VI. Hardening Steps to Secure Cloud Computing Environment - Software as a Service
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */
SaaS provides the most integrated functionality built directly into the offering, with the least customised extensibility, and a relatively high level of integrated security offered by cloud providers. From customers' perspective, implementing security in the case of SaaS means that service levels, governance, compliance, and liability expectations of the cloud services and respective providers are contractually stipulated, managed, and enforced.
1. Service Level Agreement
Universities shall assess whether security considerations are addressed in the Service Level Agreements (SLA). An adequate SLA must include a set of security standards committed by the cloud service provider, which may include the following:
Encryption of Sensitive Data - ensure that the cloud providers have clear policies and sufficient technologies to achieve effective data encryption.
Disaster Recovery Mechanism and Testing - ensure that the cloud providers establish proper data recovery procedures and regular drills. Universities are also recommended to specify target Recovery Time Objective (RTO) in the SLA.
Secure SDLC - ensure that the cloud providers incorporate necessary security considerations and measures when developing the software used by the universities.
Transparency - ensure that the statistics on cloud providers' security controls, system availabilities and performance are readily available for universities' tracking and monitoring.
Data Extraction - ensure that universities data kept by the cloud providers can be retrieved back in the circumstances of SLA breaches or during service interruption.
2. Compliance and Audit
Compliance needs shall be addressed in the cloud providers' standard terms of service. It is beneficial for universities to have both legal and contracts personnel involved early to ensure that cloud services contract provisions are adequate for compliance and audit obligations. Specifically, the contract terms should allow the universities to perform security audits or reviews of the cloud computing environment.
3. Portability and Interoperability
With SaaS, universities will substitute new software applications for old ones. The focus is on preserving or enhancing the security functionalities provided by the legacy cloud provider in order to achieve a successful data migration.
In general, universities should perform regular data extractions and backups to a format that is independent from the legacy cloud provider. The ability to migrate legacy backup data by the new cloud provider must be assessed to ensure smooth transition. Consistency in security control effectiveness should be examined on the new and old cloud service providers.
References:
http://www.webhostingsearch.com/articles/saas-security-issues.php
http://www.cloudsecurityalliance.org/csaguide.pdf
http://dmsconsultingllc.com/blog/2009/03/24/ensuring-saas-security/