Data in transit must be protected

e-Security | Vol: 36-12014 © CyberSecurity Malaysia 2014 - All Rights Reserved 65

2. Asset must be made resilient and protected

Asset here refers to the computers and processing systems that either store or process consumer data. Both the asset and the consumer data itself must be protected from being tampered physically, stolen or damaged. Things like offsite backups, redundant servers, and physical security of the cloud data centres are some of the items that needs to be noted here.

3. Cloud tenants must be separated

Public cloud computing to a certain extent of the definition implies multi-tenancy. What this means is there exists more than one consumer utilising the same resources of the cloud service provider. It is therefore critical that separation between different consumers of the cloud service be established to eliminate the possibility of either malicious acts or compromised consumers adversely affecting the confidentiality, availability or integrity of another consumer of the service.

4. Availability of audit information to consumers

It is important that the consumers have available to them the audit information so that they may monitor things like access to their service and also access to the data that is contained within it. This is to allow them to take necessary actions in case of unexplained data access by potentially unauthorised parties.

5. Secure administration of the cloud service

The consumer should make sure that the methods used by the administrators of these service providers in managing the operational service are done in a manner designed to mitigate any risk of exploitation which could jeopardise the security of the service. Good practices like separation of duties between the service provisioners and the security administrators is one example.

6. Protection of External Interfaces

It is important to identify all external and any less trusted interfaces connected to the service so that proper protections are allocated to defend them against attacks. Since the networks that the cloud service runs on belong to the cloud provider, sometimes the consumer has no say whenever new connections are introduced into the network at a later stage. This becomes an important issue to be considered by the consumer.

7. Authentication and authorisation

Any and all access by both the consumer and the service provider to all interfaces into the service must follow e-Security | Vol: 36-12014 © CyberSecurity Malaysia 2014 - All Rights Reserved 66 strict authentication and authorisation processes. Nobody should be exempted from this requirement so that there is less chance for unauthorised individuals to do something harmful and also to ensure that actions taken by authorised individuals can later be traced back to them for accountability purposes.

8. Operational Security

There should be processes and procedures in place by the cloud service provider to ensure the operational security of the service is well-defined. The processes and procedures are important so that everybody is aware and can properly do their work during normal operating conditions as well as during security disasters.

9. Personnel security

The consumer should make sure that the cloud service provider performs adequate security screening of their personnel and ensure that those personnel undergo the correct security training for their role in the cloud provider’s organisation.

10. Secure development of services

Consumers should evaluate and decide whether the cloud service provider implement secure development practices. One way this can be verified is to insist on the latest vulnerability and security assessment reports of the services that the consumer is interested in. This can help to show whether the cloud service provider consistently identify and mitigate threats to the security of the service. Conclusion Security is the responsibility of both the consumer and the cloud service provider. This article has attempted to describe some of the security principles that both the consumer and the provider should be concerned with. There are additional security principles that will add extra layers of confidence if they are implemented by the provider but the principles described above should be a good starting point in the right direction for the consumer. ■ References 1 . h t t p : w w w . m e r r i a m - w e b s t e r . c o m d i c t i o n a r y s e c u r i t y 2 . h t t p : w w w. a c c o u n t i n g c o a c h . c o m b l o g s e p a r a t i o n - o f - d u t i e s - i n t e r n a l - c o n t r o l 3 . h t t p : w w w . s a f e n e t - i n c . c o m d a t a - p r o t e c t i o n v i r t u a l i z a t i o n - c l o u d - s e c u r i t y s a a s - s e c u r i t y - c l o u d - a c c e s s - c o n t r o l 4 . 4 . h t t p s : d a t a t r a c k e r . i e t f . o r g d o c u m e n t s L I A I S O N f i l e 1 1 8 1 . d o c [ R e q u i r e m e n t s f o r S e r v i c e P r o t e c t i o n A c r o s s E x t e r n a l I n t e r f a c e s D r a f t 0 . 3 4 J a n u a r y 2 0 1 1 ] 5 . h t t p s : w w w . g o v . u k g o v e r n m e n t p u b l i c a t i o n s c l o u d - s e r v i c e - s e c u r i t y - principlescloud-service-security-principles