Forget onions and think Russian Dolls
I feel the likening of providing information assurance and security to the layers of an onion can be improved on by likening this to the wooden Russian Doll. To get to the centre we unlock the larger dolls working from the outside in, a simple process but if we introduce locking mechanisms at each layer the task becomes more difficult. The more complex the locks, the more difficult the task; until becomes impossible to complete the puzzle. The essence of this principle is the provision of controls at different layers of the security model to protect your data. A key factor is the location where your data will be stored, managed, and processed; which will enable you to identify and understand the legal and regulatory requirements necessary to protect your data from unauthorised accessed; and understand when data can be accessed by statutory or regulatory bodies. Whilst knowing where your data sits can help you need to understand compliance within individual territories, determining legal jurisdiction may be more complex than this as it takes into account data location, user location etc. Therefore seeking specialist advice is a must (UK central government departments wishing to make use of an offshore cloud data storage or management service, need agreement from HMG’s Cabinet Office).
Data Centre Security
A Service Provider’s premises need physical protection against a range of threats and attack vectors; including the segregation of Service Provider employees who do not support your service form those that do. So ask the questions about perimeter and building controls; but also ask the questions about internal segregation controls too.
Data at Rest Protection
Data at rest protections all about technical controls, and in particular data encryption; so ask yourself are their sufficient controls to prevent unauthorised access to your data, and to prevent its negligent disclosure/disposal? Also ask, how is data separated between different customers; how does the Service Provider ensure that its employees do not gain access to your data; and what level of encryption is applied to your data?
This comes down to ensuring that your organisation’s data, processed by the service, is not retained by the Service Provider inappropriately; is not made available to others, where service resources are reused; and is not lost or disclosed on end-of-life equipment. Therefore you need to be confident that data is erased when resources are moved or re-provisioned; and that storage media which has your data is sanitised and/or securely destroyed.
Put simply, how will storage media and other equipment which has been used to process your data, be handled/disposed of at the end of its useful life? This question may also be broadened to include; and how will media and equipment be handled and disposed of at the end of contract? In all instances media and equipment should be disposed of so that it does not compromise the security of the service or data; the process fully documented; and should be coupled with the sanitisation requirements above.
Physical Resilience and Availability
At the project initiation phase the importance of the service to your organisation should have been established, in terms of acceptable levels of downtime. This will help when selecting from the varying levels of service resilience on offer, to support your organisation’s ability to continue operations in the face of failures, incidents or attacks. So read through the information and sales blurb; asking questions where you need to, to ensure that the level of resilience meets your defined availability level. Whilst it may seem attractive to over-egg the level of resilience required, remember this will come with a potentially considerable price tag over the lifetime of a contract. This said any best-endeavours service support should be considered as no guaranteed service support
As mentioned in previous posts, there a number of implementation approaches: Service Provider assertions that they control access to media and storage devices; employ encryption and/or physical security controls to protect data at rest; and supporting evidence availability levels; Independent Validation of Assertions from an array of security standards, with supporting certification mechanisms which may be used to support a Service Provider’s assertions; Contractual obligations and Service Level Agreements (SLAs) to provide a mechanism of enforcement and compensation. Enforcement of the required security standards, and compensation where these standards are not met, will focus the mind of your selected Service Provider, so ensure your requirements are clearly defined; Correctly configured and deployed products, used in accordance with appropriate security procedures, to provide assured protection. The service provider however must demonstrate that key management and operational procedures are in place, used and audited; and Independent implementation testing to demonstrate that that technical, physical and procedural security controls deployed by Service Providers are effective and prevent (or contribute to the prevention of) unauthorised access to your data. However it is important to ensure the appropriate implementation approach is selected and properly documented. You should evaluate the evidence and draw conclusions on whether the assertions, and reputation of the Service Provider, provide sufficient confidence. In the case of independent validation, the assessment scope and resultant validation must include the facility where your data is to be stored. Also these standards differ in terms of the level inspection and testing of individual controls – so ensure the Service Provider’s certification covers your areas of risk appropriately. Because remember, inadequately protecting data (in relation to statutory and regulatory requirements) could lead to reputational damage to your organisation, and or legal and regulatory sanctions/penalties against it.