Computing in the clouds while wearing a good service level agreement By Cade Zvavanjanja CISO Gainful Information Security
THE CLOUD “Cloud Computing” can mean different things SaaS, PaaS, IaaS Public Definitions: NIST Berkeley ABA Legal Tech Resource Center Service & Deployment Models: Private, Public, Hybrid
CLOUD:WHEN BAD THINGS HAPPEN TO GOODEVIDENCE General Considerations Potential Liability for Spoliation Minimize Risk by Addressing Up Front the Need to Preserve and Produce ESI Remedies for Spoliation
HOW DO YOU CONDUCT AFORENSIC EXAMINATION INTHE CLOUD?
CLOUD COMPUTINGSERVICE LEVEL AGREEMENTCONSIDERATIONS Use of data/Security Location of data No change of terms Destruction Ownership (assignment) Subpoena response Regulatory requirements Insurance/Indemnity Audits
SERVICE LEVEL AGREEMENT(SLA)SLA should contain: The list of services the provider will deliver and a complete definition of each service. Metrics to determine whether the provider is delivering the service as promised Auditing mechanism to monitor the service. Responsibilities of the provider and the consumer Remedies available to both provider and client if the terms of the SLA are not met. A description of how the SLA will change over time.
SERVICE LEVEL AGREEMENT (SLA) Security: Client and CSP must understand security requirements. Data encryption: Data must be encrypted while it is in motion and while it is at rest. The details of the encryption algorithms and access control policies should be specified. Privacy: Basic privacy concerns are addressed by requirements such as data encryption, retention, and deletion. An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment. Data retention/deletion: How does CSP prove they comply with retention laws and deletion policies? Hardware erasure/ destruction: Same as #4. Regulatory compliance: If regulations must be enforced because of the type of data, CSP must be able to prove compliance. Transparency: For critical data and applications CSP must be proactive in notifying client when the terms of the SLA are breached including infrastructure issues like outages and performance problems as well as security incidents.
(SLA) Certification: CSP should be responsible for proving required certification and keeping it current. Performance definitions: Defining terminology such as uptime and other contractual metric terms (i.e. – uptime could mean all servers on continent are available or only one designated server is available.) Monitoring: Responsible party for monitoring including identification of any third-party organization designated to monitor performance of the provider. Audit Rights: To monitor for any data breaches including loss of data and availability issues. SLA should clarify when and how the audits will take place. Metrics: to be monitored in real-time and audited after occurence. Metrics of an SLA must be objectively and unambiguously defined. Human interaction: On-demand self-service is one of the basic characteristics of cloud computing, but SLA should provide customer service when needed. Review and summary of cloud service level agreements, From "Cloud Computing Use Cases Whitepaper" Version 4.0,
REALITY – CONTRACT ISSUE Currently, the standard contracts offered by cloud computing providers are one-sided and service provider-friendly, with little opportunity to change terms. Few offer meaningful service levels or assume any responsibility for legal compliance, security or data protection. Many permit suspension of service or unilateral termination, and disclaim all or most of the providers potential liability. In addition, some cloud computing providers emphasize low cost offerings, which leave little room for robust contractual commitments or customer requirements.
BEFORE YOU GO “TO THECLOUD!”Security & ControlNo uniform standard for security and complianceamong cloud providers. This may be bad - if youhave evolved mature security and control discipline;or it may be a good thing, if you are looking for anexternal provider to help you with best practices.Cloud is not, per se, either secure or insecure. Yousimply need to set your own standards, be aware ofwhat your cloud provider can and cannot deliver,and choose according to your desired level of risk.
BEFORE YOU GO “TO THECLOUD!”Por tability & CompatibilityNot all cloud providers are able to provide the samelevel of portability and compatibility.Extractingand restoring data may be a slow manualprocess due to API limitations and other restrictions.May be impossible to accomplish in a timely mannerdue to common limitations such as bandwidth.Applications may require significant changes to becompatible with storage in a non-specific location thatchanges in case of emergency.Be aware of your use cases, and make sure yourrecovery plan allows for the mobility of data the cloudwill enable.
BEFORE YOU GO “TO THECLOUD!”Longevity & AccessibilityConsider and verify the longevity of CSPto ensure data will be accessible when andhow, needed before committing to CSP assole source for data recovery.During an analyst keynote speech at the2010 CA InfoXchange event in Malaysia,the speaker estimated that a substantialnumber of current cloud providers will beout of business within 2 years.CSPs talked about 99.999 per centuptime, or the equivalent of five minutesdowntime per year. This is the Holy Grail ofcloud computing but achieving it requiresmulti million-dollar investments in redundantinfrastructure.
BEFORE YOU GO “TO THECLOUD!”Where does your data reside? EU Data Privacy Concerns Which laws apply, country of origin or country where data resides?
ESSENTIAL POWER CONTRACTS TO RETAIN Realtime feed from data intrusion detection systems to permit monitoring of the security systems performance. Performance standards mandating maximum downtime and platform stability. Auditing rights – access to monitoring dashboard to see metrics on function of the system. Also onsite visits to provider. Remediation power – including monetary penalties for downtime, termination in the event of security violations and notice of any breach.
ESSENTIAL CONTRACT POWERS TORETAIN Freedom to Move – contract must make it clear that the data owner retains all ownership of the data as well as access to the data. There should be a defined time frame for giving back all the data once request has been made as well as definition of the format for the data if it is to be moved or returned to the client to avoid any additional cost to reformat data to be moved to a new provider. Preservation of metadata – what metadata will be maintained and any impact of the system upon that metadata. Access to information for e-discovery – how accessible the data will be including time to extract.