
Improving Data Security for Mobile and Cloud Computing

e-Book
A Compliance Week publication
Brought to you by the publishers of COMPLIANCE WEEK
An e-Book publication sponsored by

INSIDE THIS PUBLICATION: Risks and Benefits of Employee-Owned Devices; PwC: Establishing Trust in Cloud Computing; Improving Data Security for Cloud Computing; GeoTrust: Choosing a Cloud Provider with Confidence; Outlook Improving for Data Security in the Cloud

Compliance Week is an information service on corporate governance, risk, and compliance that features a weekly electronic newsletter, a monthly print magazine, proprietary databases, industry-leading events, and a variety of interactive features and forums. Founded in 2002, Compliance Week has quickly become one of the most important go-to resources for public companies. Compliance Week now reaches more than 26,000 financial, legal, audit, risk, and compliance executives.

PwC has been providing professional IT and compliance services for over 100 years. With strong industry credentials and more than 163,000 professionals in 151 countries, we actively leverage our diverse institutional knowledge, experience and solutions to provide fresh perspectives and significant value for our clients. PwC provides professional services offering cloud providers and their customers an independent and objective assessment of controls and policies related to cloud computing technology. As broader enterprise adoption of cloud computing technology emerges, you need IT, audit, and security professionals you can trust to help you see through the clouds and protect your assets, technology, and brand. Our professionals are recognized throughout the industry for their innovation in analyzing, developing, and implementing tailored solutions for clients, both within the technology sector and across all industry sectors.

GeoTrust, a leading certificate authority, provides retail and reseller services for SSL encryption and website authentication, digital signatures, code signing, secure email, and enterprise SSL products. Products include True BusinessID with Extended Validation SSL Certificates, True BusinessID SSL Certificates, Multi-Domain Certificates, Wildcard SSL Certificates, UC/SAN SSL Certificates, Quick SSL Premium Certificates, VeriSign Certified Document Solutions, My Credential Certificates, and Enterprise SSL.

Inside this e-Book:
Company Descriptions ... 2
Risks and Benefits of Employee-Owned Devices ... 4
PwC: Establishing Trust in Cloud Computing ... 6
Improving Data Security for Cloud Computing ... 10
GeoTrust: Choosing a Cloud Provider with Confidence ... 12
Outlook Improving for Data Security in the Cloud ... 18


Risks and Benefits of Employee-Owned Devices


By Joe Mont

Fueled by the popularity of the iPhone and iPad, and aided by the uncertain future of Research in Motion, maker of that longtime business staple the BlackBerry, companies are increasingly embracing a bring-your-own-device workplace. No longer content with just a company-issued desktop or laptop, employees are looking to thumb their way through e-mail, and what is often sensitive company data, whenever and wherever they choose, on devices they purchase themselves. The trend has forced companies to weigh the benefits of a happy, productive workforce against security issues and regulatory requirements.

"I think the BYOD discussion is going to come down to how much you can get away with before you introduce harm," says Davi Ottenheimer, president of information security firm Flyingpenguin. "If you give employees a workspace that they are able to own, and run with, they will be productive. But on the flip side you are also introducing so much more risk," adds Ottenheimer, co-author of Securing the Virtual Environment: How to Defend the Enterprise Against Attack.

While some companies are embracing the BYOD approach, happy to let employees bear the cost of hand-held devices, others are clamping down on the practice out of security concerns. For example, IBM recently evicted Siri from its workplace and banned employees from using their own devices, like iPhones, to view company data. IBM cited concern over the way Apple's data pipeline between users and the voice-activated personal assistant could compromise security. "IBM has a lot to lose if Siri is actually leaking data out," Ottenheimer says. IBM also bans cloud-based services, like Dropbox, that are more consumer-focused and don't offer robust, enterprise-level security.

"Mobile computing has dramatically changed how we exchange data," says Rick Dakin, CEO and co-founder of Coalfire, an information technology governance, risk, and compliance firm. "Unfortunately the developers of mobile applications and the cloud services that support them did not bake compliance and security into the solutions," he says. "I think the rapid change caught developers and enterprise IT off guard. In a way, it is more than bringing your own device to work, it is managing compliance in the post-firewall era."

Dakin recalls sitting on a flight recently beside a fellow passenger who was frantically pounding out an executive briefing filled with sensitive sales data on a brand new iPad, using the airplane's insecure WiFi, a scenario he says is far too common. "The IT department of that enterprise has no idea what he is doing, has no idea what the access controls are, has no idea what data is being addressed, no idea how that data is being transported, and has no ability or access to wipe that iPad should he lose it," he says.

According to Dakin, most companies don't even realize the security risks they are taking when they allow employees to use their own electronic devices. "Can you imagine being the internal auditor and going to your board of directors and saying, 'Well, I can provide evidence that we have compliance on these rigorous data protections and intellectual property protection policies that you set on 60 percent of our devices. The other 40 percent? We have no clue,'" he says.

Some IT security experts say that companies can allow a BYOD approach and still maintain some security standards. "Companies have to find a way, from a political standpoint, to use compliance to say, 'You can bring your device, but we will hold you responsible and we will take action, in self-defense, to protect our assets, and to make sure the devices that are brought in meet our compliance guidelines,'" Ottenheimer says.

Embracing BYOD

A study of 600 U.S. IT and business leaders conducted in May by Cisco finds that more companies are embracing BYOD. "IT is accepting, and in some cases embracing, BYOD as a reality in the enterprise," the study's authors wrote. According to the study, 95 percent say their organizations permit employee-owned devices in some form in the workplace. Eighty-four percent of IT departments not only allow employee-owned devices but also provide some level of support, and 36 percent of those surveyed say their enterprises provide full support for employee-owned devices.

The trend toward BYOD has both helped and hurt Cisco. In May the company announced that while the trend has led to tremendous interest in its Jabber and WebEx collaboration software, these same market transitions led to a decision to cease development of its Cius tablet. Launched in 2010, the enterprise-focused tablet found itself struggling to draw market share away from the consumer-level devices being integrated into the workplace.

The same trends haven't been kind to BlackBerry. "In the old days, not that many people really bought a BlackBerry themselves," says Ojas Rege, vice president of strategy for MobileIron, a company that provides enterprise management and security for mobile devices and apps. "The BlackBerry was a business instrument that maybe you did some personal stuff on. What's changed now is that every individual wants a smartphone or a tablet, and it is a personal instrument that they are also going to do business on. The role has reversed."

Companies have already looked at issues like encryption and password protections, Rege says. What they haven't done as well is to bridge the gap between implementation and policy, particularly when it comes to privacy issues. "[In the past] they have been able to put policies in place without really having to consider the impact of privacy. In a BYOD setting, with a personal device that is being used for business, suddenly, privacy becomes relevant," he says. "Security is an enterprise worried about losing its data. Privacy is a user worried about losing his or her data. It is exactly the same problem, but from two very different perspectives."

Protecting Data

The first step for companies looking to adapt to BYOD demands, Rege says, is to identify the baseline for corporate data protection. They then need to assess what could happen to a mobile device that might pose a threat to corporate data, such as a lost phone or a user who removes password protection. Similar to how companies deploy data classification programs, users can have privileges reined in based on their mobile device's trust level. "You can say that a highly trusted device, which has defined characteristics, gets access to all my enterprise resources," Rege says. "If the trust level of that device drops, you only get access to e-mail and not an application with financial data. If the trust level drops even more, you don't get access to anything." He says the trust level of a particular device can be changed through the day depending on its characteristics, such as its location or behavior pattern.

"The mind shift compliance and security teams need to have is that the user experience is fundamental, so anything they do on the security side that breaks user experience will just lead that well-intentioned user to go rogue," Rege says. "They will just go around it. User experience will actually trump your security policy."

Updating security policies to adapt to mobile devices is another important step, says Dakin. Most companies have not, he says. Internal audit requirements also have to be updated to account for mobile computing. "It is a question of raising the awareness, because the solutions are there; they don't need to fear migration to mobile, they just need to plan for it and execute for it," Dakin says. Unfortunately, many of the business decision makers, the ones who allocate the capital, don't understand the technology, he adds. "The early wave of security was all about firewalls and intrusion prevention because the bad guys lived in Russia and they were going to attack us over the Internet. That's really where their education stopped, with that firewall mentality of a hard candy outer shell with a soft, gooey inside."

Beyond users, companies also need to navigate regulatory hurdles. "There are a lot of companies that are worried about moving forward with next-generation mobile apps because they are not sure how to handle their compliance teams and regulators in a way that gets everyone to a place where they need to be," Rege says. "I think there are going to be some new models for how a compliance team is structured and how the relationship with whatever regulatory body is managed on a daily basis." Ottenheimer predicts that these issues will gain more focus as younger people, raised on technology, enter government. "We are transitioning into the era of the tech-aware regulator," he says.

[Figure: MOBILE DEVICE TRENDS. The following graph from Cisco shows what is trending now for mobile devices. Source: Cisco.]

KNOWLEDGE LEADERSHIP

Establishing Trust in Cloud Computing


By Sharon Kane and Cara Beston

Cloud Value Proposition

Cloud computing has unprecedented potential to deliver greater business agility and flexibility while lowering IT costs. It is no surprise that cloud computing is the fastest-growing trend in enterprise technology today, and for the foreseeable future. Forrester Research, Inc. predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.[1] Cloud has already taken flight in many IT organizations. In PwC's 2012 Global Information Security Survey of more than 9,600 security and IT leaders, 41% of respondents said their organization has implemented some form of cloud computing.[2] This is no surprise given the results of our 2012 Global CEO Survey, which indicated 31% of CEOs expect a significant change in strategy related to the adoption of new technologies like enterprise mobility and cloud computing over the next three to five years.[3] While most CIOs now consider cloud computing mature enough for some level of adoption within the enterprise, they remain concerned about the risks associated with cloud computing. Of particular concern are the risks associated with using a public cloud, which is where the greatest benefits can be achieved. In an era where corporate governance, compliance with regulations, and meeting stakeholder commitments are essential to a company's reputation, many business leaders are concerned about how they will address the issues that surface in every conversation about the cloud: security, availability, data privacy and integrity, and compliance.

Moving to the cloud can provide unprecedented benefits, but it can mean giving up some control over these risks. While businesses can outsource their systems, applications, and business processes, they can't outsource their obligations (to investors, employees, customers, partners, and regulators) to manage risks. As such, companies need transparency into how well cloud providers' environments address their concerns. Third-party assurance, that is, independent reporting solutions to address the trust gap between providers and users, may be part of the answer. With third-party assurance, an independent and objective organization delves into a cloud provider's environment to identify and test controls that govern the ability to deliver promised levels of service along with sufficient security, availability, data privacy and integrity, and compliance. Gartner, Inc. predicts that by 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service.[4] Third-party assurance may be the catalyst companies need to embrace cloud computing with greater confidence.

Risks with Cloud Computing

Some of the risks associated with cloud computing include the following:

Security: In a recent PwC survey, 62% of respondents who outsource IT say that data security in the cloud is a serious risk.[2] Protecting sensitive, business-critical data is paramount. You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data is accessed by other cloud users or hacked.

Availability: Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if a provider has adequately prepared for high usage levels across multiple cloud users. This is an especially relevant concern for companies considering moving high-volume, data-intensive, or critical transaction processing to the cloud.

Data integrity: You rely on data to forecast, report on, and manage your business. Inaccurate or incomplete data coming from a cloud provider's systems could result in poor forecasting or incorrect public reporting. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines and penalties for non-compliance. Finally, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts.

Data privacy: You are obligated to protect customers' and employees' personal data, such as social security numbers, health information, and credit card numbers, from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers' personal information can also result in fines.

Cloud computing provides very clear benefits. However, these advantages require that your organization cede control over risk mitigation and management to a third-party cloud services provider. Moving to the right cloud provider can help your company save money, provide new services and products to customers, respond more quickly to internal IT needs, and expand as business grows. The question is: How do you choose the right cloud provider, one that will help you realize business objectives while reducing risk and providing the trust and transparency you need?

Notes
1 Forrester Research, Inc., Sizing the Cloud, April 2011
2 PwC, 2012 Global State of Information Security Survey, September 2011
3 PwC, 15th Annual Global CEO Survey 2012, January 2012
4 Gartner, Inc., Summary Report for Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away, Daryl C. Plummer et al., November 29, 2011

WWW.COMPLIANCEWEEK.COM 888.519.9200

Protecting Against Risks

Cloud providers know that businesses have reservations about cloud computing, but their efforts to overcome doubts often fail to inspire the confidence of potential cloud users. Customers and prospective customers are looking for timely, useful information with enough relevance and detail to help them make decisions and compare providers. They also want proof that a cloud provider is operating in a way that meets changing regulations and standards set out by government agencies, industry groups, and their own governance boards. The amount of comfort you will want to obtain will depend on the risk associated with your cloud adoption. Cloud providers may offer the following assurances:

Compliance certifications: Increasingly, customers are requiring providers to demonstrate compliance with a growing number of traditional standards, primarily focused on security. As a result, cloud providers are investing great amounts of time, resources, and effort into compliance with ISO 27001/27002, the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), the PCI Data Security Standard, and other standards.

Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities, but a provider's need to protect confidential processes can limit the scope of customer audits. Also, cloud users need specialized resources to conduct effective audits.

Service level agreements (SLAs): These agreements spell out the provider's obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.

AICPA Service Organization Reports: These reports range from addressing a provider's internal controls as they relate to information processing systems relevant to financial reporting (SOC 1, issued under SSAE 16) to an assessment covering technology-related areas such as privacy, availability, confidentiality, processing integrity, and security of service providers (SOC 2). When relying on a SOC 2 report, check which of those five principles the provider placed in scope and whether the report is Type 1 (controls described at a point in time) or Type 2 (controls tested over a period); a report scoped only to availability says nothing about security.

Self-assessments: Providers prepare assessments based on their own framework, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.



A Cloudy Future

The technologies and processes used to deliver cloud computing are evolving, and there are no established technology or compliance standards specific to cloud. While existing compliance and regulatory frameworks were not developed to address the specific risks of cloud, the fundamental risks are similar to those that would have been faced with any IT or business process outsourcing.

Emerging control standards are also under development, the most prominent of which is the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Beginning later in 2012, cloud service providers will be able to seek FedRAMP certification, which will require having an independent Third Party Assessment Organization perform an initial system assessment and ongoing monitoring of controls. While the FedRAMP program is specific to cloud providers seeking to do business with the government, this framework and associated certification may provide commercial companies a foundation of comfort that a cloud provider has been subject to an independent assessment of controls relevant to cloud.

Many cloud providers have invested heavily to develop highly secure and available environments. Yet every cloud provider is different. To choose a provider you can trust, evaluate the level of assurance they can offer you and supplement it with your own evaluation of controls, as necessary. As standards evolve, cloud providers may be able to offer a certification that alone satisfies your concerns; but, until then, third-party assurance may be necessary for you to trust your most valuable asset, your brand, to cloud computing with confidence.

2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

ABOUT THE AUTHORS
Sharon Kane (sharon.l.kane@us.pwc.com) and Cara Beston (cara.beston@us.pwc.com) are partners within PwC's assurance practice. They have significant experience working with both technology providers and cloud users on evaluating the risks and controls associated with cloud computing technology.



Turning cloud into business value

One thing's for sure. The strategy for the cloud has moved beyond cost reductions. The right cloud strategy and execution plan can transform your business. It can make your business even more agile and collaborative, increase innovation and decrease time to market. Which suggests the importance of developing and implementing a comprehensive cloud strategy that considers governance, security, and controls along with the impact on IT. To learn more about how PwC can help turn your cloud strategy into business value, go to pwc.com/us/cloud


Improving Data Security for Cloud Computing


More challenges face companies looking to mitigate data security risk
By Jaclyn Jaeger

The advent of cloud computing and mobile devices has, of course, dramatically changed the way employees access, use, and share information, yet the related security risks continue to frustrate IT professionals. In fact, a recent Global Study on Mobility Risks conducted by the Ponemon Institute reveals the degree to which mobile devices are circumventing enterprise security and policies. According to the survey of more than 4,000 IT practitioners in 12 countries, 77 percent said the use of mobile devices in the workplace is important to achieving business objectives, but 76 percent also believe these devices put their companies at risk.

"We are going through a massive transformation in our industry," said Marc Benioff, CEO of Salesforce.com, at the RSA Conference in San Francisco in February. "This new workforce is more open, transparent, and collaborative." At the same time, there are no easy solutions to solve the security risks, even while pressure mounts to mitigate those risks.

"We're being required to offer more services, mobility, and access while at the same time dealing with more requirements around governance and compliance," said Symantec CEO Enrique Salem at the conference. A lockdown mentality is not the answer, said Salem. "We need to stop saying no and partner with our user community. This new world cannot be a choice between social versus secure; it has to be both," said Salem. The new world of doing business means enabling interconnectivity, as well as allowing for strong governance, compliance, and controls.

That push for access to social media platforms and mobile apps is driven by a young generation that has never been tied to a desktop system. Salem described how the digital native generation, in particular, has forever changed the way companies conduct business. Typically born in the 1990s, digital natives have never known a time before the Internet or mobile devices. Digital natives readily turn to their mobile devices, social networking sites, and the cloud to solve problems, rather than obtaining information from a single source, such as a search query. "This is the future of business," said Salem.

While security problems still abound, great progress is being made toward getting them solved. Salem offered a list of three questions companies in every industry must think about to move forward:

How do we manage online identities when our employees maintain dozens?
How do you protect information when the workforce shares information freely?
How do we keep track of a substantially higher volume of online activity?

"If we can't answer these questions, it will be a barrier to the new world of business," said Salem. He described the need for an advanced persistent protection plan made up of four essential pillars:

Reliable early warning systems that allow you to understand when a new threat is potentially going to attack;
State-of-the-art protection, one that recognizes threats without affecting the corporate infrastructure;
Fast remediation, solutions that can move faster than the threat can spread across the company; and
A response plan that includes enforcement officials that can help with an ultimate solution.

Companies still have a long way to go, however, when it comes to adopting necessary security controls and enforceable policies. According to the study, only 39 percent have the necessary security controls to address the risks, and only 45 percent have enforceable policies. Part of the problem is that employees don't always follow the controls and procedures. In fact, 59 percent of respondents report that employees circumvent or disengage security features, such as passwords and key locks, on corporate and personal mobile devices. During the past 12 months, 51 percent of those companies experienced data loss resulting from employee use of insecure mobile devices, including laptops, smartphones, USB devices, and tablets.

"It's clear that employees are deliberately disabling security controls, which is a serious concern," said Larry Ponemon, chairman and founder of the Ponemon Institute. "And the continued migration to mobile devices will only make matters worse."

"Tablets and iOS devices are replacing corporate laptops as employees bring their own devices to work and access corporate information," said Tom Clare, senior director of product marketing management at security provider Websense, which sponsored the study. "These devices open the door to unprecedented loss of sensitive data. IT needs to be concerned about the data that mobile devices access and not the device itself."

The study indicates that companies often don't know how and what data is leaving their networks through non-secure mobile devices, which increases rates of malware infections. Fifty-nine percent of respondents reported that over the last year their companies experienced an increase in malware infections as a result of insecure mobile devices in the workplace, with another 25 percent unsure whether they had or not.

"As mobile devices become more pervasive and more employees bring their own smartphones and tablets to work, IT is being challenged like never before," said John McCormack, president of Websense, a data security firm. "They need to immediately protect data, and they need to establish and enforce security practices and policies. Traditional static security solutions such as antivirus, firewalls, and passwords are not always effective at stopping advanced malware and data theft threats from malicious or negligent insiders."

also spoke at the RSA event. By doing so, the network can determine several factors, said: How is that device connectedvia Ethernet or wireless? Whats the device: a PC, iPad, iPhone? What is the posture of that device: Is it infected, or is it clean? Where is that device connected from, and when?

What makes all this context power is that now legitimate users can safely get access to the resources that they need on your network, said Young. This replaces that one size first all policy that most organizations are using today. Administrative burdens on users also must be reduced. Data that leaves the cloud should automatically be tagged, and cloud audit trails need to be set up and monitored, said Salem. Employees access to accounts also should be disabled after they leave the company. In a world where uses are bring their own devices to work and where user names and passwords, even the strong ones, are easily compromised, Young added, our only way forward as an industry is to deliver increasingly granular, context aware, and forced control via the network.
MOBILE DEVICE RISK

Below is a chart from the Ponemon Institute study that shows respondents perceptions about the use and risks of employees mobile devices (strongly agree & agree responses combined):

New Security Tools o prevent security threats, Christopher Young, senior vice president at Cisco Systems described the need for more effective firewalls that can track data as it enters and leaves a companys systems. Authentication of data also needs to be altered, so that it is as close to single sign-on as possible, but flexible enough to work across a variety of platforms, added Salem. Companies already have available the tools they need to achieve greater visibility. Today we can access standard language that is directly embedded in routers and switches that automatically enforces our policies, said Young, who

The employees use of mobile devices in meeting business objectives is essential or very important. The use of mobile devices in the workplace represents a serious security threat. My organization has the necessary security controls to mitigate or reduce the risk posed by insecure mobile devices.

77%

76%

0.0 0.6 0.2 0.8 0.4 1.0

39%

0%

10% 20% 30% 40% 50% 60% 70% 80%

Source: Ponemon Institute.
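The context-aware network control Young describes above (transport, device type, posture, location and time feeding an access decision instead of a single one-size-fits-all grant), as an added Go example. It is not from the article, from Cisco or from any vendor named in it: the field names, the rule set, the three access tiers and the sample connections are all constructed for illustration. The point it adds to the text is the fall-through: a connection no rule anticipated gets the most restrictive tier, and every decision is written out as a log line so the grants can be reviewed later.

```go
package main

import "fmt"

// DeviceContext holds the facts the text says the network can establish about a
// connection before deciding what it may reach. The field set is constructed here.
type DeviceContext struct {
	User      string
	Transport string // "ethernet" or "wireless"
	Device    string // "pc", "ipad", "iphone", ...
	Managed   bool   // corporate-managed rather than employee-owned
	Clean     bool   // posture check found no infection
	Location  string // "office" or "remote"
	Hour      int    // local hour of day, 0-23
}

// Rule pairs a predicate over the context with the access tier it grants.
type Rule struct {
	Name  string
	Match func(DeviceContext) bool
	Grant string // "quarantine" (remediation only), "limited" (mail and portal), "full"
}

// Rules are evaluated in order and the first match wins; together they replace
// the single "one size fits all" policy with context-dependent decisions.
var Rules = []Rule{
	{"infected device goes to remediation", func(c DeviceContext) bool { return !c.Clean }, "quarantine"},
	{"employee-owned device gets web mail and portal only", func(c DeviceContext) bool { return !c.Managed }, "limited"},
	{"managed device connecting remotely outside business hours", func(c DeviceContext) bool {
		return c.Location == "remote" && (c.Hour < 6 || c.Hour >= 22)
	}, "limited"},
	{"managed clean device on a known transport", func(c DeviceContext) bool {
		return c.Transport == "ethernet" || c.Transport == "wireless"
	}, "full"},
}

// Decide returns the access tier and the rule that produced it. No rule matching is
// itself a decision: the fall-through is the most restrictive tier, so a context the
// policy never anticipated (an unknown transport, say) is never granted more than that.
func Decide(c DeviceContext) (grant, reason string) {
	for _, r := range Rules {
		if r.Match(c) {
			return r.Grant, r.Name
		}
	}
	return "quarantine", "no rule matched (default deny)"
}

// AuditLine renders one decision as a key=value log line so that every grant, and
// every fall-through, can be reviewed after the fact.
func AuditLine(c DeviceContext, grant, reason string) string {
	return fmt.Sprintf("user=%s device=%s transport=%s managed=%t clean=%t location=%s hour=%02d grant=%s reason=%q",
		c.User, c.Device, c.Transport, c.Managed, c.Clean, c.Location, c.Hour, grant, reason)
}

func main() {
	// Constructed sample connections; names and values are illustrative only.
	for _, c := range []DeviceContext{
		{"alice", "ethernet", "pc", true, true, "office", 10},
		{"bob", "wireless", "ipad", false, true, "office", 11},
		{"carol", "wireless", "pc", true, false, "office", 9},
		{"dave", "wireless", "iphone", true, true, "remote", 23},
		{"erin", "vpn", "pc", true, true, "remote", 14},
	} {
		grant, reason := Decide(c)
		fmt.Println(AuditLine(c, grant, reason))
	}
}
```

Running it prints five audit lines: the managed, clean PC on Ethernet gets full access, the employee-owned iPad and the after-hours remote phone get the limited tier, the infected PC is quarantined, and the connection over a transport the rules do not know is quarantined by the default rather than by any explicit rule.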

KNOWLEDGE LEADERSHIP

GEOTRUST

Choosing a Cloud Provider With Confidence

SSL Provides a Secure Bridge to the Cloud

Executive Summary

Cloud computing is rapidly transforming the IT landscape, and the conversation around adopting cloud technology has progressed from "if" to "when." Enterprises are showing strong interest in outsourced (public) cloud offerings that can help them reduce costs and increase business agility. These cloud services offer enormous economic benefits, but they also pose significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations. Many cloud service providers can deliver the security that enterprises need, and SSL (secure sockets layer) certificates are part of the solution. More specifically, SSL is the solution for securing data when it is in motion. The goal of this white paper is to help enterprises make pragmatic decisions about where and when to use cloud solutions by outlining specific issues that enterprises should raise with hosting providers before selecting a vendor, and by highlighting the ways in which SSL from a trusted certificate authority can help enterprises conduct business in the cloud with confidence.

Ready or Not, Here Comes the Cloud

Some people believe cloud computing is the most significant paradigm shift since the advent of the internet. Others think it's just a fad. But one thing is for certain: cloud technology is quickly rising to the top of every CIO's priority list.[1] Organizations are accelerating their uptake of cloud services, and industry analysts such as Gartner Research estimate that enterprises around the world will cumulatively spend USD $112 billion on cloud services over the next five years.[2]

New Opportunities for Business

Most organizations cite cost savings as the most immediate benefit of cloud computing. For the enterprise, cloud services offer lower IT capital expenditures and operating costs, on-demand capacity with self-service provisioning, and pay-per-use pricing models for greater flexibility and agility. The service provider, in turn, achieves exponentially greater economies of scale by providing a standardized set of computing resources to a large base of customers. Many enterprise hosting providers are already well positioned in the market and have the core competencies (people, processes, technology) to deliver the promise of cloud computing to the enterprise.

New Security Challenges for IT

Despite the clear economic benefits of using cloud services, concerns about security, compliance and data privacy have slowed enterprise adoption. An IDC survey of IT executives reveals that security is the #1 challenge facing IT cloud services.[3] Gartner Research has identified seven specific areas of security risk[4] associated with enterprise cloud computing, and recommends that organizations address several key issues when selecting a provider:

1. Access privileges. Cloud service providers should be able to demonstrate they enforce adequate hiring, oversight and access controls to enforce administrative delegation.
2. Regulatory compliance. Enterprises are accountable for their own data even when it's in a public cloud, and should ensure their providers are ready and willing to undergo audits.
3. Data location. When selecting a hosting provider, it's important to ask where their datacenters are located and if they can commit to following specific privacy requirements.
4. Data segregation. Most public clouds are shared environments, and it is critical to make sure hosting providers can guarantee complete data segregation for secure multi-tenancy.
5. Data recovery. Enterprises must make sure their hosting provider has the ability to do a complete restoration in the event of a disaster.
6. Monitoring and reporting. Monitoring and logging public cloud activity is hard to do, so enterprises should ask for proof that their hosting providers can support investigations.
7. Business continuity. Businesses come and go, and enterprises should ask hard questions about the portability of their data to avoid lock-in or potential loss if the business fails.

To reap the benefits of cloud computing without increasing security and compliance risks, enterprises must ensure they work only with trusted service providers that can address these and other cloud security challenges. What's more, when enterprises move from using just one cloud-based service to using several from different providers, they must manage all these issues across multiple operators, each with different infrastructures, operational policies, and security skills. This complexity of trust requirements drives the need for a ubiquitous and highly reliable method to secure your data as it moves to, from and around the cloud.

[1] Source: Gartner EXP Worldwide Survey (http://www.gartner.com/it/page.jsp?id=1283413)
[2] Source: Gartner Research (http://www.gartner.com/it/page.jsp?id=1389313)
[3] Source: IDC eXchange (http://blogs.idc.com/ie/?p=730)
[4] Assessing the Security Risks of Cloud Computing (http://www.gartner.com/DisplayDocument?id=685308), Gartner, June 3, 2008.

WWW.COMPLIANCEWEEK.COM 888.519.9200

SSL Provides a Bridge to Secure Data in the Cloud

SSL is a security protocol used by web browsers and web servers to help users protect their data during transfer. SSL is the standard for establishing trusted exchanges of information over the internet. Without the ubiquity of SSL, any trust over the internet simply would not be possible. SSL comes into play anytime data changes location. If an enterprise keeps its data in the cloud, secure network access to it is important. Plus, that data is likely to move around between servers in the cloud when the service provider performs routine management functions. Whether data is moving between server and browser or between server and server, SSL helps to secure it. SSL delivers two services that help solve some cloud security issues. First, SSL encryption keeps prying eyes from reading private data as it is transmitted from server to server and between server and browser. The second benefit, possibly even more important, is establishing that a specific server and domain can be trusted. An SSL certificate can authenticate that a specific server and domain do belong to the person or organization that it claims to represent. This benefit requires that the hosting provider use SSL from a third-party Certificate Authority (CA).

How Does SSL Work?

An SSL certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain, the server shares its public key (via the SSL certificate) with the client to establish an encryption method and a unique encryption key for the session. The client confirms that it recognizes and trusts the issuer of the SSL certificate. This process, based on a sophisticated backend architecture laced with checks and double-checks for security, is known as the SSL handshake, and it can begin a secure session that protects data privacy and integrity.

Ensuring Data Segregation and Secure Access

Data segregation risks are ever-present in cloud storage. With traditional onsite storage, the business owner controls both exactly where the data is located and exactly who can access it. In a cloud environment, that scenario is fundamentally changed: the cloud service provider controls where the servers and the data are located. However, a proper implementation of SSL can secure sensitive data as it is being transmitted from place to place in the cloud, and between cloud provider servers and end users on browsers.

Encryption

Businesses should require their cloud provider to use a combination of SSL and servers that support, at minimum, 128-bit session encryption (or, preferably, the stronger 256-bit encryption). This way their data is secured with industry-standard levels of encryption or better as it moves between servers or between server and browser, preventing unauthorized interceptors of their data from being able to read it.

Authentication

Businesses also should demand that server ownership be authenticated before one bit of data transfers between servers. Self-signed SSL certificates provide no authentication. Only independent, third-party SSL certificates can legitimately deliver ownership authentication. Requiring a commercially-issued SSL certificate from a third-party Certificate Authority that has authenticated the server makes it virtually impossible to establish a rogue server that can infiltrate the cloud provider's environment.

Certificate Validity

Once a server and domain are authenticated, the SSL certificate issued to that device will be valid for a defined length of time. In the rare case that an SSL certificate has been compromised in some way, there is a fail-safe check to verify that the certificate has not been revoked in the time since it was originally issued. Every time an SSL session handshake is initiated, the SSL certificate is checked against a current database of revoked certificates.

There are currently two standards used for this validity check, Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). With OCSP a query is sent to the certificate authority asking if this certificate has been revoked; the certificate authority answers yes or no. If the answer is no, the handshake may commence. CRL, on the other hand, requires that the browser download the most current revocation list from the certificate authority and check the list itself to see if the certificate appears in the list. The Online Certificate Status Protocol (OCSP) standard is considered the more reliable method by many because it is always up-to-date and less likely to time out due to network traffic. SSL certificates that rely only on the CRL standard are less desirable because in instances of high amounts of network traffic, this step can be missed: some browsers will misinterpret an incomplete CRL review as a confirmation that a certificate is not on the revoked list, consequently completing a handshake and initiating a session based on a revoked SSL certificate. In such a scenario, a rogue server could use a revoked certificate to successfully

Facilitating Regulatory Compliance

Next are the regulatory compliance risks. When it comes to secure and confidential data, businesses are burdened with a slew of regulations. These range from laws like the Sarbanes-Oxley (SOX) Act, which affects only public companies, to the Payment Card Industry Security Standard (PCI-DSS), which affects any company accepting payment cards, to the federal Health Insurance Portability and Accountability Act (HIPAA), which affects any businesses with even the remotest possibility of touching patient data. In Europe there is the EU Data Privacy Directive, and Canada has an equivalent Personal Information Protection and Electronic Documents Act (PIPEDA).

When an organization outsources IT to a cloud service provider, the organization is still responsible for maintaining compliance with SOX, PCI, HIPAA and any other applicable regulations, and possibly more depending on where the servers and the data are at any given moment. As a result, the enterprise will be held liable for data security and integrity even if it is outsourced. Since the enterprise IT manager cannot rely solely on the cloud provider to meet these requirements, the enterprise must require the cloud provider to seek some compliance oversight.

Cloud computing providers who refuse to undergo external audits and security certifications are signaling that customers can only use them for the most trivial functions, according to Gartner. Additionally, technological changes to the cloud computing environment can unknowingly whittle away at the compliance of a cloud computing provider's customer. Feature upgrades such as permission modifications, new capabilities, introduction of mobile devices, and network changes also can affect compliance.[5] Here, as with data segregation, SSL encryption thwarts accidental disclosure of protected or private data as regulatory due diligence and data access is automated. SSL encryption renders all sensitive data useless to any third party intercepting or viewing it.

Keeping Data Away from Undesirable Locations

SSL addresses the third area of risk, data location, in the same manner. Public clouds are like black boxes: while they enable ubiquitous access to data, they also obfuscate the physical location of the servers and the data. But if a cloud provider uses SSL to encrypt data as it changes places, an enterprise can be assured that its data will be secure as it moves around the cloud. In addition, a legitimate third-party SSL provider such as GeoTrust or VeriSign will not issue an SSL certificate to a server in an interdicted country such as North Korea or Iran. So, as long as the cloud provider requires trusted authentication and encryption on all their servers through SSL from a certificate authority following such a practice, an enterprise will know that the cloud provider isn't storing their data on IT hardware in these countries.

Other Areas Where SSL Can Help

The enterprise needs to know how their cloud provider, with servers around the globe, safeguards data in the case of a disaster. Gartner states that any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to total failure, and that any business in the cloud has a duty to know if the cloud provider is able to completely restore data from backups or duplicates, and how long it will take. To prevent data loss, cloud service providers should maintain backup data repositories. If a crash happens, cloud hosts will attempt to recover data from backup servers. SSL adds an extra layer of protection to the backup and recovery process for a business, ensuring that data accessed from backup or duplicate servers is encrypted in transit and that servers being

[5] Domain 10: Guidance for Application Security V2.1, Cloud Security Alliance, July 2010.

Using SSL to Establish and Maintain Trust in the Cloud

Using a cloud service provider requires a high level of trust and confidence. Business critical applications cannot rely on trial and error. Businesses must insist upon a critical reliability equation to establish trust, and SSL certificates provide a highly visible and immediately recognizable way to accomplish that. Alternately, missing or broken SSL can destroy trust instantly. For example: suppose an enterprise chooses a cloud provider to host their e-commerce web site, but the host has a problem with the site's SSL certificate. A user visits the site and is immediately greeted with the alarming "Secure Connection Failed" error or "There is a problem with this web site's security certificate" message. Will that user ignore the browser warning and click through to complete a transaction on a seemingly-untrustworthy site? Not likely.

Not All SSL Is Created Equal

The chain of trust extends beyond the cloud vendor to their security provider. The cloud vendor's security is only as good as the reliability of the security technology they use. Cloud providers should be using SSL from an established, reliable and secure independent Certificate Authority. Its SSL should deliver at minimum 128-bit session encryption and optimally 256-bit encryption. And it should require a rigorous authentication process. Enterprises need to make sure their cloud provider uses an SSL certificate that cannot be hacked. So, in addition to making sure the SSL comes from an authorized third-party, the enterprise IT organization should also demand the following security requirements for the cloud provider's SSL security:

- A Certificate Authority that safeguards its global roots behind layers of industrial-strength security, employing multiple levels of electronic and physical security measures.
- A Certificate Authority that maintains a disaster recovery backup for its global roots.
- Global roots using the strong new encryption standard employing 2048-bit RSA keys.
- A chained hierarchy supporting their SSL certificates. At least one intermediate root in the chain adds an exponential level of encryption protection to prevent attacks to the global root.
- Secure hashing using the SHA-1 standard to ensure that the content of certificates cannot be tampered with.

Additionally, many servers rely on a Debian-based operating system for generating their SSL keys. The fundamental encryption capabilities of this system were compromised from 2006 to 2008. Enterprises should make sure their cloud provider is not relying on servers or SSL certificates which may have been compromised by this flaw. SSL certificates can be issued for validity lengths of up to six years, so it is possible that SSL with this flaw is still being used.[6]

Authentication Generates Trust in Credentials

Trust of a credential depends on confidence in the credential issuer, because the issuer vouches for the credential's authenticity. Certificate authorities use a variety of authentication methods to verify information provided by organizations. It is best to choose a cloud provider who standardizes on a certificate authority that is well known and trusted by browser vendors, while maintaining a rigorous authentication methodology and a highly reliable infrastructure. There are four levels of authentication for SSL. All enable an encrypted exchange of information; the difference lies within the strength of the server and domain authentication, in other words, the amount of effort put into validating the ownership and control of that server and domain.

1. Self-signed certificates offer zero authentication to enable encryption, and that is all. This type of SSL does not provide the security required by an enterprise.
2. Domain validated certificates offer only basic authentication because they only confirm that the person applying for the certificate has the right to use a specific domain name. These certificates are not recommended for server-to-browser connections because they do not vet or display the identity of the organization responsible for that domain or server.
3. Organization validated certificates offer reliable authentication for the cloud because they validate that the organization claimed to be responsible for the domain or server actually exists, and that the person applying for the SSL certificate for that domain or server is an authenticated representative from that organization. These SSL certificates are acceptable choices for server-to-browser connections, but they do not offer the highest level of confidence-building features for the end user.
4. Extended validation certificates (EV) are the best choice for server-to-browser connections because they offer the strongest level of authentication and the clearest validation that the connection is secure. With EV certificates, the legal, physical and operational existence of the organization is verified, as is the right of that organization to use that domain. Using EV ensures that the organization's identity has been verified through official records maintained by an authorized third party, and that the person requesting the certificate is an authorized agent of the organization.

An SSL certificate with this highest level of authentication can uniquely trigger unmistakable identifiers in an end user's web browser: a green browser address bar that displays the name of the organization, and the name of the certificate authority which issued the SSL. When end users encounter the green address bar, they have complete assurance that their connection is secure. Numerous businesses have reported noticeable uplifts in completed transactions (18 percent on average for VeriSign customers) after deploying Extended Validation SSL. For these and other reasons, EV is the preferred choice for hosting applications and services in the cloud.

[6] Source: http://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html
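The client-side checks described in the handshake, authentication and certificate validity sections above, as an added Go example that is not part of this white paper and not GeoTrust's code. It builds a private CA in memory to stand in for the third-party Certificate Authority, issues server certificates from it, and then runs the two checks a client performs: the server certificate must chain to a trusted root (a self-signed one does not), and the CRL lookup fails closed when the download fails or is incomplete, instead of reading the missing answer as "not revoked". The host name app.cloud.example, the CA name and the validity periods are constructed; only the standard library's crypto/x509 is used (Go 1.19 or later, for ParseRevocationList). Two points the code makes explicit that the text leaves implicit: only the public key is inside the certificate, the private key stays with the server; and a CRL is also rejected when the CA did not sign it or when it is past its NextUpdate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "app.cloud.example" // constructed server name, not taken from the paper

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a 2048-bit RSA certificate for subject. issuer == nil makes it
// self-signed (the text's "zero authentication" case); otherwise the CA signs it.
func issue(subject string, isCA bool, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{subject},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA { // a CA signs certificates and CRLs; it is not itself a server
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyChain is the handshake's trust step: accept the server certificate only if it
// chains to a CA in the client's trust store and was issued for the host being contacted.
func VerifyChain(server *x509.Certificate, roots *x509.CertPool, name string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// RevocationCheck is the CRL branch of the validity check. A failed or incomplete download,
// a CRL the CA did not sign, or a stale CRL all return an error, so the check fails closed.
func RevocationCheck(cert, ca *x509.Certificate, crlDER []byte, fetchErr error) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if fetchErr != nil || err != nil {
		return fmt.Errorf("revocation status unknown (fetch: %v, parse: %v)", fetchErr, err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale: next update was due %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// Scenario holds the constructed fixtures: a private CA standing in for the third-party
// Certificate Authority, two certs it issued (one then revoked), a self-signed cert, its CRL.
type Scenario struct {
	CA, Issued, Revoked, SelfSigned *x509.Certificate
	Roots                           *x509.CertPool
	CRL                             []byte
}

func BuildScenario() Scenario {
	ca, caKey := issue("Example Cloud CA", true, nil, nil)
	issued, _ := issue(host, false, ca, caKey)
	revoked, _ := issue(host, false, ca, caKey)
	selfSigned, _ := issue(host, false, nil, nil)
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Scenario{ca, issued, revoked, selfSigned, roots, crl}
}

func main() {
	s := BuildScenario()
	fmt.Println("CA-issued cert:", VerifyChain(s.Issued, s.Roots, host))
	fmt.Println("self-signed cert:", VerifyChain(s.SelfSigned, s.Roots, host))
	fmt.Println("revoked cert:", RevocationCheck(s.Revoked, s.CA, s.CRL, nil))
	fmt.Println("CRL download failed:", RevocationCheck(s.Issued, s.CA, nil, fmt.Errorf("timed out")))
}
```

The first line prints nil, the other three print errors. In a real client the CRL bytes and the fetch error come from the HTTP request to the certificate's CRL distribution point; with OCSP the list lookup becomes a per-certificate query to the CA, but the rule the text argues for is the same: an answer that never arrived is not a "no".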

Conclusion: Go With What You Know

SSL is a proven technology and a keystone of cloud security. When an enterprise selects a cloud computing provider, the enterprise should consider the security options selected by that cloud provider. Knowing that a cloud provider uses SSL from a trusted certificate authority can go a long way toward establishing confidence in that provider's commitment to safeguarding the data in its possession. When selecting a cloud service provider, enterprises must also be very clear with their cloud partners regarding handling and mitigation of risk factors not addressable by SSL. Enterprises should consider the seven categories suggested by Gartner when evaluating (and especially when contracting with) cloud computing solutions. Cloud providers should be using SSL from an established, reliable and secure independent certificate authority. Its SSL should deliver at minimum 128-bit encryption and optimally 256-bit encryption based on the new 2048-bit global root. And it should require a rigorous authentication process. The SSL issuing authority should maintain military-grade data centers and disaster recovery sites optimized for data protection and availability. The SSL certificate authority needs its authentication practices audited annually by a trusted third-party auditor. The GeoTrust, Thawte, and VeriSign SSL brands all offer SSL products that meet these requirements.

Learn More

To find a trusted cloud service provider that meets the criteria outlined in this white paper, visit http://www.geotrust.com/sell-ssl-certificates/strategic-partners.html.

About GeoTrust

GeoTrust is a leader in online trust products and the world's second largest digital certificate provider. More than 300,000 customers in over 150 countries trust GeoTrust to secure online transactions and conduct business over the Internet. Our range of digital certificate and trust products enable organizations of all sizes to maximize the security of their digital transactions cost-effectively.

Contact Us: www.GeoTrust.com

Corporate Headquarters: GeoTrust, Inc., 350 Ellis Street, Bldg. J, Mountain View, CA 94043-2202, USA. Toll Free +1-866-511-4141, Tel +1-650-426-5010, Fax +1-650-237-8871, enterprisesales@geotrust.com

EMEA Sales Office: GeoTrust, Inc., 8th Floor, Aldwych House, 71-91 Aldwych, London, WC2B 4HN, United Kingdom. Tel +44.203.0240907, Fax +44.203.0240958, sales@geotrust.co.uk

APAC Sales Office: GeoTrust, Inc., 134 Moray Street, South Melbourne, VIC 3205, Australia. sales@geotrustaustralia.com

2011 GeoTrust, Inc. All rights reserved. GeoTrust, the GeoTrust logo, the GeoTrust design, and other trademarks, service marks, and designs are registered or unregistered trademarks of GeoTrust, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are the property of their respective owners.


Outlook Improving for Data Security in the Cloud

By Todd Neff

By now, the benefits of cloud computing are familiar: rapid deployment, scalability, low startup costs, ability to focus on the business rather than running data centers, accounting gains from expensing costs rather than capitalizing them; the list goes on. The tally of the cloud's principal disadvantages is just as well-known, albeit a lot shorter: data security and compliance.

Don't be deceived by imbalance in pros and cons, however; those two drawbacks have cast quite a shadow on cloud adoption. The good news is that a combination of IT self-awareness, savvy dealings with cloud-computing providers, and new software offerings is chipping away at data security concerns, making the transition to the cloud much less of a leap of faith.

That's not to say that data security problems are evaporating. While experts see an increasingly wide range of data as cloud-eligible, deciding what to keep in-house and what to move to the cloud depends on an organization's appetite for risk, the value (or savings) the cloud can impart, and the consequences of losing control over one's data.

Different types of cloud models have their own data-security and compliance implications, which, in turn, hinge on the nature of the data and processing a company wants to send to the cloud. Computing vendors host private, public, and hybrid clouds, where they provide software as a service (SaaS), think Salesforce.com; infrastructure as a service (IaaS), which is server-and-storage for hire; and platform as a service (PaaS), a virtual software-development platform. Public clouds, hosted by the likes of Amazon, Microsoft, IBM, Google, and many others, are the most economically attractive; SaaS and IaaS, on the other hand, are the fastest-growing markets.

David Cass, chief information security officer of Elsevier, a publisher of science and health data, says his organization sees the cloud as an opportunity to let Elsevier focus on its strengths, managing content and delivering products to customers. Elsevier's default IT position is to think cloud-first for every application and revert to in-house data centers if the cloud looks too risky, Cass says.

Risk Analysis

The analysis starts with Elsevier's enterprise architecture committee, because it looks at things strategically across Elsevier, he says. The first hurdle is a big one: Does the proposed cloud application involve what Cass calls regulated data, information that falls under the purview of the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), or a host of other laws and industry standards? If so, Cass says, Elsevier takes the cloud off the table. "As the cloud matures, as security gets better and there's more visibility into the product, we can revisit some of the regulated data applications," he says.

Applications passing the first test then go through a cloud readiness assessment and a security review, Cass says. "The move to the cloud really puts the focus back on application security and good IT governance," he says. The cloud readiness assessment review involves a hard look at the applications themselves. "Because you may not have control over a cloud provider's security and firewalls, the key thing is to make sure the application is designed with security in mind, rather than having to put security around the application," Cass says.

Douglas Barbin, a director at BrightLine and cloud-security auditor, agrees. "It's not just on the cloud provider and how good they are. It depends on what you give the public cloud in the first place. If you're doing processing on your end and put personally identifiable information in the cloud, the risk is reduced if it's encrypted when it gets there," he says.

The risk is also reduced by finding the right service provider in the first place, Barbin says. Cloud providers are piling on certifications to demonstrate their commitment to security, including SAS 70, ISO 20000, PCI DSS 2.0, and others. The Cloud Security Alliance and the Open Data Center Alliance are also publishing guidance on security standards. "In terms of auditing, it used to be that the forward-thinkers were doing SAS 70; now [the AICPA's] SOC 1 and SOC 2 seem to be more the norm," Barbin adds.

In the Contract

Service-level agreements can shore up cloud security and lessen the risk of moving to the cloud, says Thomas Trappler, director of software licensing at the University of California at Los Angeles. Trappler, who teaches a seminar on cloud computing contracting, says even HIPAA-class data could be cloud-ready, with the right SLAs in place and the right provider.

"The cloud provider doesn't necessarily have to understand HIPAA per se," Trappler adds. "HIPAA merely says healthcare data must be secure and confidential; it doesn't specify how to get that done." Once a path to HIPAA compliance is defined, a company can wrap an SLA around a bundle of services (encryption, physical security, auditability, and so forth) that combine to achieve compliance, he says. "HIPAA [compliance] is an end-state," Trappler says, though he agrees that most organizations will have data they deem too sensitive to put in the cloud.

Greg Brown, McAfee's vice president of product marketing and cloud security, says hosted private clouds, which let you identify dedicated physical servers and storage, are the best bet for audit-sensitive offerings.

Vendors are stepping up with new cloud-security offerings, says Rick Holland, a senior analyst covering risk and security with Forrester Research. For example, Okta, an identity and access management service, offers a way to provision and de-provision (that means add and delete in the common tongue) users quickly and across cloud and corporate platforms. Another, CloudLock, provides a layer of control and auditability for Google Apps, and, soon, Microsoft's cloud-based Office 365. The CloudLock software addresses a common issue: employees, or even entire departments, are using Google Apps, Box.net, and other cloud-based software without the IT department's, or the compliance team's, knowledge (let alone consent). "I would dare to say that almost every organization has a lot more of that going on than they think," Holland says.

The big names in IT security are playing in the cloud, too; McAfee's Cloud Security Platform is just one example. It integrates into existing McAfee security products with the defining philosophy that a company should be able to extend its approach to IT security into the cloud's SaaS and IaaS environments, Brown says. "Just because you're embracing the cloud doesn't mean you have to invent a new security process," Brown says.

CLOUD COMPUTING RISK ASSESSMENT

The following information from PwC explains what risks are associated with cloud computing, what cloud providers are doing to thwart risk, and the benefits of third-party assurance. With cloud computing, risks include:

Security: You could be at a competitive disadvantage or subject to negative publicity and legal or regulatory action if your intellectual property or other data could be accessed by other cloud users. The same is true for data viewed and misused by cloud administrators.

Privacy: You are obligated to protect customers' and employees' personal data, such as social security numbers, health information and credit card numbers, from breaches. Even the loss of relatively small amounts of customer data has led to bad publicity and brand damage for many large organizations. Exposing customers' personal information can also result in fines.

Availability: Cloud providers promise certain levels of availability and uptime, but you have no way of knowing if the provider has adequately prepared for high usage levels across multiple cloud users. This is an especially relevant concern for companies considering moving transaction processing to the cloud.

Data Integrity, Retention and Ownership: You rely on data to forecast, report and manage your business. Inaccurate or incomplete data coming from a cloud provider's systems could result in poor forecasting or incorrect public reporting. Your business may also be subject to regulations or legal processes that require ready access to significant historical data. Without sufficient data retention and access rights, you may be subject to fines, penalties or judgments for non-compliance. Finally, your cloud service provider may use your data for secondary purposes if data ownership rights are not addressed in contracts.

Providers try to address user concerns with:

Self-assessments: Providers prepare assessments based on arbitrary frameworks, generally focused on the documentation of security policies. Even when these assessments are thorough, they are not objective.

Customer audits: Providers complete customer-prepared checklists and detailed questionnaires about capabilities, but a provider's need to protect confidential processes can limit the scope of customer audits. Also, cloud users need specialized resources to conduct effective audits.

Service level agreements (SLAs): These agreements spell out the provider's obligations, but they often do not include customer-centric monitoring of SLA performance or financial adjustments for non-performance that protect cloud users.

SAS 70 reports: These reports address a provider's internal controls as they relate to information processing systems that support financial reporting. But cloud computing risks go far beyond those relevant to financial reporting. So while the SAS 70 delivers insight, it is not sufficient to address the full scope of risks associated with cloud computing.

Source: PwC Whitepaper on Protecting Your Brand in the Cloud (December 2010).