- Robert Ayotte
Senior Manager, IT Client Services
- Paul Livi
They say that a message has to be repeated seven times in order for it to be assimilated. We have been writing about Cloud computing for a while now and we have nearly reached the point where the message will be absorbed: Cloud computing makes sense. It has its benefits in that it will allow an organisation to react faster and adapt quicker to the ever-evolving markets and the technologies that enable adaptation to these markets. Cloud computing is being adopted by organisations at an ever-increasing rate and it is here to stay.
CBC/Radio-Canada now lives in the Google Apps world, and the Corporation has done so since the beginning of March 2013; the benefits of Cloud computing that made it an appealing choice for replacing our aging email infrastructure have materialised and allowed the Corporation to replace the email system within a three-month period. This level of efficiency is largely attributed to the staff that collaborated on this project on a scale never previously witnessed at CBC/Radio-Canada, but it was also made possible by the very nature of a Cloud computing solution: not having to worry about infrastructure set up and scaling.
Nonetheless, all of this took some time to prepare in order to ensure that, whilst reaping the benefits of Cloud computing, we would also comply with our obligations with regards to regulations and other controls that are imposed on public entities such as CBC/Radio-Canada for the protection of its audience, Canada’s taxpayers.
This article will detail our journey into the hidden side of Cloud computing, more specifically, public Cloud computing, the service contracts and risk assessments that need to be conducted, and the lessons learned along the way that will inform the way in which we will partake of other Cloud computing services in the future.
Seeking a Cloud-based Solution for our Email & Collaboration Platforms
In June of 2011, CBC/Radio-Canada started looking at the market of email and collaboration tools to evaluate the different options available and, after having obtained the pertinent information about these options, decided to seek a public Cloud-based solution for the Corporation’s email and collaboration platforms. We reviewed several forms of Cloud computing offerings: public and dedicated Software as a Service (SaaS) and Infrastructure as a Service (IaaS) solutions. A thorough analysis was undertaken to assess the risks of Cloud computing in general but also, more specifically, as it pertained to email and collaboration tools. In the end, in consideration of our specific requirements, we elected to go for a public SaaS solution because email and collaboration platforms have become commodities. As a result of this, CBC/Radio-Canada would therefore benefit from most of the new features of the solution at the same rate as the public would.
However, would a public or consumer Cloud service offering be able to help the Corporation meet its compliance obligations? This was not only a very good question, but also one that was at the heart of several items to evaluate in our assessment.
Thankfully, the public Cloud-based email solution market was ripe with solutions aimed at enterprises. Consequently, a public Request for Proposals (RFP) was prepared and published, targeting the major vendors that offered these kinds of Cloud computing services.
The term Cloud computing might sound like a recent invention, but it is really just another way of contracting computing services with a third party. The key to such an endeavour is to lay out your requirements very carefully in your RFP, evaluate the responses, and select the solution/vendor that conforms the most to the criteria that you have established. Once that is done, you negotiate a contract that will ensure the most advantageous service level to the organisation and support it if problems occur, but also include the terms and conditions that will protect it and allow it to maintain its own compliance obligations. As you can see, there is nothing particularly new about this, but it bears restating nonetheless.
However, there is a twist. Remember that what makes public Cloud computing enticing for organisations (e.g., growing or decreasing scalability of the solution) also limits the ability to negotiate custom terms with the service provider because of the commodity model of the service. A typical enterprise agreement for Cloud computing services tends to cater to all enterprises, regardless of their specific and unique requirements. Think of it this way: do you negotiate how the hydroelectric service (a commodity) is delivered to you or how its associated customer service is provided?
Whilst a consumer does not have any opportunity to negotiate these things, an enterprise needs to be able to obtain most, if not all, of its specific needs. This is what we sought with our RFP sent to vendors that offered enterprise-grade, public Cloud computing.
Cloud Computing: Risk Analysis
A thorough risk analysis of Cloud computing must be performed before going to an RFP or sourcing a solution. Risks must be identified and categorised according to their criticality and likelihood. One must then evaluate whether the risks can be mitigated or accepted from a business standpoint to assist in the decision-making process.
As Cloud computing services necessarily involve transferring and storing data outside of your own organisation’s perimeter and control, some of the risks identified revolve around privacy concerns, which must be evaluated. For instance, a vendor may be storing your data in the U.S. or in other countries, where applicable laws may differ from Canadian laws affecting how the vendor will protect your interests.
Developing RFP Criteria
When crafting an RFP for IT services, CBC/Radio-Canada’s Finance, Legal, and IT departments come together and join forces to ensure that the appropriate criteria are identified and listed as requirements for the vendors to meet, and that the evaluation of the responses with regards to these criteria is done and weighted adequately.
In the case of Cloud computing services and, more specifically, public Cloud computing, the implied loss of total control on the service delivery, when compared to an in-house solution, had to be taken into consideration.
Research on industry standards and the vendors’ own obligations was key in identifying the minimum requirements that the respondents should meet in the Corporation’s RFP. For instance, the top vendors and providers of public Cloud computing services hold themselves to very high standards to ensure their own service continuity. As such, a requirement for the solution to meet these standards was added in the RFP.
The following sections will describe some of the criteria that were evaluated.
Data Confidentiality, Integrity & Availability
The primary security concern of the general public by far regarding public Cloud computing is data confidentiality. Data in any public Cloud computing environment must be protected both in transit and at rest in order to ensure protection from fraud and theft. Therefore, CBC/Radio-Canada must be confident and assured that its data is not compromised on its way to the Cloud computing environment, nor while it is sitting on the environment’s infrastructure.
In the case of our new and very significant public Cloud computing product, Gmail, data transmitted to and from Google’s facilities uses high-grade encryption (RC4, 128-bit keys), and the option to turn off encryption for the Gmail service has been disabled entirely so that a user cannot intentionally or accidentally disable Gmail’s encryption features. The encryption also ensures the integrity of the data being sent and that it has not been altered whilst in transit. At rest, data is protected by data distribution and obfuscation, where a piece of data such as an email is spread across multiple servers within the infrastructure, which ensures that a single Google server or one of their system administrators will never have access to a complete email. Data chunks are given random ﬁlenames, they are not stored in clear text, and are not humanly readable. This distribution of data is preserved across Google’s infrastructure via data replication and backups, to help ensure availability in the event of a disaster.
Vendor Compliance With Industry Security Standards
Overall compliance by the external provider to its own security policies and procedures by actively enlisting third-party auditors to review their practices and the provider’s adherence to known industry security standards are also of concern and can greatly assist a corporation in its evaluation of a public Cloud computing product. Typical third-party audits, such as SSAE 16 or SAS70 reports, are very good indicators that the external provider’s services can be used securely and with a great deal of confidence. Adherence to industry standards, such as those published by the National Institute of Standards and Technology (NIST), are also good indicators of an external provider’s ability to operate securely within known, industry-accepted standards.
Vendor Compliance With the Customer’s Directives
External providers should also be cognisant of, and able to comply with, their customers’ own security policies and directives in order to ensure that they can integrate and operate securely with their customers’ infrastructure when the need arises. As such, an evaluation of the external providers’ ability to meet a corporation’s information security and risk management programme requirements is a necessary step in the process of selecting a solution. These types of programme directives control and manage access to corporate information, and monitor activities within Cloud computing environments to detect any security anomalies.
In the case of Gmail, one of the reasons this solution was attractive was because the vendor provides the tools that allow the use of automated provisioning processes, dashboards to help in the monitoring of the service, and access to their logs for any security or transactional anomalies, such as an account security breach. Monitoring and audit tasks extend beyond the security realm as well, and corporations with Cloud services should regularly review their external provider services regarding performance, account management, support, and availability.
Typical Security Measures for Cloud Computing Products
In addition to the sections outlined above, there is also a series of typical security measures that all external providers offering public Cloud computing should have in place. These detailed security measures are not exhaustive by any means, but are essential points that should be reflected in any framework or selection process in order to ensure the on-going security of a corporation’s data. The external provider should:
- Have access control measures employed to ensure that only qualified and authorised staff have access to the infrastructure and data;
- Employ access control measures to ensure that only qualified and authorised staff has access to logs and that the external provider is capable of protecting logs from malicious conduct, such as entry deletions or modifications;
- Have a complete and documented Disaster Recovery Plan (DRP) for its data centres, operating centres, and head office;
- Carry out regular risk management assessments and vulnerability or intrusion assessments;
- Employ measures to secure the main aspects of its network infrastructure (firewalls, Intrusion Detection Systems, etc.);
- Provide details on security reinforcement measures applied to its servers (e.g., server and operating system hardening) and describe their efficiencies;
- Provide details outlining the physical security measures in its offices and data centres to ensure those locations are properly protected; and
- Have server infrastructure that must run antivirus/antimalware tools and anti- spam/antivirus/antimalware tools if it provides Cloud email services.
These are all examples of things to watch out for and they outline the necessity of having a formal framework for evaluating Cloud computing solutions.
We also know that this strict selection process for a Cloud computing solution is just one of many steps. There is a requirement for on-going monitoring and auditing of the solution to ensure that obligations are continuously being met.
As stated in the introduction to this article, Cloud computing is becoming more and more prevalent, and is seen as a practical and secure way to meet a corporation’s business objectives. Public Cloud computing services are also becoming more and more attractive due to their commodity models, but they require a thorough understanding of the risks as well as the likelihood of such risks. Service contracts must be prepared to cover or mitigate as many of the risks identified as possible. CBC/Radio-Canada’s forays into Cloud computing services have highlighted the need to develop a formal framework to evaluate these types of solutions and the lessons learned along the way have helped the Corporation identify some of the key criteria to include in such a framework.
Cloud computing also meets the Technology Strategy Board’s principles, which, in turn, serve CBC/Radio-Canada’s 2015 Everyone, Every way initiative, in that it empowers our people, who are key in making the 2015 strategy a success. Our future Cloud computing endeavours will foster the continuing innovation that allows CBC/Radio-Canada to remain a leader in the media world.
International Information Systems Security Certification Consortium, The Official (ISC)2 CISSP CBK Review Seminar, February 2013