NY ITL Presentation: Turbulence Within the Cloud, by Joe Merces

Upload: government-technology
Post on 07-Apr-2017

TRANSCRIPT

TURBULENCE WITHIN THE CLOUD

• How do you pick the RIGHT Cloud Service Provider (CSP)?

• Do you choose based on ease of use?
• Do you choose based on features?
• Do you choose based on reviews?
• Do you bother reading the EULA?
• Does any of this matter?

TURBULENCE WITHIN THE CLOUD

• Know what to ask and how to select the right cloud before winding up in a fog of bewilderment.

• Know what to consider and agree to in order to protect your data.

CLOUD CONSIDERATIONS?

• What do we mean?
• Do you care if your data will be stored somewhere other than the United States?
• Do you care if the vendor has claim to your data once you copy it to their service?
• Do you care about whether your data is secure and protected?
• Security, Privacy, Potential Legal Pitfalls…

CLOUD CONSIDERATIONS

• Disaster Recovery
• Backup and Recovery
• Security
• Encryption
• Multi-Factor Authentication
• Data Ownership
• Data Commingling

Disaster Recovery

• CSP should have disaster recovery plans in place that keep downtime to a defined minimum across the various degrees of system failure (single host, data center, region).

• CSP should represent that these plans are documented and have been tested, and you should have a contractual right to review them.

BACKUP AND RECOVERY

• CSP should have a backup of your data for at least the last 24 hours.

• Data recovery within a recovery time objective (“RTO”) of four (4) to six (6) hours and a recovery point objective (“RPO”) of 1 to 2 hours or less.

• Backup of Data should be to an off-site “hardened” facility no less than daily, maintaining the security of the Data. Note that a daily backup by itself yields an RPO of up to 24 hours; meeting a 1 to 2 hour RPO requires hourly snapshots or continuous replication to the off-site facility in addition to the daily copy, and the RTO is only meaningful if restores are actually drilled and timed.

• Backup data must be encrypted in transit and at rest.

• CSP should have a minimum of two United States-based recovery sites, only one of which may be on the West Coast of the United States.
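The RTO and RPO figures above are only verifiable against evidence: the CSP's backup job history and timed restore drills. The script below, an added example that is not part of the original presentation, turns the two numbers into a check over such a history. The log format (timestamp, site, job kind, status, optional restore duration in minutes) and the site names are assumptions constructed for this example; map the CSP's real backup report onto `parse_log`. The achieved RPO is the largest gap between successful backups (a failed job does not move the recovery point), and a site that has never completed a restore drill is reported as not meeting the RTO rather than silently passing.

```python
"""Check a CSP's backup job history against the RTO/RPO terms of the contract.

Added example; the log layout, site names and sample records are constructed
for illustration and are not from the presentation or any real CSP.
"""
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
#   <ISO timestamp> <site> <BACKUP|RESTORE> <ok|failed> [duration_minutes for RESTORE]
SAMPLE_LOG = """\
2017-03-01T00:05:00 east-1 BACKUP ok
2017-03-01T01:05:00 east-1 BACKUP ok
2017-03-01T02:05:00 east-1 BACKUP failed
2017-03-01T03:05:00 east-1 BACKUP ok
2017-03-01T04:00:00 east-1 RESTORE ok 240
2017-03-02T04:00:00 east-1 RESTORE ok 300
2017-03-01T00:10:00 west-1 BACKUP ok
2017-03-02T00:10:00 west-1 BACKUP ok
"""

RPO = timedelta(hours=2)   # recovery point objective from the slide (upper bound)
RTO = timedelta(hours=6)   # recovery time objective from the slide (upper bound)


def parse_log(text):
    """Yield (timestamp, site, kind, status, duration) tuples; duration is None for backups."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        duration = timedelta(minutes=int(parts[4])) if len(parts) > 4 else None
        yield ts, parts[1], parts[2], parts[3], duration


def achieved_rpo(records, site):
    """Worst-case data-loss window: the largest gap between *successful* backups.

    Failed jobs are skipped on purpose; the gap that spans a failure is exactly
    the window an auditor should be looking at.
    """
    times = sorted(ts for ts, s, kind, status, _ in records
                   if s == site and kind == "BACKUP" and status == "ok")
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def achieved_rto(records, site):
    """Longest successful restore drill for the site, or None if never drilled."""
    durations = [d for _, s, kind, status, d in records
                 if s == site and kind == "RESTORE" and status == "ok" and d is not None]
    return max(durations) if durations else None


def evaluate(text, rpo=RPO, rto=RTO):
    """Return {site: {"rpo", "rto", "rpo_ok", "rto_ok"}} for every site in the log."""
    records = list(parse_log(text))
    report = {}
    for site in sorted({s for _, s, _, _, _ in records}):
        rpo_got = achieved_rpo(records, site)
        rto_got = achieved_rto(records, site)
        report[site] = {
            "rpo": rpo_got,
            "rto": rto_got,
            # A site with fewer than two good backups, or no restore drill at all,
            # cannot be counted as meeting the objective.
            "rpo_ok": rpo_got is not None and rpo_got <= rpo,
            "rto_ok": rto_got is not None and rto_got <= rto,
        }
    return report


if __name__ == "__main__":
    for site, result in evaluate(SAMPLE_LOG).items():
        print(site, result)
</```

In the constructed sample, `east-1` meets both objectives (worst gap 2 hours, longest drill 5 hours) while `west-1`, which only receives the daily off-site copy and has never been drilled, fails both: that is the mismatch between "daily backup" and "RPO of 1 to 2 hours" called out above, made visible in the evidence.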

SECURITY

• CSP should be responsible for establishing and maintaining a data privacy and information security program, including physical, technical, administrative, and organizational safeguards, which is designed to:
  – (a) ensure the security and confidentiality of your Data;
  – (b) protect against any anticipated threats or hazards to the security or integrity of your Data;
  – (c) protect against unauthorized disclosure, access to, or use of your Data;
  – (d) ensure the proper disposal of your Data if requested or required by applicable law; and,
  – (e) ensure that all employees, agents, and subcontractors of CSP abide by it.

SECURITY

• Firewalls
  – CSP must use reasonable precautions, including but not limited to, physical, software, and network security measures, employee screening, training and supervision, and appropriate agreements with employees, to:
  • (a) Prevent anyone other than the designated users or its authorized employees from monitoring, using, gaining access to, or learning the import of your Data;
  • (b) Protect appropriate copies of your Data from loss, corruption, or unauthorized alteration; and
  • (c) Prevent the disclosure of your passwords and other access control information to anyone other than authorized users/employees.

SECURITY

• Segmenting
  – CSP must implement security controls that adequately safeguard against intrusion, tampering, viruses, and other security breaches (see NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems).

• Audits
  – The CSP should conduct annual audits of its data privacy and information security program and share the audit findings.

  – The CSP should be willing to have an independent audit upon written request to ensure compliance with, as applicable: Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)/Health Information Technology for Economic and Clinical Health Act (“HITECH”); Gramm-Leach-Bliley Act (“GLB”); Family Educational Rights and Privacy Act (“FERPA”); the Payment Card Industry Data Security Standard (“PCI DSS”); Federal Trade Commission Act (“FTC”); and any other relevant standards, at the expense of the contracting Department. CSP agrees to cooperate fully with any such audit(s).

  – You have a right of audit to review the CSP’s data privacy and information security program prior to the commencement of the agreement and from time to time during the term of the agreement, at your expense.

SECURITY

• Penetration Testing
  – The CSP must conduct periodic penetration testing for all public-facing applications at intervals of no greater than one year. This must be done both internally and externally.

• Performance Testing
  – Performance testing is required for all public-facing applications. The CSP must demonstrate the ability to conduct performance testing and establish terms for testing and cost.

• Forensic and Investigative Response
  – The CSP must maintain appropriate chain of custody throughout the duration of the agreement for the purposes of potential forensic or legal investigation.

SECURITY

• Vulnerabilities
  – CSP software applications and any third-party software applications embedded in the CSP’s software applications must be free from known vulnerabilities and defects. The CSP must provide vulnerability scanning services for critical systems or systems hosting sensitive data. The CSP should provide attestation by an objective third party, stating that the application has been tested for common security vulnerabilities as articulated by the "OWASP Top-10" as published by the Open Web Application Security Project (see www.owasp.org for the current list of the top 10).

SECURITY

• Authorization and Access
  – The CSP must enforce the following IT security best practices with respect to its services:
  • (a) Least Privilege: CSP should authorize access only to the minimum amount of resources required for a function.
  • (b) Separation of Duties: CSP shall divide functions among its staff members to reduce the risk of one person committing fraud undetected.
  • (c) Role-Based Security: CSP shall restrict service access to authorized users and shall base access control on the role a user plays in an organization.

• Data Storage
  – CSP agrees that data will be stored in the United States of America only.

• Changes in Service
  – CSP will provide notification of any changes in the services, such as changes made as enhancements and upgrades, which can impact the security of the services.

SECURITY

• Vendor Induced Inhibiting Code and Hardstop/Passive License Monitoring
  – The CSP should not include any Vendor Induced Inhibiting Code (“VIIC”) or any other inhibitor on reports and data submitted. VIIC is defined as any deliberately included application or system code that will degrade performance, result in inaccurate data, deny accessibility, or adversely affect, in any way, programs or data or use of the services.

• Click-through Agreements
  – All click-through or click-wrap agreements presented to users in the course of the use of the services are inapplicable.

SECURITY

• Encryption
  – The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the CSP and approved by your Chief Information Security Officer, or a governing body such as DoITT or ITCS. Proven, publicly vetted algorithms such as AES and RSA should be used as the basis for encryption technologies. Triple-DES and Blowfish are 64-bit block ciphers exposed to practical birthday attacks on long-lived connections (Sweet32, 2016) and should be retired; PGP is a message format rather than an algorithm and is acceptable only when built on the AES/RSA choices above.
  – At a minimum, the hash algorithm should be SHA-256 or stronger (SHA-2 family). MD5 has been collision-broken for years and a practical SHA-1 collision was published in February 2017, so neither is acceptable for digital signatures, certificates, or integrity checks.
  – SSL/TLS implementations should use TLS 1.2 or later with AES (preferably AES-GCM) for the cipher component and SHA-256 or stronger for the digest; SSL 3.0, 3-DES, RC4, and MD5 must be disabled.

  – Who owns the encryption keys?
  – Will the CSP allow ownership of the encryption keys to be yours? Ownership is preferred for a few important reasons: a CSP that never holds the key cannot read your data, cannot hand it over in readable form to a third party, and cannot keep a usable copy after you destroy the key on exit.

• Data Ownership
  – All Data is owned exclusively by YOU/Agency/State/City and cannot be used by the CSP for any purpose other than to provide the services to the agency.
  – The CSP must not be able to remove metadata.
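A CSP will usually answer the encryption question with a list of TLS cipher suites. The script below, an added example that is not part of the original presentation, turns the encryption terms above into a mechanical policy over such a list: anything built on NULL, export-grade, anonymous, RC4, DES/3-DES, or MD5 components is rejected outright; suites that lack forward secrecy (static RSA key exchange) or an AEAD mode (AES-GCM, AES-CCM, ChaCha20-Poly1305) pass with a warning; the rest are accepted. The sample questionnaire answer is constructed, the classification rules are this example's own reading of the slide rather than any published standard, and the final helper simply runs the same policy over whatever this host's OpenSSL build offers by default (Python's `ssl.SSLContext.get_ciphers()`), which is a cheap way to check your own side of the connection as well.

```python
"""Evaluate a CSP's reported TLS cipher suites against the encryption terms above.

Added example; the sample answer is constructed and the rules below are this
example's interpretation of the slide, not a published standard.
"""
import ssl

# Constructed sample "questionnaire answer" in the mixed OpenSSL/IANA spellings
# vendors actually send back.
CSP_ANSWER = """\
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
AES128-SHA256
DES-CBC3-SHA
RC4-MD5
TLS_AES_128_GCM_SHA256
"""

# Name tokens that make a suite unacceptable under the slide's terms.
REJECT_TOKENS = {
    "NULL": "no encryption",
    "EXPORT": "export-grade key size", "EXP": "export-grade key size",
    "ANON": "unauthenticated key exchange", "ADH": "unauthenticated key exchange",
    "AECDH": "unauthenticated key exchange",
    "RC4": "RC4 stream cipher is broken",
    "MD5": "MD5 digest is collision-broken",
}


def _tokens(name):
    """Normalise 'ECDHE-RSA-AES128-GCM-SHA256' and 'TLS_..._WITH_...' to one token list."""
    return name.strip().upper().replace("-", "_").split("_")


def classify(name):
    """Return (verdict, reasons) for one suite; verdict is 'reject', 'warn' or 'accept'."""
    toks = _tokens(name)
    reasons = [why for tok in toks for bad, why in REJECT_TOKENS.items() if tok == bad]
    if any("DES" in tok for tok in toks):          # DES, 3DES, DES_CBC3 spellings
        reasons.append("DES/3-DES has a 64-bit block (Sweet32)")
    if reasons:
        return "reject", sorted(set(reasons))

    warnings = []
    aead = any(tok in ("GCM", "CCM", "POLY1305") for tok in toks)
    # ECDHE/DHE give forward secrecy; TLS 1.3 names (no WITH token) always do.
    pfs = "ECDHE" in toks or "DHE" in toks or ("WITH" not in toks and toks[0] == "TLS")
    if not aead:
        warnings.append("CBC mode with HMAC; prefer an AEAD suite (AES-GCM or ChaCha20-Poly1305)")
    if not pfs:
        warnings.append("static RSA key exchange offers no forward secrecy")
    if not any(tok.startswith("AES") or tok == "CHACHA20" for tok in toks):
        warnings.append("bulk cipher is not AES or ChaCha20")
    return ("warn" if warnings else "accept"), warnings


def evaluate(answer):
    """Classify every non-blank line of a vendor's suite list: {suite: (verdict, reasons)}."""
    return {line.strip(): classify(line) for line in answer.splitlines() if line.strip()}


def local_stack_report():
    """Run the same policy over what this host's OpenSSL offers by default."""
    ctx = ssl.create_default_context()
    return {c["name"]: classify(c["name"])[0] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for suite, (verdict, reasons) in evaluate(CSP_ANSWER).items():
        print(f"{verdict:7} {suite:32} {'; '.join(reasons)}")
    print("\nlocal OpenSSL defaults:")
    for suite, verdict in local_stack_report().items():
        print(f"{verdict:7} {suite}")
</```

Of the six constructed lines, two are accepted, two are rejected (3-DES, and RC4 with MD5), and two pass with warnings; the warnings are the useful part of the answer, because "AES with SHA" can be reported truthfully by a vendor whose configuration still has no forward secrecy.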

Exit Strategy

• Have an exit strategy.
• Will you be able to get your data from the CSP?
• Will your data be in a format you can use when you leave?