<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Cloud Computing</title>
	<atom:link href="http://www.halbheer.ch/security/category/industry/cloud-computing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security</title>
		<link>http://www.halbheer.ch/security/2011/12/16/office-365-becomes-first-and-only-major-cloud-productivity-service-to-comply-with-leading-eu-and-u-s-standards-for-data-protection-and-security/</link>
		<comments>http://www.halbheer.ch/security/2011/12/16/office-365-becomes-first-and-only-major-cloud-productivity-service-to-comply-with-leading-eu-and-u-s-standards-for-data-protection-and-security/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 13:09:09 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Office365]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/?p=2585</guid>
		<description><![CDATA[<p>A long title but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we now achieved three things:</p> Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/12/16/office-365-becomes-first-and-only-major-cloud-productivity-service-to-comply-with-leading-eu-and-u-s-standards-for-data-protection-and-security/">Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security</a></span>]]></description>
			<content:encoded><![CDATA[<p>A long title but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we now achieved three things:</p>
<ul>
<li>Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards.</li>
<li>Office 365 is the first and only major cloud productivity service that enables HIPAA compliance.</li>
<li>The Office 365 Trust Center provides in-depth information about the privacy and security practices for Office 365 and was recently redesigned to be more accessible and easy to understand.&#160; The new site can be accessed at <a href="http://trust.office365.com">http://trust.office365.com</a>.</li>
</ul>
<p>If you are interested in the official press statement: <a title="http://www.microsoft.com/Presspass/press/2011/dec11/12-14O365CloudPR.mspx" href="http://www.microsoft.com/Presspass/press/2011/dec11/12-14O365CloudPR.mspx">http://www.microsoft.com/Presspass/press/2011/dec11/12-14O365CloudPR.mspx</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/12/16/office-365-becomes-first-and-only-major-cloud-productivity-service-to-comply-with-leading-eu-and-u-s-standards-for-data-protection-and-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Definition of Cloud Computing</title>
		<link>http://www.halbheer.ch/security/2011/09/16/definition-of-cloud-computing/</link>
		<comments>http://www.halbheer.ch/security/2011/09/16/definition-of-cloud-computing/#comments</comments>
		<pubDate>Fri, 16 Sep 2011 04:41:03 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Fun]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Cloud]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/09/16/definition-of-cloud-computing/</guid>
		<description><![CDATA[<p>Just found this on http://news.yahoo.com/photos/new-adventures-of-queen-victoria-slideshow/20110914-naqv110914-gif-photo-050626492.html</p> <p></p> <p>Love that </p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>Just found this on <a title="http://news.yahoo.com/photos/new-adventures-of-queen-victoria-slideshow/20110914-naqv110914-gif-photo-050626492.html" href="http://news.yahoo.com/photos/new-adventures-of-queen-victoria-slideshow/20110914-naqv110914-gif-photo-050626492.html">http://news.yahoo.com/photos/new-adventures-of-queen-victoria-slideshow/20110914-naqv110914-gif-photo-050626492.html</a></p>
<p><img src="http://media.zenfs.com/en_us/News/ucomics.com/naqv110914.gif" /></p>
<p>Love that <img style="border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2011/09/wlEmoticon-smile.png" /></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/09/16/definition-of-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Searchable Encryption for the Cloud&#8211;soon?</title>
		<link>http://www.halbheer.ch/security/2011/08/10/searchable-encryption-for-the-cloudsoon/</link>
		<comments>http://www.halbheer.ch/security/2011/08/10/searchable-encryption-for-the-cloudsoon/#comments</comments>
		<pubDate>Wed, 10 Aug 2011 11:41:04 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/08/10/searchable-encryption-for-the-cloudsoon/</guid>
		<description><![CDATA[<p>This is a very interesting development. Encryption generally would solve a lot of problems around data sovereignty. So, encrypting the data, keeping the key and moving the data to the public cloud could basically address a lot of the risks. Today, it comes with a high price as the data which resides encrypted in the <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/08/10/searchable-encryption-for-the-cloudsoon/">Searchable Encryption for the Cloud&#8211;soon?</a></span>]]></description>
			<content:encoded><![CDATA[<p>This is a very interesting development. Encryption generally would solve a lot of problems around data sovereignty. So, encrypting the data, keeping the key and moving the data to the public cloud could basically address a lot of the risks. Today, it comes with a high price, as data which resides encrypted in the Cloud cannot be indexed (and is therefore not searchable), nor can any operation be conducted on it.</p>
<p>The solution is homomorphic encryption, on which a lot of research is being done, but it is still too slow. People at Microsoft Research have now taken a new angle on it: they took what is already available and looked at the scenarios which are already possible today.</p>
<p>The following article gives an interesting overview of what would be possible based on today’s research: <a href="http://www.technologyreview.com/computing/38239/" target="_blank">A Cloud that Can&#8217;t Leak</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/08/10/searchable-encryption-for-the-cloudsoon/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Cloud Security in Office365</title>
		<link>http://www.halbheer.ch/security/2011/07/15/cloud-security-in-office365/</link>
		<comments>http://www.halbheer.ch/security/2011/07/15/cloud-security-in-office365/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 08:12:29 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/07/15/cloud-security-in-office365/</guid>
		<description><![CDATA[<p>You heard about the launch of Office365 recently and I hope you read the blog post on the application of the Cloud Computing Security Considerations to the private cloud. If not, here it is: Security Considerations in a Private Cloud</p> <p>To complete the series now, we released an additional paper on how these considerations can <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/07/15/cloud-security-in-office365/">Cloud Security in Office365</a></span>]]></description>
			<content:encoded><![CDATA[<p>You heard about the launch of Office365 recently and I hope you read the blog post on the application of the <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Computing Security Considerations</a> to the private cloud. If not, here it is: <a href="http://www.halbheer.ch/security/2011/06/24/security-considerations-in-a-private-cloud/" target="_blank">Security Considerations in a Private Cloud</a></p>
<p>To complete the series now, we released an additional paper on how these considerations can be applied to Office 365. It is not about the security features of Office 365. It is about how the responsibilities between the customer and us can and shall be split. This is a really interesting paper in my opinion: <a href="http://download.microsoft.com/download/2/2/0/220AE513-4A01-4D95-9275-11E71215A0C2/CloudSecurityConsiderations_MicrosoftOffice365.pdf" target="_blank">Addressing Cloud Computing Security Considerations with Microsoft Office 365</a>.</p>
<p>Additionally, we took a deeper look at the Cloud Security Alliance’s Cloud Control Matrix (CCM) and provided an answer for each question/control raised in this document: <a href="http://www.microsoft.com/download/en/details.aspx?id=26647" target="_blank">Standard Response to Request for Information &#8211; Security and Privacy</a>.</p>
<p>These are all steps to provide you with the necessary transparency to get into the public cloud and on Office 365!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/07/15/cloud-security-in-office365/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Considerations in a Private Cloud</title>
		<link>http://www.halbheer.ch/security/2011/06/24/security-considerations-in-a-private-cloud/</link>
		<comments>http://www.halbheer.ch/security/2011/06/24/security-considerations-in-a-private-cloud/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 14:31:38 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Private]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/24/security-considerations-in-a-private-cloud/</guid>
		<description><![CDATA[<p>I am talking a lot about Cloud Security. There are a few observations I made:</p> Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/24/security-considerations-in-a-private-cloud/">Security Considerations in a Private Cloud</a></span>]]></description>
			<content:encoded><![CDATA[<p>I am talking a lot about Cloud Security. There are a few observations I made:</p>
<ul>
<li>Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?</li>
<li>A lot of businesses look at it as all or nothing. This is simply a massive mistake. There are workloads (like your identity management) that you will keep on premise for a really long time before moving them to the Cloud. There are others you might want to move immediately to the public Cloud, and some of it will stay in a private Cloud.</li>
<li>There is a lot of fear out there and not a lot of frameworks that can help bring the whole discussion to a rational level. Actually, there is a lot of material out there, but not a lot which is simple to read and consume.</li>
</ul>
<p>That’s the reason why Doug Cavit and I wrote the <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Computing Security Considerations</a> about a year ago. We came up with 5 points to be considered when looking at the Cloud from a security perspective:</p>
<blockquote><ul>
<li><i>Compliance and Risk Management</i>: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.</li>
<li><i>Identity and Access Management</i>: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.</li>
<li><i>Service Integrity</i>: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.</li>
<li><i>Endpoint Integrity</i>: As cloud-based services originate&#8211;and are then consumed&#8211;on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.</li>
<li><i>Information Protection</i>: Cloud services require reliable processes for protecting information before, during, and after the transaction.</li>
</ul>
</blockquote>
<p>These five considerations were very well received and seem to work well for customers to address part of the points above. The number 1 question I got, however, was: How can I apply this to the different scenarios?</p>
<p align="center"><strong>Therefore I am happy to announce that we just released a paper to the web called: </strong><a href="http://download.microsoft.com/download/2/2/0/220AE513-4A01-4D95-9275-11E71215A0C2/CloudSecurityConsiderations_PartnerPrivateCloud.pdf" target="_blank">Addressing Cloud Computing Security Considerations with a Partner Private Cloud</a><strong>.</strong></p>
<p>We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!</p>
<p>Finally, stay tuned: In a few days, we will do the same for the public Cloud, this time focused on Office365. As soon as we go live with Office365, we will publish it.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/24/security-considerations-in-a-private-cloud/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Does the business really hate IT?</title>
		<link>http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/</link>
		<comments>http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/#comments</comments>
		<pubDate>Thu, 23 Jun 2011 12:55:27 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Outsourcing]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/</guid>
		<description><![CDATA[<p>Back at the times of outsourcing, there was real tension between IT and the business. Internal IT had the “comfortable” position of having a monopoly: The business used the internal IT and basically just had to pay the bill. Then times came, where the business was not satisfied anymore. That basically started with the time <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/">Does the business really hate IT?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Back at the times of outsourcing, there was real tension between IT and the business. Internal IT had the “comfortable” position of having a monopoly: The business used the internal IT and basically just had to pay the bill. Then times came when the business was not satisfied anymore. That basically started with the time of the PC. IT was in kind of a losing position: If the decentralized IT worked, it was just what users expected; if it did not, users complained. Additionally, as IT was treated as an art rather than an engineering discipline (that’s the way it is still run on a lot of occasions), cost just grew, without any real need to rationalize. IT is critical for all businesses, but the value is hard to measure (until you lose your mail server once for a day).</p>
<p>Then outsourcing came and everything was getting better – not really. A lot of companies outsourced a problem – they used the same people with the same attitude and outsourced everything to the outsourcing provider. But now they had a contract – and so did the outsourcer. There were (and still are) numerous meetings I have been in, where the customer and the outsourcer were fighting, whether applying a patch is part of the contract or not and whether patch management should be done more than every six months. Finally, the customer had to learn to become a customer as well and specify their needs.</p>
<p>Why do I write this? Because I see similar discussions today with the Cloud. Business is not satisfied with how internal IT delivers. They are too slow, too expensive and too unreliable – therefore the business is looking at the promises of the Cloud: Fast, reliable, inexpensive. What does it really mean for the business? For IT?</p>
<ul>
<li>To me the business has to understand that if they move to the public cloud, there is a good chance that they have to adapt their business processes. Remember the huge ERP projects? It is not that different. This might be good as it forces the organization to clean up – but it shall be a conscious decision. Even for the part you are moving to the cloud, you still have to keep part of your responsibilities: You are still ultimately responsible for your compliance. You should keep your identity management in house, and risk management for your business cannot be outsourced. You have to have a data classification which is applied and lived – this is how we described it in our <a href="http://go.microsoft.com/?linkid=9708479">Cloud Computing Security Considerations</a>. Last but not least: You are the customer of a standardized service. Make sure you understand this, as this will be a long-term partnership you are going for, with very, very limited flexibility of the final solution.</li>
<li>If you move to the private cloud, the situation is slightly different as you might have more influence on what your solution looks like, but even the private cloud is not outsourcing as you knew it – e.g. most probably you will not be able to tell the cloud provider how they will run their datacenters. You will run on your own OS instances (which does not necessarily mean your own hardware, as the solution will most probably be virtualized), but even the question of the data location might have to be negotiated. And: It definitely costs more.</li>
<li>If you are an IT organization: Become a Cloud provider. Become the partner for your business in the Cloud. Your business will want to have part of it in a private cloud – offer this in a way you can compete with third parties, as you will not be able to compete in the public cloud.</li>
</ul>
<p>This decision has to be a strategic decision and not a decision taken because the business does not like their own IT. For the internal IT it might be a threat (if you decide to sit and wait) or an opportunity (if you take the strategic decision and seize the opportunity).</p>
<p>Now, the reason for this post was actually an article which was sent to me: <a href="http://www.itworld.com/cloud-computing/174967/business-users-abandoning-it-quicker-self-serve-cloud-apps" target="_blank">Why businesses move to the cloud: They hate IT</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who cares where your data is?</title>
		<link>http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/</link>
		<comments>http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/#comments</comments>
		<pubDate>Fri, 10 Jun 2011 11:51:04 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Regulation]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/</guid>
		<description><![CDATA[<p>Wow, I guess the reason for you clicking on the link is this statement – right? Well, “unfortunately” I cannot claim ownership of it. It was made by a Google representative during an interview in Australia: Google: Who cares where your data is?</p> <p>To me, the whole Cloud discussion sometimes drives into interesting directions. I <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/">Who cares where your data is?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Wow, I guess the reason for you clicking on the link is this statement – right? Well, “unfortunately” I cannot claim ownership of it. It was made by a Google representative during an interview in Australia: <a href="http://www.scmagazine.com.au/News/260041,google-who-cares-where-your-data-is.aspx" target="_blank">Google: Who cares where your data is?</a></p>
<p>To me, the whole Cloud discussion sometimes drives into interesting directions. I often feel that Cloud providers develop a solution and then tell the world that the policy decisions were made on purpose to protect the customers. Like some providers told the world in the past that you should not care how your data is protected: they take care of your security and you should just trust them – like banks. Nonsense! If you have to prove compliance, you will definitely want to understand how your data is protected and what controls are enforced in the Cloud environment. But as the industry – including the regulators – is still trying to understand the impact of the Cloud, it is a good time to drive such messages and sell the setup as “best practice”. </p>
<p>Things will change and outdated policies will be adapted to today’s reality, but making a statement that you should not care where your data is simply neglects some “minor” obligations you carry, like protecting the privacy of the people whose data you hold… or the fact that you probably do not want your state secrets in another country (even though I do not expect a country putting Top Secret material in the public cloud – yet).</p>
<p>Just because the Cloud provider does not know, where your data is does not mean that you shouldn&#8217;t care…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud computing providers: Clueless about security?</title>
		<link>http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/</link>
		<comments>http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/#comments</comments>
		<pubDate>Wed, 04 May 2011 17:04:53 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/</guid>
		<description><![CDATA[<p>To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.</p> <p>Recent incidents made me doubt:</p> Amazon not only having significant downtime but in the same time losing customer data. Sony’s game network being significantly compromised. <p>This is definitely not to blame them but I was heavily <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/">Cloud computing providers: Clueless about security?</a></span>]]></description>
			<content:encoded><![CDATA[<p>To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.</p>
<p>Recent incidents made me doubt:</p>
<ul>
<li>Amazon not only having significant downtime but in the same time losing customer data.</li>
<li>Sony’s game network being significantly compromised.</li>
</ul>
<p>This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: <a href="http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf" target="_blank">Cloud computing providers: Clueless about security?</a></p>
<p>If we look at this, it gives us a really scary picture of the industry – especially as I know how much effort we (and other Cloud providers) put into securing our customers’ data. If you look at the management summary, they say:</p>
<blockquote>
<ul>
<li>The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.</li>
<li>The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.</li>
<li>Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.</li>
<li>Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.</li>
<li>The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.</li>
<li>Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.</li>
<li>While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.</li>
</ul>
</blockquote>
<p>What we should not think is that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations, as we state in our <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Computing Security Considerations</a> paper:</p>
<blockquote><p><em>Compliance and Risk Management</em>: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.</p></blockquote>
<p>We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what is still the customer’s responsibility and what can be transferred to the Cloud Provider.</p>
<p>If you consider the points in the study above, it means that you have to do your due diligence and look into what the provider does to secure your data. Process transparency is key in this respect!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/05/04/cloud-computing-providers-clueless-about-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quit Worrying About Cloud Security?</title>
		<link>http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/</link>
		<comments>http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/#comments</comments>
		<pubDate>Fri, 04 Feb 2011 10:47:00 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/</guid>
		<description><![CDATA[Increasingly, I see articles and posts that claim that security could actually improve if you migrate to the Cloud. And increasingly I am a firm believer in these statements. It is not about forgetting best practices and just handing over everything to the Cloud provider. It is about adapting your practices to the new reality. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/">Quit Worrying About Cloud Security?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Well, it is not THAT easy, but at least there are people starting to claim that it is not as hard as it sometimes seems to be. I stumbled across the following article: <a href="http://fcw.com/articles/2011/01/31/cloud-security.aspx?s=security_030211&amp;admgarea=TC_SECCYBERSEC" target="_blank">Why you can quit worrying about cloud security</a> (thank you Jim), which makes a lot of interesting statements on how the US Federal Government should look at the cloud, and in a lot of cases they are in line with what Doug Cavit and I wrote in the <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Computing Security Considerations</a>:</p>
<blockquote><p>“We must push the envelope,” said James Williams, CIO at NASA’s Ames Research Center, which is developing the Nebula infrastructure as a service offering for the entire agency. “It&#8217;s not so much about making the cloud secure but about using the cloud to leverage best practices in security across an enterprise.” </p>
</blockquote>
<p>Interesting! I recently had a discussion with our Chief Security Advisor in Australia and he told me how the Cloud currently comes into play: customers are not looking for a cloud solution but for a way to improve their GRC processes. In parallel they have to reduce costs. Why not use the Cloud for this? Instead of trying to get ISO 27001 certified yourself – we are. Instead of getting the audit under SAS 70 Type II yourself – we have. And the reason for that is fairly simple: we need to in order to help you get compliant, and then – it is our core business. Is running a datacenter in a compliant way yours?</p>
<p>So, the article above mentions four reasons why you should stop worrying:</p>
<blockquote><p><strong>1. Sharing the cloud with strangers isn&#8217;t always a deal breaker</strong>.</p>
<p>[…] </p>
<p>Those risks are real, but they shouldn’t be deal breakers if proper steps are taken, especially given the potential financial rewards of multitenancy services. “You make a mistake if, in order to get security, you avoid co-tenancy entirely,” Rasch said.</p>
<p>There are ways to make such environments safer. At the Treasury Department, for example, officials are choosy about what they send to the cloud.</p>
<p>[…]</p>
<p>But Williams warned that cloud customers need to look below the surface. “Serious attention must be paid to crypto-implementation for processing and storage,” he said. He advises administrators to investigate each provider’s encryption strategy to answer the ultimate question: “Do you trust the algorithm as implemented by the vendor?” </p>
</blockquote>
<p>It has to be about understanding your data and its classification. If you do not understand your data, you cannot make the decision described above. It reflects the last point in our paper on <em>Information Protection</em>. Additionally, trust leads back to certification. The encryption has to be FIPS certified.</p>
<blockquote><p><strong>2. FedRAMP is good start, but only the beginning.</strong></p>
<p>Federal officials are optimistic that the budding Federal Risk and Authorization Management Program will simplify cloud security, but agencies shouldn’t let their guards down. Even after it’s finalized, don’t expect FedRAMP to relieve you of all security burdens. </p>
</blockquote>
<p>I cannot (and do not want to) comment on FedRAMP. But what I keep saying (and wrote again in the paper) is: whatever you do with the Cloud, compliance and risk management remain your responsibility!</p>
<p>However, the interesting thing is that as soon as money is involved, the discussion starts about which are the right standards to build something like that upon… I will not comment on that further.</p>
<blockquote><p><strong>3. Outsourcing to the cloud? Don&#8217;t abdicate on security</strong></p>
<p>Cloud computing increases the importance of a security best practice that every agency CIO might soon need to implement: continuous monitoring of IT resources and activities</p>
</blockquote>
<p>See the point I made above. It is your responsibility. One thing is important to understand: if you are shooting for a public Cloud, you have to be aware of the fact that this is a standard service, out of the box. The ability to customize it to your compliance needs is very, very limited, as this is what the public Cloud is all about. You will have to trust the standards applied and the audits done by the Cloud provider. These audit reports have to be accessible to you if you are a customer (maybe under NDA). We are talking about economy of scale, as you are looking for lower costs.</p>
<p>If you need tighter security, more controls, etc., you might want to consider a private Cloud (on- or off-premises).</p>
<blockquote><p><strong>4. Off-the-shelf security terms are often negotiable.</strong></p>
<p>Not all cloud security challenges are caused by still-evolving best practices and immature technologies. Some are the result of ongoing confusion about where a cloud service provider’s data management responsibilities end and the agency’s begin. </p>
<p>For example, don’t assume that the cloud provider will automatically back up data and store it on off-site tapes — a reasonable assumption under long-standing data protection practices. Similarly, a traditional intrusion detection system might not be included in a standard cloud contract. </p>
<p>“Those are services you can add, but if you don’t ask, you are not getting them oftentimes,” Cronin said. </p>
<p>Avoid unpleasant surprises and finger-pointing by diligently combing through cloud quotes to clearly understand what is being provided. And be ready to negotiate for anything that’s not spelled out in the document. </p>
</blockquote>
<p>Therefore we ask customers to run a strong security and risk management team within their organizations. They need to be included in contract negotiations, and I would definitely expect a Cloud provider to run the service in a professional way. At the end of the day, you have to be able to trust your provider.</p>
<p>And finally, there is a very interesting statement at the end:</p>
<blockquote><p>“There is initially a belief that the cloud may not be as secure as [an agency’s] own infrastructure,” Cronin said. “But a cloud solution can be more secure than many federal systems that are on legacy infrastructures using legacy controls.” </p>
</blockquote>
<p>If you are honest and set your feelings aside: how good is your security? Really! Don’t get me wrong. I do not claim that security is bad everywhere and that only Cloud providers know how to deal with it, but I have seen a lot of very scary things which cannot be changed internally precisely because you are internal. If the provider applies best practices, you “have to” follow these processes. This might be a great opportunity to increase your security.</p>
<p>And finally, there was an Australian KPMG report, which makes similar statements: <a href="http://www.halbheer.ch/security/2010/09/28/customer-experience-study-security-improves-in-the-cloud-2/" target="_blank">Customer Experience: Security Can Improve in the Cloud</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/04/quit-worrying-about-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybercrime as a Service&#8211;Our Future?</title>
		<link>http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/</link>
		<comments>http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/#comments</comments>
		<pubDate>Wed, 12 Jan 2011 09:01:31 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2011/01/12/cybercrime-as-a-serviceour-future</guid>
		<description><![CDATA[<p>It is not really surprising that the criminals will leverage the economy of Cloud Computing for their illegal purposes. Especially activities, which consume a lot of processor power will be moved to the Cloud – like any other business.</p> <p>Some way back, there were discussions on how to leverage GPUs to crack passwords: Graphics Cards <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/">Cybercrime as a Service&#8211;Our Future?</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is not really surprising that criminals will leverage the economics of Cloud Computing for their illegal purposes. Especially activities which consume a lot of processor power will be moved to the Cloud – just like in any other business.</p>
<p>Some time back, there were discussions on how to leverage GPUs to crack passwords: <a href="http://www.darknet.org.uk/2007/11/graphics-cards-the-next-big-thing-for-password-cracking/">Graphics Cards – The Next Big Thing for Password Cracking?</a> – that was back in 2007. Then in 2009 there were discussions on how to misuse Amazon EC2 to crack passwords: <a href="http://www.darknet.org.uk/2009/11/using-cloud-computing-to-crack-passwords-amazons-ec2/">Using Cloud Computing To Crack Passwords – Amazon’s EC2</a>. Now there are announcements that it will become public knowledge how to use Amazon’s EC2 GPU instances to combine both – announced at BlackHat DC: <a href="http://www.darkreading.com/authentication/167901072/security/encryption/229000423/cloud-based-crypto-cracking-tool-to-be-unleashed-at-black-hat-dc.html">Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC</a>.</p>
<p>This development cannot be surprising. Crime is a business &#8211; illegal, but following the same rules as any other business. If somebody is conducting illegal activities on a Cloud infrastructure, I expect every cloud provider to do their best to fight that. But it is close to impossible. Let’s assume you are a mathematician at a University doing crypto research. Part of your job is trying to understand how vulnerable the mathematical models for crypto are and how you can improve them. So, cracking crypto is a legitimate part of your job. Putting such work in the Cloud might make sense. How can you distinguish such use of a Cloud infrastructure from an illegal activity? Even worse: in Amazon EC2, you just rent an infrastructure, without Amazon knowing what is going on in the virtual machine. As a customer of Amazon, I would definitely not want them to look into my VMs – that’s my business.</p>
<p>How can we make sure that criminals are not misusing a Cloud infrastructure while customers still retain confidentiality? This will be a huge challenge.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/01/12/cybercrime-as-a-serviceour-future/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

