service design: A qualified security architect is involved in the design or review of the service architecture.
• Assurance in the service components: Independent assurance in the components of a service (such as the products, services, and individuals which a service uses).
In the government G-Cloud programme “cloud security principles [are] a fundamental part of G-Cloud security assurance to help buyers make pragmatic decisions based on relevant, transparent and available information”, according to a September 2014 announcement. Suppliers have to provide information about how their products’ security maps to the revised government security classification scheme.
COBIT is another framework for information technology management and governance. It is seen as a way to fulfil the requirements of regulatory regimes (such as the US Sarbanes-Oxley Act) for risk mitigation, monitoring and control. COBIT 5 was released in April 2012. It is published by ISACA (originally the Information Systems Audit and Control Association) and its components include:
• Framework, linking IT to business requirements
• Organisation-wide process descriptions that map to responsibility for different aspects of the process
• High-level control objectives
• Management guidelines that include measuring performance
• Maturity models to assess systems and address gaps.
ISAE3402 and SSAE16 (previously SAS70)
Many US organisations mention compliance with SSAE16, which replaced SAS70 (Statement on Auditing Standards No. 70) in 2011. SSAE16 (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization) is intended to provide a US standard that is compatible with the international standard ISAE3402 (Assurance Reports on Controls at a Service Organization).
These are not security standards but are part of an auditing process for financial reporting. They do, however, examine risk management, and clients can ask for additional issues, such as Data Protection Act compliance, to be taken into account.
Such a statement means that the service organisation has been examined by an independent auditor, and that examination may have covered issues relevant to Data Protection Act compliance; whether it did can only be established by obtaining and reading the report, and checking that its scope and period cover the service in question.
Additional BYOD considerations
The Data Controller will not usually be able to control which other applications are installed on the device. There is therefore a risk that malicious or ill-behaved applications could introduce security vulnerabilities. Strict data and application segregation can mitigate these risks.
If data can be downloaded from the cloud to the device this is vulnerable to access by other users – with or without permission. Unwise behaviour by the device owner could result, for example, in the device being disposed of while still containing recoverable confidential information. It is also less likely that information that is updated on the device will be reliably backed up.
It is commonplace for devices – especially smartphones that are particularly vulnerable to loss or theft – to allow remote locking and wiping of all data. A device owner may be reluctant to provide the Data Controller with the codes necessary to carry out these operations, or to inform the Data Controller as soon as the device’s whereabouts are unknown. This is especially true if data is not segregated, so that the owner’s personal information would be wiped at the same time. This would argue for the use of company-issue phones wherever possible. An alternative is to require the device to use an application that ring-fences data acquired from the company’s systems, preventing it from being stored on the device, exported from it, or interfered with by other applications on the device.
Again, human factors must be taken into account. For example, a user who finds it onerous to enter a PIN or other security requirement each time they access the device, may be inclined to disengage the access controls after they have been authorised to use the device for accessing their employer’s data.
[5] Commissioned by the software company Intercede.
[6] This can be difficult to locate on the Information Commissioner’s website. At the time of writing it could be found via a news release dated 12 May 2014 at: https://ico.org.uk/media/for-organisations/documents/1042221/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf