“Incident response and the cloud is something we’ve been talking about for some time,” Frank Coggrave, general manager EMEA with Guidance Software, told Infosecurity. “We’re starting to see security professionals take it seriously; but it’s something most users tend not to consider.” The problem, he said, is that most companies adopt cloud services for economic reasons – so if the cloud provider ticks the economic boxes, then that’s all that is really necessary. “The challenge is that people don’t think about the security details – what happens, for example, if there are security breaches – until later.”
It’s part of a wider issue, says Coggrave. While some of the larger and better organized providers are beginning to publicize their security, the user still gets no insight into governance within that provider. A current example can perhaps be seen with Amazon Web Services (AWS). AWS has now submitted its security details to the Security, Trust and Assurance Registry (STAR) operated by the Cloud Security Alliance (CSA). Amazon Web Services: Risk and Compliance, July 2012 is now available to anyone who wants to check the AWS approach to security.
But if we take Coggrave’s specific example, and check on AWS incident response, we find “Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved.” What it doesn’t say is whether system incidents are reported to the customer. But this is a serious issue. The Out-Law legal blog today examines what is effectively a security self-assessment and relates it to EU responsibilities under the Data Protection Act. As to be expected, says Out-Law, the UK's ICO welcomes the STAR initiative, but points out that no cloud provider can absolve the user of his responsibilities under the DPA.
“Organizations thinking of using cloud service providers must understand that they are still responsible for the safety of that data,” the ICO told Out-Law. “Just because their cloud service provider is registered with such a scheme [ie, STAR], does not absolve the organization who collected the data of their legal responsibilities.” Out-Law then points out that the EU privacy watchdog, the Article 29 Working Party, said earlier this month that “businesses that wish to use cloud services to store and process personal data must use providers that can ‘guarantee’ compliance with EU data protection laws.” That, if the proposed Data Protection Regulation is adopted, will include breach notification.
This is Coggrave’s point. Without adequate insight into the provider’s security governance, there is no way to be sure that stated or promised security guarantees are sufficient or effective. And unless the provider reports a breach, the user will be unaware they are violating DPA breach notification laws. There is no easy answer to this problem. Coggrave believes that the governance issues must be understood from the beginning of cloud negotiations, and that security and legal minds – not just IT and finance minds – should be brought early into the contract process. The solution is in the contract; one that ensures that all of the user’s legal obligations are covered, and allows the user to satisfy himself on the provider’s security governance. “If customers can’t do it themselves, should cloud providers be offering incident response and eDiscovery as a service?” he asks.