Simple SaaS security tips

Most people and companies are now using a significant amount of SaaS solutions. Companies are running sales support software, file sharing, collaboration, e-mail and a lot more in the cloud.

But that usage also leads to concerns about the security of those solutions. How safe are they? What risks do we run?

Here are a couple of tips to increase the security of those applications.

The biggest risks to handle in using SaaS are leaking data and losing control. And the top way to control these risks is simple: watch your passwords, and know how to survive a cloud provider exit.

If you look at famous data breaches in the past year, such as the iCloud celebrity hack, you will find out that most of them have to do with weak passwords and password reminders.

Improving the protection that passwords offer is often fairly easy. Security experts recommend using so-called two-factor authentication. This basically means that you use more than one way to prove your identity. Examples include security tokens or dongles, and fingerprint scanners.

This used to be inconvenient for the user, but in the past years a number of usable scenarios have been developed. It does not have to be a daily hassle, and you don’t have to fear being locked out.

For example, you can configure your Dropbox account to ask you for an SMS confirmation when you use it on a computer you have not used before. Check it out, they have really thought this out well, and there is absolutely no excuse to not use this. You will find it under Account -> Settings -> Security.

Gmail too allows you to set up security like this, and once you have done so it will alert you of suspicious activity. Like with Dropbox, the easiest thing is to use your mobile phone, but they also support additional tools. No need to be scared if you lose your phone.

Other services that you use might have some of these features as well. Go explore.

If you are the administrator of a cloud service this is even more important because you will be the prime target of any hacker.

As a cloud service administrator there are a few other basic things to do too. If feasible you should first create a secondary administrator account to do day-to-day work with. If that account gets compromised, you will have the first account to fall back on.

Another basic cloud service administrator task is to apply hygiene to your user list. Regularly check that the users are still active in your company or project, and that they don’t have more rights than they need. (In larger organizations this is better done through ‘identity federation’, so you don’t have to do this on a service-by-service basis.) You don’t really want former employees or contractors to still have access.

I ran into a simple example the other day on a Google Docs document. It was not mine, but I could totally edit it. They may have wanted to give me some access, but it would be better to give me “Comment” or “Review” access.

Losing the provider or the data that is stored at the service is the other big risk. And preparing for losing all your data can also protect you against losing some of your data.

There are so many reasons why a provider may stop servicing you. They could have a hiccup, they could suffer from a disaster, they could go out of business, or they go in a direction that you don’t like. In all cases it makes sense to have an ‘exit plan’ or ‘plan B’: a plan to move to a different provider.

If you don’t have an exit plan, you are basically saying that you accept the risk of losing the data that is at that provider and the capability to use that data. This could be a valid decision. I am not that interested in my Doodle archive, for example, so making a backup of that is not a big concern.

At its most basic, an exit plan describes how your most valuable data is stored in a secondary place. For example, my Gmail mail archive is also on my laptop as it is automatically downloaded by my mail program. Moving to a new mail provider, should I want to get away from Gmail, is not something I have spent much time thinking about, but with the mail and contacts safely stored elsewhere I am confident that a new provider will help me do that migration.

For my customer management system I make regular copies of the entire customer database and contact details. Again, moving to a different provider will be a hassle, but not impossible.

If your business really depends on it, you may want to have a cloud system on ‘hot standby’. However, most of the time this is not very easy with SaaS, because no two SaaS providers are alike. You are better off first thinking about which data to save to a secure location. If and when you want to move, your functional requirements will have changed anyway, and there are likely to be new SaaS providers as well.

For a deeper dive into cloud security issues and controls, have a look at the research that the Cloud Security Alliance is doing.

Using the Cloud Controls Matrix in procuring better cloud services

The Cloud Security Alliance (CSA) maintains the so-called Cloud Controls Matrix (CCM), a list of controls that can be used to get assurance on the quality of a cloud provider. (See the earlier blog post for more details and background on the CCM.) The CCM is part of a larger suite of CSA best practices, one of which is the CAIQ (Consensus Assessments Initiative Questionnaire). The CAIQ lists a number of questions per control, which a provider can answer with yes or no.

In practice we see that this tool is used in a number of ways in this process.

  • CCM and CAIQ list a significant amount of cloud specific controls that are not found in other frameworks such as ISO 27001. Some companies use these as input to their own control frameworks.
  • Use the CAIQ as a first-level filter. Providers are asked to provide a response with only yes/no answers. After passing that test, the provider can be asked to demonstrate the controls that matter most to the consumer in more detail. It is neither necessary nor efficient to ask the provider to demonstrate evidence on all controls.
  • The CCM and CAIQ can be used as input for a ranking activity, where multiple offers are scored on their security assurance.
  • Providers can use the CAIQ to demonstrate the breadth of their controls, and as a ‘standard response to an RFP’. Examples of these (such as Microsoft Office 365) can be found in the STAR registry (https://cloudsecurityalliance.org/star/). Although answering the CAIQ will take some effort, anecdotal evidence suggests that a provider who is already progressing with an assurance initiative will need only a few hours to draft a first version of their CAIQ.
  • Providers can use the CCM and CAIQ without publicly disclosing all their control evidence. Full evidence will then only be given to customers that have signed a non-disclosure agreement.
  • Providers can refer to the controls that their upstream providers have implemented. For example, an application provider could refer to Microsoft’s Azure CAIQ. In practice however, this still leaves a few questions open.
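The first-level filter, the ranking of offers and the referral to an upstream provider’s answers from the list above, worked through as an added example (not a CSA tool and not code from the post). Control IDs such as “CTRL-01”, the yes/no answers, the mandatory set and the weights are all constructed; an “inherit” answer is an assumed convention for “see our upstream provider’s CAIQ”.

```python
"""Filter and rank CAIQ-style yes/no responses (added example, not a CSA tool).

Control IDs like "CTRL-01" are constructed placeholders, not real CCM identifiers.
The consumer marks a few controls as mandatory (the first-level filter) and
weights the rest for ranking. A provider may answer "inherit" to refer to its
upstream provider's CAIQ; that counts only if the upstream itself answered yes,
and any control the upstream does not answer stays an open question.
"""

# Consumer view: mandatory controls are a pass/fail gate; weights rank the rest.
MANDATORY = {"CTRL-01", "CTRL-02"}
WEIGHTS = {"CTRL-03": 3, "CTRL-04": 2, "CTRL-05": 1}

# Constructed answers (control id -> "yes" / "no" / "inherit").
UPSTREAM = {"CTRL-01": "yes", "CTRL-02": "yes", "CTRL-03": "no",
            "CTRL-04": "yes", "CTRL-05": "yes"}
PROVIDERS = {
    "SaaS-A": {"CTRL-01": "yes", "CTRL-02": "yes", "CTRL-03": "yes",
               "CTRL-04": "no", "CTRL-05": "yes"},
    "SaaS-B": {"CTRL-01": "yes", "CTRL-02": "no", "CTRL-03": "yes",
               "CTRL-04": "yes", "CTRL-05": "yes"},
    # Application provider built on the upstream platform; CTRL-05 left unanswered.
    "SaaS-C": {"CTRL-01": "inherit", "CTRL-02": "inherit",
               "CTRL-03": "inherit", "CTRL-04": "inherit"},
}


def resolve(answer, control, upstream):
    """True if the control is covered; 'inherit' follows the upstream's own answer."""
    if answer == "inherit":
        return upstream.get(control) == "yes"
    return answer == "yes"


def first_level_filter(answers, upstream, mandatory=MANDATORY):
    """Mandatory controls the provider fails to cover; an empty list means pass."""
    return sorted(c for c in mandatory
                  if not resolve(answers.get(c, "no"), c, upstream))


def score(answers, upstream, weights=WEIGHTS):
    """Weighted count of covered non-mandatory controls; a missing answer counts as 'no'."""
    return sum(w for c, w in weights.items()
               if resolve(answers.get(c, "no"), c, upstream))


def rank_providers(providers, upstream):
    """Apply the filter, then rank the survivors; failures are reported with their gaps."""
    passed, failed = [], {}
    for name, answers in providers.items():
        gaps = first_level_filter(answers, upstream)
        if gaps:
            failed[name] = gaps
        else:
            passed.append((-score(answers, upstream), name))
    ranked = [name for _, name in sorted(passed)]   # highest score first, ties by name
    return ranked, failed


if __name__ == "__main__":
    ranked, failed = rank_providers(PROVIDERS, UPSTREAM)
    print("ranked:", ranked)
    print("failed first-level filter:", failed)
```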

Providers are warming up to the idea of using the CCM. For them, it standardizes responses, so they can be reused, which can save work.

Cloud consumers see the advantage of standardizing control sets. It allows for easier comparison across potential providers, as well as having potential in creating control visibility in the supply chain.

Shortcomings and pitfalls

The CAIQ as currently developed only allows for yes/no answers. There is no provision for extra information, nor is there guidance on how the provider should qualify their answers (i.e. this is how we do this, this is the extent to which we do this). In practice, most providers do add another column to their response in order to provide more detail.

There is only minimal experience in efficiently handling assurance obligations over a supply chain of providers, such as a SaaS provider working on top of a PaaS provider working on top of an IaaS provider.

Cloud consumers like to add their own questions to the CAIQ. They are of course capable of doing it, but the answers will not be reflected in the STAR registration.

What should you do?

Most companies are procuring cloud services these days. Generally speaking, most of these are SaaS and just a few are IaaS or PaaS. Managing these contracts and relations is a bit out of the scope of this article, but essential bits are to have a clear owner of the contract of every cloud service, even if it is a free service, and some indication of the data classification. From a risk management perspective, it would then be good to have a filled-in CAIQ for every provider.

For more education on the various risks and control areas in the CCM, you can consider Cloud Security CCSK training.

As this is ongoing research, please send me comments and notes on this article.

Join our research – Cloud Assurance in practice

The Dutch CSA chapter has a plan to address the number one concern of organizations using cloud: “can we trust our provider?”.

The CSA (Cloud Security Alliance) has developed a number of tools to address that situation. Our plan is to test these tools in practice, and record the experiences for inclusion in a “best practices” paper.

The main CSA tools are combined in the so-called CSA GRC stack (which stands for Governance, Risk management, and Compliance).

The “Security guidance for critical areas of focus in cloud computing v3.0” is the underlying body of knowledge for the GRC stack. We typically refer to this document as the ‘CSA guidance’.

The first component of the GRC stack is the CSA Cloud Controls Matrix (CCM). These controls are largely based on the recommendations of the CSA guidance.

The CCM is called a matrix, because it cross references other assurance frameworks such as PCI-DSS (payment card industry) and HIPAA (Healthcare).

The CCM can be used as a framework to give assurance to cloud customers. To make this process more efficient, CSA has introduced a number of additional tools. One of them is the CAIQ (Common Assessment Initiative Questionnaire, pronounced ‘cake’) which is a standardized list of questions to use to evaluate cloud providers. Each question in the CAIQ corresponds to exactly one control in the CCM.

Cloud consumers can take the CAIQ as a basis, select questions from it, add their own questions, and submit it to a number of cloud providers.

The smart move for a cloud provider is to pre-answer the CAIQ, and publish the results. This is the ambition of STAR (Security Trust and Assurance Registry), which is also a CSA initiative. And it does not stop there, beyond this there is Cloud Audit and the Cloud Trust Protocol. These products are in development and aim to go further by automating parts of the assurance process.

STAR is planned to have multiple levels:

  • Level 1 is Self-Assessment, based on a provider report following either the CAIQ or the CCM.
  • Level 2 is Third-Party Assessment, where the idea is to use the requirements of the ISO/IEC 27001:2005 management systems standard integrated with the CSA Cloud Control Matrix (CCM) and an organization’s own internal requirements or specifications to assess how mature their systems are.
  • Level 3 is a Continuous Monitoring based certification. This is currently under development.

These three levels are collectively referred to as the Open Certification Framework (OCF).

Our ambition is to do a number of case studies in applying the CCM and CAIQ. These case studies would preferably cover at least a provider and a financial business (bank or insurance firm). For providers, this could lead to an actual STAR entry with its associated benefits.

Some of the expectations are:

  • The CCM will be a better fit for cloud services than other assurance frameworks.
  • Assurance frameworks such as the CCM will lead to lower costs for consumers and providers because audit costs will be lower.

Some of the research questions are:

  • How well does the CCM cover assurance requirements, and what else do you need?
  • How much work is it to fill in the CAIQ?
  • How do you experience value in CCM/STAR/CAIQ?

Currently we have started to work with a number of IaaS providers who are interested in exploring better assurance. If you are interested you could still be part of this initial group. Just contact us.

Who needs cloud sales partners? How can they add value?

Cloud computing is supposed to be ‘totally self-service’, or so the naïve reading of the standard NIST definition goes. If it is not self-service, it is not cloud. With self-service, who needs partners standing in the way between the consumer and the cloud provider?

Well, it is a little more complex than that. The 5 NIST essential characteristics of cloud computing (of which self-service is one) should be interpreted in the context of the business value of cloud computing. It is these characteristics that lead to business value, and it is the business value on which to judge the degree to which a certain service offering is actually a cloud offering.

Example. Rapid scalability is an essential characteristic. But how rapid is rapid enough? A sudden surge of web traffic needs a response in seconds; a new development server should be available in a matter of minutes or maybe an hour. But adjusting the number of mailboxes to be paid for on a monthly basis is quite sufficient for most organizations. And moving from one mail provider to another is most certainly something that you would not do overnight on a whim. Such a migration takes planning, proper execution and change management with the users, who would have to learn to work with a new user interface. Think months.

You cannot expect big cloud providers like Google and Microsoft to help everybody in the world with this change management. That is where sales partners (or channel partners as they are often called) come in. They can guide the consumers in this process, show the specific opportunities and pitfalls, and provide training to users. That is value to the consumer that a cloud channel partner is bringing.

Consumers these days have a lot of risk management and compliance obligations to handle, and each consumer has a different set of requirements. They have to work with cloud providers to address these requirements on a continuous basis. If cloud computing is to be scalable at the provider side, the cloud channel partner should work out the mapping between what the consumer needs, and what the provider offers. If not, the provider will be swamped with controls questionnaires. At one of the Cloud Security Alliance (CSA) conferences last year a provider mentioned that those questionnaires can have anywhere between 10 and 1500 questions. They have full time staff dedicated to answering them. That does not scale.

One approach pioneered by the CSA is the GRC stack (Governance, Risk management and Compliance), which can standardize this process (more explanation on http://www.clubcloudcomputing.com/2012/09/can-we-simplify-cloud-security/). GRC is also business value. Rather than forward all risk and compliance questions to the cloud provider, a cloud channel partner can decouple the GRC process between consumer and provider, thus increasing the net value of GRC. That is the value to the cloud provider that a channel partner can bring.

Want to know how this can work for you? Visit www.cloudcomputingundercontrol.com

Why do people buy cloud services?

If you are a developing cloud provider, whether you are pure play or an internal IT department, it is very interesting to know who is buying cloud services, and why.

In a recent survey by PB7 sponsored by EuroCloud Netherlands and others, a group of Dutch companies was interviewed about their motivations and hesitations around cloud computing. The survey’s results were quite a bit more interesting than the usual lot. In this article I have cherry picked a few observations from the larger survey. The full survey is reported on in http://www.slideshare.net/peterthuis/ecm12-ghgg (in Dutch).

The majority of companies are using cloud computing these days, and this includes government organizations by the way. That adoption rate is not growing so fast anymore. The growth is in the number of cloud applications that are being deployed (and presumably also in the number of users of those applications).

How does cloud computing fit business strategy? Companies change for a number of reasons and objectives, and cloud computing as a driver is no different. Some organizations innovate using cloud computing, but from the survey it appears most are just optimizing business process, or even just substituting current solutions.

Substitution happens when an existing solution is replaced by a cheaper one. Examples of this can be seen across the board. As you can expect from a wide survey, the most common applications are mail, messaging, document processing, sales, marketing, distribution, HR. One striking category though is field service, where a lot of adoption is going on. Inhibitors for these types of applications include the value of current investments (“the server in the closet has not been fully written off”).

Optimization involves process change: doing things differently. This could involve people inside the organization as well as outside the organization. From anecdotal evidence, we know that collaboration tools are on the rise, in particular when they serve to communicate over organizational boundaries. Think procurement, project collaboration and marketplaces. These are the ‘cloud native’ apps so to say. The other category involves empowering the current workforce, especially if it is mobile already, a trend we see happening in airlines and retail. Cloud productivity solutions allow the inclusion of staff that was not equipped with computers before. This is clearly a big market for horizontal application suites such as Google Docs and Office 365. Vertical application areas include HR and e-learning.

The less predictable the workload, the bigger the advantage becomes that cloud applications have over non-cloud applications. About a tenth of the researched applications have a ‘rapid growth’ workload pattern, i.e. new applications, new business. For these categories cloud is by far the preferred solution.

These trends align very well with two important cloud characteristics: elastic scalability (especially from a financial perspective), and broad network access (anytime/anywhere/anydevice). Broad network access allows the inclusion of users that are not within the corporate firewall.

Infrastructure as a service (IaaS) is definitely on the rise across the board: small and large enterprises as well as governments. Its penetration is expected to increase to 30 percent in 2014, a twofold increase in two years. Still, this is a lot less than the penetration of SaaS.

As the number of cloud applications per organization rises, integration concerns increase. From the survey, it appears cloud consumers are seeing three different avenues to address these concerns. They call for open standards, they turn to cloud brokers to do the integration for them, and they hope to see ecosystems such as app stores providing this integration for them.

Other concerns are security and privacy in general, though it is unclear to what extent these fears are actually translated into action. It is peculiar in this respect that only 40% of cloud users have a clear exit plan.

There are quite a few implications for service providers in these findings. The biggest demand for cloud services is for rationalizing existing IT systems, and if they are internal, expanding their use cases to include mobile employees and business partners. As an extension of these, inclusion of more people and partners can allow business processes to be reengineered. Partnering with consultants to help effect these changes might make sense.

Potential clients are concerned about integration and security risks. Conceivably, adequately addressing these concerns can be a selling proposition. For the mechanics of that, have a look at another article I wrote (see http://www.clubcloudcomputing.com/2012/09/can-we-simplify-cloud-security/). A lot of these concerns (including integration) are expressible in terms of the CSA Cloud Control Matrix (Disclosure: I updated some of these controls recently as a CSA volunteer).

If you are a cloud provider and wonder how to improve your offering, you may be interested in having a look at www.cloudcomputingundercontrol.com