Cloud Security and Privacy Considerations
CIA Triad + Privacy
- Cloud computing also has the same security goals of confidentiality, integrity, and availability
- adds individual privacy as well
- ensures respect of the rights of confidentiality not only of own organization but also of the individuals whose PII is stored, processed, and transmitted
Governance
Cloud computing governance helps an organization work through existing and planned cloud relationships to ensure that they comply with security, legal, business, and other constraints.
- designed to get potential vendors, manage relationships, and oversee cloud operations
Auditability
- auditability is an important component of governance
- cloud contracts should specify that the customer has the right to audit the cloud provider directly or through a third-party
Regulatory Oversight
- Ensure cloud providers support ability to remain compliant with regulations
- HIPPA, FERPA, PCI DSS, etc.
- some regulations provider specific provisions about how to ensure third-party providers remain complaint
- e.g.,
- using only certified providers
- requiring written agreements with providers that handling data will be consistent with regulations
- e.g.,
Cloud Security Considerations
- Data protection
- storing data on cloud is essentially storing on the internet
- configuration mistakes can have terrible consequences
- protect data with access controls and encryption
- have disaster recovery plans
- Patching
- CSP should have clear patch management policy
- how often patches are released
- how quickly CSP will respond to critical vulnerabilities
- consider how easy it is to apply patches
- have a plan for testing and deploying patches
- cloud infrastructure is very complex
- you don’t have control over underlying infra
- CSP should have clear patch management policy