The Gartner article by Jae Heiser, Analyze the Risk Dimensions of Cloud and SaaS Computing, was really
relevant for me on the topic of cloud security and the different implications
of the IaaS, PaaS and SaaS models from a risk management perspective. As more
vendors move their solutions to the cloud, forcing customers to adopt some sort
of cloud model, we are left struggling to figure out what security looks like; it is certainly
one of the toughest things to deal with in this space.
Heiser correctly points out that analyzing risk in cloud computing is complex
because there are no established best practices for the method and content of a
cloud services risk assessment. This is driven by the lack of transparency on the
part of service providers, particularly in a SaaS model. Under normal
circumstances, where the organization has control, there is an expectation that
the systems being evaluated are well proven and well understood: we know where
each layer is located, and privileged users are identifiable and supervised in
many ways. With SaaS solutions, the system administrators are unknown, and many
layers of the architecture (the services, the network, the storage, the servers,
and in many ways even the application) are black boxes as far as the client is
concerned. As Heiser notes, this concern is less prevalent with an IaaS model,
where customers control far more (the data, the application, the virtual
machines), are responsible for monitoring and auditing to a large extent, and
have the access required to perform those activities. With PaaS, responsibility
is shared more evenly between the customer and the provider, depending on where
each security control is located.
With SaaS, the provider is responsible for nearly all of the security
functionality, the monitoring, and incident response. As Heiser notes, this
means that you as a customer have minimal ability to add controls or other
security mechanisms beyond the functionality native to the application. Do you
want a custom alert when a financial period is opened, or when a user creates an
invoice over a specified threshold? You had better hope the application can do
that out of the box, because you cannot extend it. The design and build of
application functionality is also a black box for customers; you may simply
receive an email listing the updates that will be released to your application
the following month. Without that transparency there is no guarantee that
functionality will stay the same, so you have to fit security testing into
whatever window the provider allows, testing the controls you do have access to
before the updates roll into your production environment.
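As an added example (not code from the Gartner article or from this post), here is the kind of alert described above built outside the application, on top of an exported audit log. It assumes the SaaS can export audit events as JSON lines with the field names used here; those names, the threshold and the sample events are all constructed for illustration.

```python
"""Period-opened and invoice-over-threshold alerts over an exported SaaS audit log.

Added example, not from the Gartner article or this post. It assumes the SaaS
application can export audit events as JSON lines with the fields used below;
the field names, threshold and sample events are constructed for illustration.
"""
import json
from decimal import Decimal

# Constructed sample export: what a finance SaaS audit log might look like.
# Includes one unparseable amount and one non-JSON line to show error handling.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T08:01:12Z", "actor": "controller@example.com", "action": "period.open", "object": "FY24-P03"}
{"ts": "2024-03-01T09:15:40Z", "actor": "ap.clerk@example.com", "action": "invoice.create", "object": "INV-10443", "amount": "4200.00", "currency": "USD"}
{"ts": "2024-03-01T09:16:02Z", "actor": "ap.clerk@example.com", "action": "invoice.create", "object": "INV-10444", "amount": "75000.00", "currency": "USD"}
{"ts": "2024-03-01T09:20:11Z", "actor": "ap.clerk@example.com", "action": "invoice.create", "object": "INV-10445", "amount": "bogus", "currency": "USD"}
{"ts": "2024-03-01T10:02:00Z", "actor": "admin@example.com", "action": "user.role.change", "object": "ap.clerk@example.com"}
this line is not json
"""

INVOICE_THRESHOLD = Decimal("50000")  # assumed policy value


def parse_events(text):
    """Yield parsed events; skip malformed lines rather than aborting the run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A malformed export line is dropped here; in production log it.
            continue


def evaluate(event, threshold=INVOICE_THRESHOLD):
    """Return an alert dict if the event matches a rule, otherwise None."""
    base = {"ts": event.get("ts"), "actor": event.get("actor"), "object": event.get("object")}
    action = event.get("action")
    if action == "period.open":
        return dict(base, rule="period_opened")
    if action == "invoice.create":
        try:
            # Decimal, not float: invoice amounts are money.
            amount = Decimal(str(event.get("amount")))
        except (ArithmeticError, ValueError, TypeError):
            # An amount we cannot read must not silently pass the threshold check.
            return dict(base, rule="invoice_amount_unparseable")
        if amount > threshold:
            return dict(base, rule="invoice_over_threshold", amount=str(amount))
    return None


def run(text, threshold=INVOICE_THRESHOLD):
    """Run every rule over an exported log and return the alerts in log order."""
    return [a for a in (evaluate(e, threshold) for e in parse_events(text)) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_AUDIT_LOG):
        print(alert)
```

Whether this is possible at all depends on the application exposing an audit-log export, which is exactly the kind of native functionality the paragraph above is about; it is worth confirming that the export exists, what fields it carries, and how quickly events appear in it, before relying on it as a compensating control.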
One important point Heiser makes, which many don't think about, is that your
cloud provider is often itself a customer of another provider. Your provider may
own and support the application but use a different provider for the
infrastructure, the storage, and so on. This is called a nested hosting
arrangement, and it complicates security even further. Everything said up to
this point has assumed that your SaaS application is fully supported by one
vendor; when nested hosting is in place the risks are compounded and the
complexity increases many times over. In practice, you need to conduct a risk
assessment of every provider involved in each layer of that cloud application
(and this may apply to more than just SaaS).
As Heiser reinforces, there is often nothing you can do about the lack of
transparency in many areas, so you have to rely on the contract as the mechanism
that ensures appropriate levels of security and service, accepting the loss of
transparency and real control. Whether that works depends on whether the legal
system will enforce penalties for noncompliance, and to what degree. Overall, it
is very clear that security in the cloud is a behemoth of a problem: it involves
everything from risk assessment of your providers to controls, auditing,
monitoring, and everything else security-related that you were able to do in
your on-premises environment. It is worth noting that many vendors will work
with you and provide evidence of whatever controls you ask about; you should
ask, and they should be able to produce proof. Certain providers also offer
security tools within their cloud suites that you can leverage to satisfy some
additional controls.