
SECURITY IN THE CLOUD

Both public and private sector organisations will inevitably turn to the Cloud in order to achieve operational efficiencies, remain agile in their marketplace and demonstrate Greener IT.
However, as the awareness, business benefits and deployment models of Cloud Computing gain momentum, the need to maintain data security, privacy and compliance becomes paramount. Ensuring that all data is secure, segregated where needed, and that access to it is clearly controlled requires careful planning and consideration when adopting Cloud. Some sectors, such as Government, will adopt a Community model for data classification and handling reasons, whereas Financial Services and Pharmaceuticals may well turn to a Private Cloud. Others may be able to benefit from the true multi-tenant environment of a Public Cloud deployment, where resources and computing power may well be considerably cheaper. For most organisations, though, a Hybrid model will provide the best blend of technological cost savings (Opex instead of Capex) versus business risk. Protecting your business against all applicable legislative and compliance requirements will determine whether a Cloud approach is viable for you.

Figure: Cloud Computing Security Model (NCC Group)


Cloud Computing is best described as an internet based computing model in which applications, platforms and infrastructure are available as resources, extending the better known paradigms of utility and grid computing into an open model. It can be broken down into three component services: Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). It is sold on demand, increases agility and is highly customisable. This in itself can bring efficiency, but not without business risk.

Cloud services have been around for a few years now through established providers such as Amazon and Google, but the fact that UK Government is now talking Cloud demonstrates its maturity and business viability. In particular, the exemplar work around G-Cloud and the Government Application Store (GAS) embraces the need for a new strategy to pull together all the published papers around Digital Britain, Operational Efficiency Programmes, Greener IT and Smarter Government. Their approach encourages departments to share knowledge, resources and application development efforts within a Cloud model, reducing costs and promoting secure, standards based architectures, in essence replicating business drivers and operating practices seen across multiple sectors. The single fact that there are over 200 data centres used by Government today is a good enough argument that security should be increased if they are consolidated to 10-12. Early figures released to the press show potential savings of up to 75% on cooling and power consumption and a cut in infrastructure costs of up to 300m per annum. This demonstrates a clear adoption of Green Computing by Government, taking into account the social and environmental impacts of new and emerging technologies such as Cloud. Potential cost savings from the GAS could even surpass those figures from the Government's data centre consolidation programme.

This approach, on the other hand, will not be without teething problems around data sharing, privacy, intellectual property and legal issues.

The onus on the Cloud provider is to ensure that their infrastructure is secure and that customers' data and applications are protected, while you, the customer, must ensure that the provider has taken the necessary security measures to protect your information. Trust, service maturity, auditing and availability need to be woven into the fabric of any Cloud model, with adherence to robust information security policies maintained at all times.

NCC Group plc Manchester Technology Centre, Oxford Road, Manchester, M1 7EF phone: +44 (0)161 209 5288 email: advisorysales@nccgroup.com web: www.nccgroup.com

Version 1_June 2010

Key questions
Is my data secure?
All Cloud providers will need to demonstrate to prospective customers that their infrastructure, platforms and application services are built securely and tested rigorously for vulnerabilities. The very nature of Cloud means that virtual servers may reside on multiple physical servers, any of which may be located in countries where, from a legislative perspective, your data is not allowed to reside. If encryption is used to provide confidentiality, the deployment of that technology (especially in Government) has to be commensurate with the business impact of the data. Key management in the Cloud may not work, as it could be argued that it will not scale, but a federated key management approach, backed by an enterprise wide Escrow service, could see your existing investment leveraged.

Is the environment secure?
If your business is processing payments through MasterCard and Visa within a Cloud environment, then it is imperative that the physical and logical compartments are secure in order to remain compliant with PCI-DSS. Adequate access controls need to be deployed, and remote management of the Cloud by the provider has to be through agreed and assured channels, demonstrating separation of duty. IT Service Continuity has to be addressed to ensure that your business is not left incapacitated during an outage. Those mature Cloud providers that have developed their services with IT governance, using industry standard security frameworks, have a key differentiator over their competition.

What happens to my data if there's a breach?
The legal aspects of hosting data within a Cloud need to be understood: where is it stored and who has access to it? This may be complicated in a Cloud where data retention and disposal policies may not be the same as your own. A further layer of complexity is that Cloud inherently means your data may be on the move, which complicates a forensic investigation and is where litigation support may be advantageous.
Ensure that you're covered through contracts and Service Level Agreements, and that your data is backed up and available for an e-Discovery or forensic investigation if required.

Have the applications been tested?
Cloud providers need to demonstrate that their SaaS has been load and stress tested to achieve SLAs and has the elasticity to handle peak demand. Platforms and applications should be routinely security penetration tested, with remediation plans socialised with the customer. Applications need to be robust (functional and unit testing) for integrity, usability and availability, but savvy IT procurement managers will also ensure that their Cloud provider can demonstrate secure application development and source-code analysis through industry recognised testing practices.

About NCC Group


NCC Group is a leading global provider of independent escrow, information security assurance and advisory services. As a trusted advisor, we provide business critical IT assurance and protection to over 15,000 public, private and not for profit sector organisations, including 94 of the FTSE 100. Our independence from hardware and software providers ensures the advice we offer is unbiased and impartial. We focus on developing intelligent solutions to real business issues and building lasting partnerships through our comprehensive portfolio of business critical IT assurance and protection services.

ACCREDITATIONS
For more information on NCC Group Secure Test, please contact: phone: +44 (0)161 209 5111 email: securetest@nccgroup.com NCC Group Secure Test, Manchester Technology Centre, Oxford Road, Manchester, M1 7EF

