Recently, the (ISC)² ThinkTank tackled the cloud. The webinar, “Security Practices for a More Secure Cloud,” featured panelists Kurt Hagerman, CISO of Armor, Raj Goel, CTO of Brainlink, and Keith Young, Info Security Officer of Montgomery County.
Thank you to our panelists for sharing their expertise – let’s continue the conversation, shall we?
Since cloud is becoming a hot commodity these days, how can a cloud provider assure would be customers that data is 100% secured day-in-and-day-out? I guess there can never be a guarantee. In line with this, how can a cloud provider show that all measures are done to keep data secure?
Kurt Hagerman, CISO, Armor Defense:
No cloud provider can guarantee 100% security of your data. They can only provide assurance to the extent of the security controls they manage and even then, only to the extent the tools they use are able to detect or prevent malicious activity. Remember that there is no such thing as “perfect security,” so there is no way to be 100% assured that your data is secure. The best assurance you can get from your cloud vendor would be their annual audit attestations, such as their PCI Attestation of Compliance, SSAE 16 SOC 2 Type II report.
A key point in today’s discussion was education. Can you identify where to get training to understand the cloud and security-related items that need to be addressed?
Keith Young, Info Security Officer, Montgomery County, MD:
There are several well-known cloud security training and certification programs available. Below is a list of some of the more popular programs available. Note that I do not endorse or recommend any specific program:
In addition, technical training programs for specific vendor clouds (Amazon, Google, Microsoft, etc.) are available from the vendors and third parties.
How does privacy fit into this shared responsibility? Almost all things are governed by contract itself but privacy has lot of regulations around it. How do you deal in a situation where contract is contradictory to regulation requirement?
Raj Goel, CTO, Brainlink
In almost all cases, safeguarding customer/client data is the responsibility of the entity the consumer does business with – e.g., you or your firm, and not the backend cloud providers.
I would read the appropriate privacy rules & regs, review the cloud vendor EULAs, TOS, contracts and their history. Some vendors have great sounding policies, but in practice have a poor security track record, whereas others are quite competent at it.
Most importantly, I would ensure that my team, staff, developers, etc. are using approved, secure practices. A cloud vendor’s agreements are worthless if your developers leave their databases unsecured (see Mexican voters leak, GOP voter database leak, MongoDB defaults) or if your developers leave their private keys in the code, in configuration files or on GitHub.
At least in the US, regulators hold the data custodian (e.g. you or your firm) and not their backend providers liable for data breaches. And as history has shown, a majority of the time (somewhere between 80-99%), the breach occurs due to internal insecure practices, organizational inertia or bad design.
This is NOT to suggest that cloud vendors are off the hook – I would be leery of jumping on the latest fad, or trusting new, young startups with my most sensitive data. I prefer to work with established vendors who have worked with larger companies, have teams of information security professionals and lawyers who are well versed in compliance.
For more on cloud security, register for (ISC)² Security Congress in Austin, Texas this September. Cloud Security is one of 11 tracks at the annual conference.