Cloud Computing Risk Mitigation

NIST Definition of Cloud Computing

Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

An in-depth Risk Assessment should be performed for Cloud Computing Outsourcing.

Risk Mitigation in any Outsourcing Scenario (To satisfy MAS Requirements)

The controls below, which apply to a Service Outsourcing scenario, also apply to a Cloud Outsourcing scenario and help to reduce its inherent risks.

  • The Client Company should be able to contractually restrict the Production, DR and Non-Prod Datacenters where its data is hosted. The locations from which the data will be accessed or processed should also be contractually restricted. The Client Company should retain Sovereignty over its Data.
  • The Client Company should have the contractual power and means to promptly remove or destroy data stored at the service provider’s systems and backups.
  • The Client Company should have the contractual power to audit the Service Provider and any Sub-Contractors who are hosting/processing/accessing the Client Company’s data.
  • Data Loss Prevention solutions (Encryption, Access Control, Leakage Prevention) for Data at Rest, in Motion and at End Points should be enforced.
  • Where the Outsourced Service is Critical/Key to the functioning of the Client Company, any System Malfunction or IT Security Incident with Material Impact on the Client Company or its Customers should be reported to the Client Company. The Client Company is obliged to report it to MAS within 1 hour and to follow up with a Root Cause Analysis (RCA) within 14 days.

References

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

MAS TRM Guidelines

Bare-Metal Server vs Virtual Servers

Bare-Metal refers to the creation of a server using a Hypervisor directly on the Hardware platform. The server created is dedicated to a single tenant.

Virtual Server refers to creating a virtual server with flexible resources. Typically, one virtual server exists alongside many other virtual servers built on top of a Host OS. This scenario gives rise to multi-tenancy issues.

References

http://www.internap.com/2015/02/26/bare-metal-vs-hypervisor/

http://www.thoughtsoncloud.com/2014/07/bare-metal-vs-virtual-servers-choice-right/

http://www.softlayer.com/bare-metal-servers

http://www.softlayer.com/virtual-servers

Outsourcing – IT Controls (MAS TRMG)

Any restrictions?: There is no restriction on the implementation of Cloud Computing, as long as the necessary due diligence is completed and the controls required for Outsourcing are in place.

Reference: Section 5 of the Technology Risk Management Guidelines (TRMG).

Due Diligence Check: A due diligence check should be completed to assess the viability, capability, reliability, track record and financial position of the service provider, and its outcome should be approved by the parties involved.

Verification of DR Results: The FI should verify the service provider’s ability to recover the outsourced systems and IT services within the stipulated recovery time objective (“RTO”) prior to contracting with the service provider.

DR Training and Participation: The service provider should participate in the FI’s DR activities and should receive DR-related training.

Contingency Planning: The FI should prepare contingency plans for credible worst-case scenarios in which the service provider is unable to continue providing the services.

Data Return and Removal: Upon termination of the contract, the service provider should return the FI’s data and remove all of it from their systems and backups. This should be contractually enforced.

Data Protection: Multi-tenancy and data commingling architectures should be risk assessed to ensure that the FI’s data are securely access-controlled and protected.

Contract: The contract should include performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facility. The service provider should be legally auditable by the FI’s regulators.

(SLA, Scalability, Security, Auditability, DR Planning)

Regular Monitoring: The FI should monitor the security policies, procedures and controls of the service provider on a regular basis.