I am updating and reposting this article, which originally appeared in the March 2017 edition of the ISC2 Cloud Insights magazine; since then, innovation in services and processes has made ‘Cloud First’ a strategic option for many companies. In terms of securing systems, the NCSC has provided some excellent resources on how to apply security principles to your cloud implementation.
Resilient Cloud Business Systems
Resilient business systems should be able to withstand significant shocks or stresses while being able to maintain the same essential functions. A resilient enterprise should have the “ability to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper”, as defined by BSI Group, the UK standards body. Resilience can appear to conflict with competitive pressures, but is critical to the survivability, recovery, adaptability, and sustainability of the organization under exceptional circumstances.
Many cloud providers have strict security and highly qualified security personnel. However, it is unlikely that the provider will indemnify you against the costs of a breach and the subsequent negative publicity. Every public cloud supplier will have hundreds or thousands of company tenants, but you will usually only deal with a few main cloud providers. Therefore, the relationship between your organisation and cloud security suppliers relies on confidence when handling sensitive information.

In terms of compliance and governance, you are responsible for the active management and protection of data and the availability of your core applications. Working closely with suppliers is the key to making your security and resilience goals a success. The cloud provider may become the public face of your systems and provider of infrastructure, but cloud service supplier performance is only part of an effective on-premise and cloud resilience strategy. Security can be implemented seamlessly only through coordinated responses and by building into agreements a shared approach to the responsibilities on each side of the cloud “fence”.
Seven Crucial Principles
These seven principles of resilient systems ensure that a strategy for cloud brings together the best features of people and technology to maintain service levels in the event of attack.
- Maintain Diversity and Redundancy. Ensure that you have storage segregation on and off-premise to provide redundancy in the event of attack. Ensure that sensitive data and backups held off-premise are encrypted and that you have an effective encryption key rotation and handling process. Consider whether the sensitive data that you hold is necessary at all. Cloud systems can assist in these tasks by providing inexpensive, encrypted, geo-located and redundant storage and key vaults to help you adopt an assertive security stance.
- Maintain Connectivity. Ensure that you, your regional teams, and your customers can maintain predictable communication by considering the scalability of systems to deal with (for example) a denial-of-service communication attack. Talk to your ISP to see if there are mitigation measures you can take (e.g., DNS, proxy servers, load balancing and bandwidth) and prioritize action to protect your business-critical systems.
- Manage slow variables and feedbacks. Shocks are rarely a complete bolt out of the blue. Identify emerging risks that could present problems in the future. I have worked at an organization where a data center was flooded because a nearby drain became blocked in a storm. Act early to treat “benign” risks to ensure they do not cause problems.
- Create adaptive systems.
  - Ensure that the principle of least privilege is used when granting permissions, but make certain that, in the event of a sustained attack, there are sufficient personnel available to step in and cover the critical roles.
  - Determine whether you can offer a reduced service in times of stress (by selectively disabling noncritical functions on web sites, for example).
  - Produce a security policy that dynamically prevents unauthorized access to the cloud. Flexible organizational structures and supply chains help organizations adapt to changed or restricted circumstances.
- Encourage learning and collaboration. Ensure that your personnel are familiar and engaged with the most common security incident responses and foster trust relationships between those who will be at the forefront of response. Ensure that you have contacts with others who may be called into these ‘business not as usual’ scenarios, like law enforcement, legal teams, auditors, or investors.
- Participation. Active participation in your community will pay dividends in times of crisis. Consider the support given by common industry groups, chambers of trade and local business networks. Resilience is built through your interactions with, and the help of, others. Explain your connectivity measures to your customers and educate them on your cyber-resilience processes.
- Multi-centric governance. Consider the physical locations of your people, assets and storage capabilities and the data protections this affords. Build teams that can self-organize when resources are unreachable or not available. Ensure that management empowered to make decisions is available out of hours.
Update Business Continuity Plans
A business response to a cloud data breach should be structured in the same way as an on-premise response, with plans and exercises to ensure they work when needed:
- Put safety first and ensure that systems of record are protected.
- Assemble a cybersecurity response (CSIRT) team. Devise and work through the consequences of a breach to dovetail your business continuity with that of the supplier, as you would for electricity outage planning.
- Communication is key when handling an incident. Establish a plan or calling tree for communication channels with suppliers, customers, and the board.
- When using hybrid architecture, ensure that your own on-premise installation does not become the back door that is used by intruders. Guard against this threat by strengthening internal access controls.
- Secured logs, alerts, and audit trails should always be monitored for evidence of attack and to reconstruct events afterwards in both the cloud and on-premise.
- Strengthen security assurances on your data, websites, and communication channels proactively. Let customers know that your business principles value their security. Give customers a second channel to communicate about sensitive matters, e.g., via a helpline.
- Know where your processes are becoming reliant on the cloud and always take steps to rigorously protect your sensitive data and business IP.
Do not cede any security ground just because you are choosing to go to cloud, and make the most of the opportunities and cost savings this offers. The advantages of cloud assist innovation and business transformation when implemented properly.
Just because there are not yet any examples of major business disruption and data loss purely because of cloud does not mean this will never happen. Remember that the confidence of companies in their abilities is highest just before a crisis. Preparing advance resilience and business continuity plans ensures you can respond quickly to any unforeseen circumstances.