Author: Samuel Lewis, Senior Security Consultant, CISO Global
PREFACE: I want to make clear that I am not a legal professional and am not offering legal advice in this article. What I am giving you, here, are some high-level topics you should discuss with your organization’s inside or external counsel before you engage a new cloud vendor. Skipping that especially important conversation could cost you more than you save in an hour or two of legal fees to get their professional opinion.
Cloud Vendors Make It Easy for You…
Cloud application, platform, and infrastructure vendors (cloud service providers, or CSPs) do a great job of advertising online. They offer seemingly painless ways to sign up for their services through “freemiums” and two-week trials, advertisements that follow you from Google to LinkedIn, and what appear to be straightforward sales processes. However, signing up with a cloud vendor too quickly to solve a problem you are facing could cause bigger problems if you haven’t performed due diligence. So far in this series, we’ve talked about the potential risks a cloud provider can introduce around the security of your data, uptime and availability, vendor lock-in, and data loss or leakage. Today, we are going to consider potential compliance and/or legal issues as well as CSP reliability concerns.
…But There’s a Lot to Consider, Like Data Residency
When you store data in the cloud, whether that’s a SaaS application, supporting cloud infrastructure, or platform as a service (PaaS), it’s essential to think through issues around data residency, data sovereignty, regulatory requirements for your industry, and legal jurisdictions for the geographical locations in which your data may end up. When you sign up for an AWS account, for example, you will want to consider the sheer number of global geographies in which Amazon owns data centers. Some industries and countries regulate where data can legally be stored and what can be done with that data. Services like Amazon often transfer data between data centers around the world, using load balancers and other mechanisms to ensure that one server or group of servers is not overutilized while others go underutilized. Without such transfers, their services may slow down; that slowdown is called latency. Customers complain about latency, and most cloud providers have service level agreements (SLAs) around speed, uptime, and availability. Because of this, they use these geographical data transfers to ensure they can meet their SLA commitments. That’s great on a functional level, but if your geographically regulated datasets are inadvertently sent through a country where they are not permitted to be, due to data residency rules, you could have a serious problem on your hands.
…And Data Sovereignty
Let’s take that scenario one step further. If you are storing data for a company that has rules around data residency, but you accidentally send it through a country that has unfavorable laws governing what can and cannot be done with data inside its borders, a concept called “data sovereignty,” you could have an even bigger issue. Suppose your client’s customer data is protected from being viewed, stored, or processed by any third party without express consent, as is the case with GDPR privacy protections, but that dataset is sent through a datacenter in a country whose government policy is to view, copy, and retain all data within its borders. You may have contracted with the cloud provider in your home country, never even considering that the data could leave a geographical border. So, now you have violated GDPR compliance laws and potentially opened your organization up to millions of dollars’ worth of fines. (Yes, that’s millions. GDPR enforcement agents don’t mess around – just ask Facebook or Google.) And all you did was hire a cloud vendor to help you execute with excellence in service and operations.
To be sure, there are cloud providers who intentionally house data within regional borders and advertise as such. You just need to talk with your organization’s legal and compliance teams to find out a) what your obligations are for data handling, residency, and sovereignty and b) whether your intended cloud vendor will introduce risk in that area.
Get Clarity on Legal and Compliance Obligations
If you handle data for an organization that is under legal obligation to keep data within certain borders, or if you are that organization, you need clarity about where your data could end up if you entrust it to a cloud vendor. This also gets into another compliance and legal obligation you will want to consider. What is your role in protecting data entrusted to you? If you are under GDPR compliance requirements, as mentioned above, you will want to pay special attention to any partners you engage to either store or handle data. If you are the data controller by GDPR (or other related privacy regulation) definition, you will be held responsible for what happens to that data, regardless of whose environment it is in. The data controller is the organization that is collecting and making decisions about the personal and/or customer data, including what partners store, handle, or process that data once it has been collected by you. So, if you store data you have collected in a vendor’s cloud environment, and that cloud provider is compromised somehow, you are held primarily responsible, because you are the organization that engaged the provider and entrusted the data to them. If you are not sure what regulations may apply to you, it would be good to get an outside evaluation of the various countries in which your customers reside and what laws may be in place to protect them. Being unaware will not preclude being held responsible in the event of even an accidental violation.
Create Proper Data Flows and Do Thorough Vendor Reviews
To mitigate potential compliance violations and/or vulnerabilities that could lead to compromise of the data you are entrusting to a cloud provider, you will want to track, review, and audit all users who have access to your data. This information should be available through logs. If your preferred cloud vendor does not have a logging option available, or does not make those logs available to you as their client, that is a strong indicator that you may not wish to use their services. Keeping these logs will help you demonstrate compliance, particularly around protecting the privacy and security of sensitive data sets. It also allows you to ensure that the only people accessing and/or using your data are people to whom you have granted permission, and that their purposes for doing so are permissible under your policies. For example, you would not want to overlook a cloud vendor’s policies and practices around handling your data if they are using it for marketing or other purposes not expressly approved by you.
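As an added illustration (not code from the original article), here is a small Python audit over constructed CloudTrail-style access records that flags the two things discussed above: events that ran outside the regions where the data set is permitted to reside, and access by principals the data controller has not approved. The log values, the allowed regions and the approved principal list are all assumptions for the example.

```python
import json

# Constructed CloudTrail-style records (invented values, not real log data);
# the field names follow CloudTrail's JSON schema.
SAMPLE_LOG = """\
{"eventTime": "2024-01-10T08:00:00Z", "eventName": "GetObject", "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-reader"}}
{"eventTime": "2024-01-10T08:05:00Z", "eventName": "CopyObject", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-reader"}}
{"eventTime": "2024-01-10T08:07:00Z", "eventName": "GetObject", "awsRegion": "eu-central-1", "userIdentity": {"arn": "arn:aws:iam::999988887777:user/vendor-support"}}
not-json-garbage
"""

# Policy inputs (assumed for this example): where the data set is permitted to
# be processed, and which principals the data controller has authorised.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/app-reader"}


def audit(log_text, allowed_regions=ALLOWED_REGIONS,
          approved_principals=APPROVED_PRINCIPALS):
    """Return a list of findings, one per policy violation.

    Each finding is (kind, eventTime, eventName, awsRegion, principal), where
    kind is "residency" (event ran outside the permitted regions) or
    "unapproved-principal" (actor not on the approved list). Lines that are
    not valid JSON are reported as "unparseable" so gaps in the log are
    visible rather than silently ignored.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("unparseable", None, None, None, line[:40]))
            continue
        region = ev.get("awsRegion")
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        when, name = ev.get("eventTime"), ev.get("eventName")
        if region not in allowed_regions:
            findings.append(("residency", when, name, region, principal))
        if principal not in approved_principals:
            findings.append(("unapproved-principal", when, name, region, principal))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(" | ".join(str(x) for x in finding))
```

In practice the same check would run over the vendor's exported access logs on a schedule, with the allowed regions and approved principals taken from the data-handling obligations your legal and compliance teams identified.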
Review Copies of Your Cloud Vendor’s Security Validations
In addition to understanding your regulatory requirements as an organization, you’ll want to understand how reliable your desired cloud vendor is. Namely, what evidence can they provide that they will do what they promise, and that their environment is as secure as they say it is? I encourage all clients to request security validations like the most recent penetration test report, validations of compliance, and a conversation between their security team and yours. We perform vendor evaluations for our own providers, internally, and on our clients’ behalf. Here’s a rule of thumb – if a provider cannot send over a report quickly, is hesitant to put someone on the phone with you to answer security questions, invites legal counsel to the call, or is otherwise unhelpful in answering your inquiries, you probably don’t want to use them. Those are all signs of an immature security program. Especially if you are under compliance requirements, this can be a major red flag. There are many vendors CISO chooses not to do business with for this reason. All your friends may tell you this person is a solid provider, but unless they have a security program that is validated by solid evidence, and they have a full-time security team available and knowledgeable enough to answer questions, why would you trust them with your data?
Get Creative with Best-Practice Mitigating Controls
It may be that you can mitigate this risk with a compensating control and still use your preferred provider. For example, can you feed any part of the environment into your security monitoring services? Can you install third-party security technology on top of their environment to bolster security? Who controls the configurations? Will they provide you with a list of everyone in their organization who has access to the environment in which your data is housed, and what their roles are? Hesitance to do so, again, is a red flag.
Consider Continuous Monitoring
The likelihood of your adding security tools to help protect a cloud environment will be higher for cloud infrastructure or platform as a service (IaaS, PaaS) providers, but you may still be able to work with some software as a service (SaaS) providers if they are more mature in their cybersecurity program. Continuous monitoring (ongoing view and assurance of compliance with a set of policies, including active identification and remediation of new vulnerabilities, rather than a singular point-in-time evaluation and report) of the cloud environment’s performance, accessibility, and cybersecurity will help in all three instances, however. The ability to actively and continuously monitor all aspects of the specific environment in which your data is housed is a key capability.
If you would like support architecting a cloud environment securely, evaluating a responsibility matrix, understanding compliance requirements, or creating/executing compensating security controls to protect your data in a cloud environment, reach out to us anytime. We’re here to help!