Behind every cloud, there should be a security lining

As organisations increasingly migrate to IT services and products located in the cloud, the security of such systems becomes an important issue.  Whether security risks are actually higher in a cloud environment is debatable. There is no doubt, however, that the perceived loss of control associated with using cloud IT services carries significant concern about the risk of unauthorised system access or loss of data.

What security issues do I need to consider before choosing a cloud service offering?

In evaluating the security capability of a cloud service offering, organisations need to consider several distinct but interrelated security issues, including:

  • Data security – Consider what mechanisms the cloud service provider uses to protect data at rest (i.e. held in storage), data in transit (i.e. being transferred over a network) and data in process (i.e. in memory, being used by an application). Ideally, data at rest should be encrypted in storage, although whether this is necessary may depend on the sensitivity of the data. There is also a range of standards for encrypting data in transit, such as SSL, VPNs using IPsec, Transport Layer Security (TLS) or SFTP.
  • Application security – Application security will usually depend on the nature of the service being offered by the cloud provider. For Infrastructure as a Service (IaaS), more of the responsibility, including encryption of data in storage, will potentially rest with the customer. For Software as a Service (SaaS), responsibility is likely to rest with the cloud provider, because it controls both the data and the application. Security mechanisms to consider include firewalls, VPNs to limit application access, and denial of service defences.
  • Network security – If a vendor does not hold a certification covering network security, you should at least confirm whether the vendor has identity and access controls, vulnerability patching, network segmentation, traffic filtering, intrusion detection or prevention, and logging and notification.
  • Physical security – Consider whether the provider has sufficient physical security, such as infrastructure located in secure areas, protection against external and environmental threats like floods, equipment and personnel security controls, and backup electricity, gas and water supplies.

How do I make sure the promised security will be provided and maintained?

It is unrealistic to seek guarantees that there will be no security failures. However, you can expect cloud service providers to comply with specific standards in maintaining security, and contractual agreements should be drafted to reflect this.

There are several options available when drafting security provisions:

  • Legal standards – Standards like best or reasonable endeavours, or negligence, are frequently used, but applying these to IT security can be problematic. Often parties will use imprecise wording like ‘industry best practice’ and will seek to define what this means in the contract. However, this approach will not necessarily result in a clear, definitive standard and can lead to dispute.
  • Industry standards – Fortunately, there is a range of industry-recognised and well-defined objective standards that parties can use. Potentially the most widely recognised security standards are those published by the International Organisation for Standardisation and the International Electrotechnical Commission in the ISO/IEC 27000 series. The primary standards are ISO/IEC 27001 and 27002: 27001 specifies the requirements for an information security management system, and 27002 describes a series of controls that address specific elements of security management systems. In addition, ISO/IEC 27017 provides security guidance for cloud service providers, and ISO/IEC 27018 covers the protection of personal information in public clouds.

Aside from these broad standards, there are other standards which an organisation should consider, depending on its industry sector or regulatory obligations. For example, the Payment Card Industry Data Security Standard (PCI-DSS), mandated by the credit card industry, identifies the minimum security controls needed to protect customer cardholder data. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) imposes confidentiality and security requirements for health information on U.S. health care providers and often appears in U.S. vendor agreements.

  • Verification – Even with appropriate contractual obligations in place, organisations should consider imposing verification mechanisms to ensure those obligations are being fulfilled, whether through the provision of certifications or through audits by independent third parties. For example, there is a range of certifications based on ISO/IEC 27000, such as the DigiCert certification.

Where do I go for more information?

For additional information concerning cloud security, the Australian government’s lead agency on cybersecurity, the Australian Signals Directorate, provides useful guidance on IT security and publishes the concerning cloud security which is available here.

If you have any queries or would like further information regarding this article, please contact:

Simon McDonald
Partner
M: 0402 843 198
E: smcdonald@pageseager.com.au

Raya Barcelon
Lawyer
M: 0414 202 704
E: rbarcelon@pageseager.com.au

Published: 16 June 2017

Copyright © 2016 Page Seager.