Cloud Computing Risk Mitigation

NIST Definition of Cloud Computing

Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

An in-depth Risk Assessment should be performed for Cloud Computing Outsourcing.

Risk Mitigation in any Outsourcing Scenario (To satisfy MAS Requirements)

The controls below, which apply to a Service Outsourcing scenario, also apply to a Cloud Outsourcing scenario and help to reduce inherent risks.

  • The Client Company should be able to contractually restrict the Production, DR and Non-Prod Datacenters where their data is hosted. Locations from which the data will be accessed / processed should also be contractually restricted.  The Client Company should have Sovereignty over their Data.
  • The Client Company should have the contractual power and means to promptly remove or destroy data stored on the service provider’s systems and backups.
  • The Client Company should have the contractual power to audit the Service Provider and any Sub-Contractors who are hosting/processing/accessing the Client Company’s data.
  • Data Loss Prevention solutions (Encryption, Access Control, Leakage Prevention) for Data at Rest, in Motion and at End Points should be enforced.
  • Where the Outsourced Service is Critical/Key to the functioning of the Client Company, any System Malfunction or IT Security Incident with Material Impact on the Client Company or its Customers should be reported to the Client Company, which has an obligation to report to MAS within 1 hour and to follow up with a Root Cause Analysis (RCA) within 14 days.

References

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf 

MAS TRM Guidelines 

Bare-Metal Server vs Virtual Servers

Bare-Metal refers to the creation of a server using a Hypervisor directly on the Hardware platform. The server created is dedicated to a single tenant.

Virtual Server refers to creating a virtual server with flexible resources. Typically, one virtual server exists alongside many other virtual servers built on top of a Host OS. This scenario causes multi-tenancy issues.

References:

http://www.internap.com/2015/02/26/bare-metal-vs-hypervisor/

http://www.thoughtsoncloud.com/2014/07/bare-metal-vs-virtual-servers-choice-right/

http://www.softlayer.com/bare-metal-servers

http://www.softlayer.com/virtual-servers
