Technology

Taming the Wild West: How to build a strong cloud security strategy

2

The cloud is a fast-moving target that will operate very differently six months from now than it does today. It is clear, however, that companies are already reaping game-changing benefits by using the cloud to, for example, improve time to market or quickly scale up or down their capacity demands. And many are doing so in a controlled and secure way, either using the cloud provider’s services or supplementing those services in-house.

Indeed, the cloud represents a fresh chance for organizations to rethink their approach to information security. Typically, security is a bolt-on affair, limited to dealing with the inadequacies of a specific technology. That approach is reactive and bottom-up.

As companies transition to the cloud, they have the opportunity to adopt a top-down approach in which the security framework is understood, set and supported by management. And in many cases, organizations will not own the security mechanisms themselves.

An effective cloud security program will delegate layers of security to various parties, with cloud providers doing their part as well.

Security management is about protecting the company and its assets. It is not a purely technical issue. The topic covers legal, compliance and regulatory requirements, hackers and attackers, threats and vulnerabilities. So far, the security race has not fully kept pace with the speed at which the cloud model is moving. That will change rapidly, as cloud providers continue to mature their security operations, the law catches up with technology, and standards emerge to address the risks of a multi-tenant computing environment.

Based on Accenture’s experience working with the providers and clients breaking ground in the cloud, we recommend five principles for crafting an effective cloud security strategy.

Five principles for crafting a security strategy1. Know your appetite for data privacy

and security risk.

2. Expect to share responsibility.

3. Demand transparency and accountability from cloud providers.

4. Use the cloud to solve identity and access management issues.

5. Architect solutions that address the risk.

Perhaps you are not yet convinced that the benefits of the cloud outweigh the considerable legal and regulatory risks. Or maybe you are waiting for the right moment to commit. You ask, “Are we ready to shoulder the responsibility of moving our data to the cloud?” and “Do we really know what good cloud security is for our company?”

Can You Reap the Benefits of the Cloud?

3

Know your appetite for data privacy and security riskLegal and regulatory issues are amplified in a cloud setting. These issues can pertain to the handling of an incident, protecting individual data privacy or collecting evidence. Cloud technology is evolving so fast that legislation and regulations have not been able to keep apace of its development, leading to different and sometimes conflicting obligations in terms of who has to follow the law. This is something recognized by the EU and the revision of the EU Data Privacy Framework Legislation will seek to catch-up with developments in technology.

It is important, first, to distinguish between data privacy and security. Compliance with data privacy law is a minimum requirement. That goal can be achieved in a number of ways—for example, by collecting only the minimum amount of personal information or issuing notifications in case of a breach. Security is a broader topic that allows an organization to take clear-cut action in accordance to strategic objectives and the importance of the assets that will be at risk.

To figure out whether a risk is worth taking, companies need to classify (and value) their data and make internal policy decisions regarding how to handle each class. Low-sensitivity and non-personal data are not regulated by data privacy laws and can be placed in the public cloud without modification of standard contract terms or operational controls. Enterprises may decide to retain confidential and regulated data in-house or filter it before passing it through to the cloud — though some companies are choosing to put sensitive data in the cloud in controlled use cases, fulfilling the legal requirements around transfers of data to determine where the real issues lie.

Data can also be risk delineated based upon knowledge of the application type that will move to the cloud, such as:

•Enterpriseapplications–coreline-of-business applications that involve personally identifiable information (PII) and contain regulated data that must be handled internally or in a co-location facility on behalf of clients

•Edgeapplications–applicationsthat are not mission critical, have no data issues, and can be hosted in a dedicated or shared environment

•Applicationextensions–extensionsof enterprise or edge applications, such as components used for bursting of bandwidth, web portals or front ends with seasonal usage, which can be hosted in a dedicated or shared environment

The costs of adding confidentiality, integrity and availability protection mechanisms for each application type will vary. For example, a core banking application or manufacturing process control system will not relocate to the cloud without steep security investments. Ultimately it will be up-to management to decide if the benefits outweigh any residual risks.

The Compliance Dilemma: Regulations in Need of Global Harmonized ApproachThe security and data privacy laws and regulations currently in force were instituted pre-cloud. They reference de facto standards (e.g., ISO/IEC 27000-series, NIST Special Publications) that do not attempt to decipher or address cloud issues such as continuity of cloud services, evidence control in a virtualized environment or security architectures across jurisdictions.

As a result, cloud security solutions that rely solely on these standards will sometimes find themselves in conflict or deviation with regulations. Across the European Economic Area (EEA), data privacy laws prevent data from being accessed or transferred outside the EEA unless certain preconditions are fulfilled. In order for companies to store EEA data in clouds outside of Europe, these conditions must be satisfied by the cloud providers and described in the terms of service. Non-EEA cloud providers that do not meet these legal conditions are not eligible to host EEA data.

Even when regulations are not directly at odds with what the cloud is trying to do, ambiguity and the thicket of potentially conflicting laws cast a cloud over companies’ initiatives to deploy to the cloud.1 Here are just a few examples of the quandaries companies face:

•Lawsrequiringbackupstobeencrypted (such as the Health Insurance Portability and Accountability Act (HIPAA) and in Massachusetts and Nevada) can be difficult to interpret in a cloud environment. Who is responsible for performing the backup? For the encryption? In addition to application-level encryption, who is responsible for encrypting data and hardening communication channels as data gets replicated between data centers?

•Lawsthatincludephysicalandhardware security requirements (Spain, Italy and Massachusetts) don’t specify who is responsible for implementing these requirements in a shared environment. How does a cloud supplier respond to multiple overlapping requirements from different customers?

4

•Lawscontrollingdataretentionmay conflict with each other or with governing data privacy laws. If an enterprise needs to collect passport information, there will likely be a local mandate for a retention period, and that mandate may conflict with data privacy laws of another country.

Until global IT, data privacy and information security regulations regulations are updated and harmonized, companies should survey the cloud provider’s security and data privacy controls in the countries where they operate or where their data may reside, and then use a cumulative set of requirements as a baseline. That knowledge can help businesses and cloud providers resolve impasses regarding data privacy and security. Indeed, a close analysis of a wide swath of data privacy and security laws reveals that many countries’ compliance regulations are overlapping, but also contain specific requirements.

Furthermore, organizations should be aware of and help accelerate the creation of global harmonized requirements for data privacy and security and global standards by industry groups. The Common Assurance Maturity Model (CAMM) and the Open Group Initiative are but two examples of efforts to create the standards on which regulations rely. CAMM, for example, is proposing standard levels, similar to the ISO 27005 certification model, to help companies perform due diligence on cloud providers. Instead of performing a full audit themselves, clients can rely on the CAMM certification level achieved by the provider.

A Cloud Computing Risk Management FrameworkThe shift to cloud computing alters the risk landscape, just as any technological change does; and this risk must be analyzed and then mitigated at the enterprise level. If data is stolen or released by mistake, for example, a company would be exposed to direct losses, public embarrassment, and lawsuits as well as the costs undoing other damage.

There are new vulnerabilities and threats that are specific for cloud computing. For example, a cloud provider can outsource certain specialized tasks of its “production” chain to third parties. In such a situation, the level of security of the cloud provider depends on the level of security of each one of these links as well as the level of dependency of the cloud provider on the third parties.

Multi-tenancy and shared resources, two of the defining characteristics of cloud computing, can in the extreme introduce “class breaks”. Here a failure in the mechanism that separates storage, memory and routing, would lead to new attacks from data theft, service disruption to invalidation of assurance levels for both cloud provider and their clients.

Decision Point: Do You Need to Know Where Your Data Will Reside? Control over data location comes up frequently in contract negotiations. Cloud providers prefer to locate data wherever it makes the most sense from a scale and cost perspective, while customers want to dictate that location.2 Remember, regulated data remains regulated regardless of its location, and data owners remain responsible for the acts and omissions of their service providers.

Providers should be able to pinpoint the country or countries in which the data is located; the sticking points are whether they have the freedom to move that data and whether they will agree to the obligatory contractual and operational guarantees that satisfy applicable legal requirements based on the data’s origin and use. In several industries, such as biopharma, momentum is building to harmonize regulations related to the cloud, particularly those related to data location, roles and responsibilities, movement restrictions, and government data access.3

Regulated data remains regulated regardless of its location, and data owners remain responsible for the acts and omissions of their service providers.

5

Automation increases auditfrequency which reduces risk

Mature organizations use automation to reduce costs by up to 54%

Mon

ths

betw

een

asse

ssm

ents

Rela

tive

spen

d on

regu

lato

ry c

ompl

ianc

e

7

6

5

4

3

2

1

0

Least mature

Least mature

MostMature

100%

80%

60%

40%

20%

0%

MostMature

54% less

Based on survey of 3,280 companies

6

Figure 1. Achieving scale to reduce risks and costs

Source: IT Policy Compliance Group

Understand the cloud Gain visibility into the cloud Govern the cloud•Determinethelevelofrisk

that you are willing to take by rigorously analyzing threats, vulnerabilities and selecting countermeasures.

•Harmonizetherightregulatoryregimes and legal requirements from different industries, countries and jurisdictions.

•Findtherightmixofguidanceand standards: National Institute of Technology and Standards, International Organization for Standardization, European Network and Information Security Agency.

•VerifythatSLA/contractterms are favorably established with all cloud service providers.

•Usetechnical,administrativeand physical control mechanisms to check for the security health of a cloud provider.

•Verifythatsecuritycontrolsare maintained so long as the relationship is in place.

•Senseandpredictwhensystemswill deviate from the norm in order to avoid violations and emerging threats.

•Ensureexecutivemanagementis on board, define policies and implement a continuous security program.

•Ensurestrongcoordinationwithand direction of system integrators used to place and maintain regulated data in the cloud.

•Promotesecurityawarenesswithemployees and provide checklists of “must-have” security criteria for contracting teams, systems integrators, and application developers.

•Ensurethatvulnerabilitiesarecaught early and deploy cloud-specific defensive capabilities.

Goals: Share risk, establish trust and get assurances

Cloud technology is evolving so fast that legislation and regulation have not been able to keep apace of its development, leading to different and sometimes conflicting obligations in terms of who has to follow the law. This is something recognised by the EU and the revision of the EU Data Privacy Framework Legislation will seek to catch-up with developments in technology.

How can a cloud provider be safer than my own data center?Security is a heavy burden for many companies. Security patches have to be kept up to date, and configurations monitored for breaches. The turnaround time to apply a software patch typically runs 30 days and does nothing for unknown and advanced threats, such as the 6 million new viruses identified in 2010. Companies cannot thwart sophisticated cyber-attacks without advanced security capabilities, but building ROI business cases for these capabilities is difficult.

The automation of routine security activities — which has moved from once a year or once a quarter, to once every month or even every day — leads to much lower risks and costs.(SeeFigure1.)Varioussecurity measures can be achieved at lower cost when implemented on a larger scale. Cloud computing provides an opportunity to escape from the treadmill of patching systems and operational security activities.

Large cloud providers such as Microsoft, Amazon Web Services, Google, and Salesforce.com run tens of thousands of identical systems to take advantage of the economies of scale. Having grown up managing mountains of data and complex IT operations, cloud service providers perform many tasks automatically, at far less expense, than the majority of companies can. And by leveraging custom-built and uniform systems, they manage systems better than most of their customers do. It is the scale and embedded automation that make a cloud provider’s shared data centers safer than many companies’ private data centers.

Keep in mind, that most public cloud providers will provide only a base level service that is common to all customers. Cloud providers with a heritage in co-location or dedicated hosting are uniquely able to customize and add on security services for an incremental cost.

7

8

Expect to share responsibilityIt is crucial to clarify the roles of the data owner, cloud provider and system integrator, if applicable, in delivering legally compliant solutions. From a legal perspective, there is no clear division of labor between the cloud provider, an application manager (or system integrator), and the data owner. The law only cares that certain things get done, no matter who actually does them, and makes the data owner responsible for the outcomes.

Unfortunately, many data owners and cloud providers have misperceptions of their responsibilities that hinder the evolution of a secure and compliant cloud solution. The division of labor varies by the cloud service model. Some requirements will be in the span of the cloud provider’s control, others in the tenant’s control. For example, a provider may be responsible for a business continuity or disaster recovery capability that is not a standardized component of its offering. The provider may not be equipped to fail-over to its own cloud, but there may be an opportunity to design a fail-over solution to another data center.

A slew of security and compliance capabilities can be added to a cloud provider’s standard offer. Yet in our experience to date, cloud providers view one-off customizations for customers as anathema to their business models. Companies, regulators and the public should continue to pressure cloud providers to ensure that their services support compliance with applicable data privacy and security requirements.

Cloud providers remain reluctant to commit to terms that would help clients and consumers meet their obligations to the law, describing these requirements as impossible or at least prohibitively expensive. But in fact, overlapping regulations have much in common; the superset of major regulatory requirements around the world can be determined with relative ease. In short order, we expect cloud providers to recognize this fact and change their stance.

The willingness of the cloud provider to share the risk as a “service provider,” and in turn bear the necessary legal obligations on the part of the data owners, is a key part of the equation. Indeed, progressive public cloud providers can be used to host a wide array of confidential and regulated data. For example, most organizations interpret the legal or regulatory requirements to encrypt data at rest too stringently. Encryption is one way to obfuscate data, but there are other ways to achieve the same end, including masking the data and making it difficult to reassemble (by scrambling and distributing data components through virtualization).

Google uses the latter approach, which currently does not satisfy encryption laws or regulatory regimes such as the Payment Card Industry (PCI) or HIPAA. Given that the key used for encryption for data at rest in most cloud solutions usually leads to a loss of possession of the key itself, Google's obfuscation approach, which keeps even Google from easily reconstructing the data, may be a valid alternative.

The issue of data residency is significant and poses a real hurdle to the adoption of cloud computing. Enterprise users of cloud services are uneasy about the potential for a foreign government to demand access to their data. On the other hand, governments worry about losing the legal ability to oversee data in the cloud and apply their laws to data that is stored outside geographic boundaries.

All organizations, multi-nationals in particular, can reduce data privacy risks by creating accountability through robust contractual agreements, including EU Model Clauses. Each accountable party is then responsible for the data handling and protection including addressing the important issue of transferring data across legal jurisdictions.

However, the enduring solution to the data residency issue needs a global approach that includes industry involvement and recognizes and builds on existing initiatives such as the Data Privacy Accountability Model, Privacy-by-Design, and Binding Corporate Rules.

Decision Point: Pick a Cloud Model that Works for YouCloud computing models vary significantly in the security controls employed by the provider and its willingness to commit to terms and conditions (Figure 2). Most of the regulatory compliance burden will fall on the customer of Infrastructure as a Service (IaaS). Platform as a Service (PaaS) is in the middle. With Software as a Service (SaaS), the burden shifts to the supplier.

These differences underlie trends in current adoption rates of these cloud models. A 2010 Technology Business Research survey found that 54 percent of respondents in the United States and Europe had purchased SaaS, while only 26 percent had purchased IaaS solutions.4 Almost 40 percent of the respondents claimed to be planning purchases of both SaaS and IaaS by the end of 2011.

Hybrid models mix internal infrastructure, private cloud, and public cloud, and are designed to allow companies to take advantage of the economies of scale and computing power of the public cloud but store sensitive data internally.

At the end of the day, there is no 100% turnkey cloud solution. Data owners, cloud providers and system integrators (if involved) must be willing to agree to each of their roles and obligations in any cloud solution, regardless of the type.

Web Extensions to Core Applications

Vertical specific high performance applications

Marketing Portals and Applications

Content Collaboration And Distribution

Core applications

Deployment Options

Matching Application Styles to Cloud Services

Hybrid Cloud computing

Internal Data Center

Dedicated Hosting

Co-location

Service Models

SAAS PAAS IAAS

Private Cloud Public Cloud

9

Figure 2. A spectrum of cloud service models

•Softwareasaservice(SaaS)–Theprovideroffersfinishedapplications that are very tangible and easy to understand (e.g., email, collaboration, communication, customer relationship management). The embedded security and compliance features of the software may not be customizable. Examples include NetSuite, Microsoft Office 365, and Gmail are SaaS solutions, sometimes also called “desktop as a service.”

•Platformasaservice(PaaS)–The vendor abstracts the virtual infrastructure but gives the customer flexibility to build its own applications. Examples include Force.com, Microsoft Windows Azure, and Google App Engine.

•Infrastructure-as-a-service(IaaS)–Theenterprisepurchasesa logical infrastructure, typically preloaded with an operating system. The customer determines how to use the hardware and selects most of the security, data privacy and compliance controls. Examples include AmazonEC2,VMwarevCloud,VerizonComputingAsAService.Co-location and server hosting, both well-established outsourcing models, are similar to IaaS.5

Multi-tenancy and shared resources, two of the defining characteristics of cloud computing, can in the extreme introduce “class breaks”. A class break occurs when one breach leads to a whole new category of attacks on a range of systems.

Systems Integrator Direct Purchase

OutsourcingArrangement

In-HouseImplementation

Enterprise Acquisition Strategies

Each layer reveals new risk

Software Cloud Supplier

Platform Cloud Supplier

Infrastructure Cloud Supplier

Salesforce.com, Workday, Ariba, Google Apps

Windows Azure, VM Force, Force.com

BT, Verizon, AWS, NTT Communications

Degree of Control and Visibility

• SLA Dependence• Supplier / SW Pedigree• Compliance Traceability• Security Courses of Action

10

Figure 3. The more parties in the equation, the less visibility

Demand transparency and accountability from cloud providersCloud providers should be transparent — willing to tell customers what they do.Andtheyshouldbeaccountable–willing to take responsibility for their acts and omissions. If data owners cannot win a reasonable amount of transparency and accountability from cloud providers, they should walk away from the negotiating table.

It is not reasonable, of course, to expect cloud providers to divulge their trade secrets or compromise the security of their network. However, subject to nondisclosure agreements, when both parties are known entities, there must be sufficient disclosure to allow data owners to make meaningful risk-based judgments about how to handle their data. Lacking transparency, basic risk management methodology forces companies to assume, or at least plan for, the worst-case scenario.

For example, some cloud providers label themselves as a “Payment Card Industry-ready” or “validated as PCI Data Security Standard” compliant, implying that they adhere to 12 requirements for any business that stores, processes or transmits payment cardholder data. That does not mean an enterprise is automatically PCI-DSS-compliant if it is a tenant of that provider. The only way a customer could become automatically compliant would be if a PCI-compliant cloud provider managed all the way up the application stack. Organizations have to engage in the effort to determine any missing capability (e.g. missing documentation, private key rotation, anti-virus scanning) and then find a fix or workaround.

Cloud providers are also customers. For example, a provider of SaaS may contract with another provider for infrastructure. As customers, these providers can lack the visibility and control into the workings of other providers that would allow them to commit to a specific level of service. A combination of security reviews across the physical infrastructure, cloud management software and the application will provide the complete compliance and situational awareness picture. Figure 3 shows how both a cloud provider and a data owner have increasingly less visibility as the stack of providers deepens.

No single set of standards will be definitive. The appropriate standard is one that takes into account multiple regimes and legal requirements.

Industry Organizations Standards Bodies Standards and Specifications

Cloud Security & Data Privacy

• Cloud Security Alliance (CSA)• American Institute of Certificate Public Accountants (AICPA)• Object Management Group (OMG)• Trusted Computing Group (TCG)• PCI Security Standards Council • Distributed Management Task Force (DMTF)

• International Organization for Standardization (ISO)• National Institute of Standards and Technology (NIST)• European Telecommunications Standards Institute (ETSI)• European Network and Information Security Agency (ENISA)• Organization for the Advancement of Structured Information Standards (OASIS)

• ISO 27001/27001 Series • NIST 800-53 Special Publication • PCI-DSS • Web Services Security / SAML • Open Authentication (OAuth)• SSAE 16

Eventually, we will see a set of standard audit frameworks that can be reused across cloud providers and multiple cloud application authorizations (see Figure 4). Until then, companies should approach conversations with cloud providers as they do any other vendor conversations— from the bottom up (people, process and technology) and the top down (risk, compliance, governance). A cloud provider that has a good process will likely have a good product. It will be your responsibility as the buyer to evaluate the assurance level of a cloud provider’s claims.

As a consumer of cloud services, data owners or system integrators should ask the following questions:•Howdoestheprovider’stechnology

work, and which of their people (including subcontractors) have access to customer data?

•Whattestinghasbeencompletedto verify that service and control processes are functioning as intended and that unanticipated vulnerabilities can be identified?

•Towhatextentissecurityembeddedin the cloud solution?

•Doesthecloudproviderreservethe right to change its terms and policies at will (this right significantly magnifies data privacy and confidentiality risks)?

•Doweknowhowtosecureeach cloud service provider by incorporating security controls and risk mitigations?

•Haveweaccepted,reduced,transferred or mitigated the risks? What processes do we have in place to verify periodically that controls are functioning?

With all these outstanding questions, there needs to be a more effective way forward to achieve accountability. A key finding from our work with the World Economic Forum6 is the need for governments worldwide to adapt and harmonize regulations relevant to cloud. The aim is to improve regulatory applicability and reduce divergence across jurisdictions, while considering the maturity of the

overall industry. This would imply achieving a harmonized approach to the underlying principles that guide the regulation, which currently differamountjurisdictions–notablethrough the US’s fragmented approach to data privacy regulation and the EU’s more universal one. Minimum regulatory standards are notasolution–theyareoftennotsufficient to reduce complexity, as they do not stop countries from introducing additional provisions.

Figure 4. Relevant standards and specifications

11

The security and data privacy laws and regulations currently in force were instituted pre-cloud.

Custom

Past Future

Private Managed Hybrid Utility

Cloud

Outsourced

On-Premise

SaaS

Standardized Solutions

12

Use the cloud to solve identity and access management issuesIdentity management in the cloud matters just as much as outside the cloud: Let the good guys in and keep the bad guys out using a proven, flexible identification and authentication process. Companies want one view into users and applications, regardless of whether they reside on the cloud or on its premises.

Every time a user accesses a cloud resource, a defined interaction should analyze the trust assignments and allow appropriate access. Access control will be your first line of defence to protect your assets and resources. Remember access control is not just technical or logical (e.g. passwords, and software configurations). Access control spans administrative controls (e.g. internal policies, screening of personnel, security awareness training) and physical controls (e.g. protecting individual networks, locks and alarms on exterior doors, security guards).

Logical identity (and access) management is one of the fastest-moving areas in the cloud ecosystem, and we expect that identity will become a “service” over the next few years. In other words, identity management tasks (enrollment, provisioning, authentication, authorization, audit, single sign on, and role management and reporting) will progressively move from an

on-premise solution to a SaaS model (Figure 5). This approach will catch on fast, too: By some estimates, Identity as a Service will expand into a $700 million business by 2014.

Vendorsareresponding.Verizonhasahost of identity management offerings that are managed and cloud-friendly. For this vendor, a purchase of cloud computing services can also include a bundle of authentication and directory services. Salesforce.com is another vendor that offers improved identity management. Salesforce.com has a sophisticated roles-based access control system that manages the assignments of permissions to all objects in the application, including data and display items.

One piece of caution: Cloud data centers are alluring targets for cyber-criminals because of the concentration of data from multiple sources. Vulnerabilitiesincludeinfiltrationofsuppliers by criminals using stolen identities, insiders colluding with criminals, or brute force attacks.The concepts of authentication and identity management, should also be applied to theentiresupplychain–todetermineauthenticity of all components.

Each cloud provider will vary in terms of their level of protection against these so-called supply chain cyber-risks.

While standardization and large-scale operations help prune out errors and vulnerabilities (see the sidebar “How can a cloud provider be safer than my own data center?”), the attack surface is larger and the opportunity, motive and methods of criminals are advanced and persistent.

Companies with a high degree of data sensitivity should assess the supply chain risk if a component, business process or individual is compromised. Like any outsourcing vendor, the cloud data center itself should be evaluated in terms of vendor pedigree, the potential for counterfeits and insider threats. Some of the questions to ask include:

1. Is our supply chain geographically and geopolitically resilient to risk? Is the risk spread across an appropriate number of partners?

2. Are our contracts and relationships flexible?

3. Do our service level agreements protect our exposure?

4. Can we predict a supply chain risk event?

Figure 5. The many faces of identity and access management – from private to utility based services

13

Architect solutions that address the riskIn the near term, many enterprises will select hybrid clouds as a bridge solution waiting for the industry to mature and data privacy and compliance features to be gradually “designed into” standardized offerings. A hybrid model allows organizations to hedge their bets and keep parts of their system in house while taking advantage of running dedicated processes as cloud services.

Public cloud computing vendors have very large financial incentives to provide the data privacy and security controls that companies are requesting in order to move mission-critical applications into shared environments.

These changes will come, and very soon. One step in this direction is represented by Google Apps for Government. With this solution, agencies are assured that their supplier has passed Federal Information Security Management Act (FISMA) certification and accreditation. Google was the first vendor in the industry to complete certification and receive “an authority to operate” at the FISMA-Moderate level. This type of "communitycloud"–asdefinedbytheNational Institute of Standards and Technology–isalsoavailablefromMicrosoft for U.S. federal, state, or local governments.

Over the next several years, companies and suppliers will grow smarter about where they run applications and how they deal with security management on the cloud. As they do so, they will use the savings to invest in security architectures and innovations that add value to the business.

As an example of cloud security architecture, consider a healthcare provider that wants to secure patient-related medical data on a public cloud. The first step would be to look at whether the cloud solution can be HIPAA compliant. The company would need to get a Business Associate (BA) agreement through which the cloud provider would adhere to HIPAA security and data privacy rules.

The company would then evaluate the business and regulatory risks associated with outsourcing patient records to a third party. Finally, the solution would have to cover unambiguous requirements such as record-level logging and audit capabilities, encryption of data, and breach notification procedures/requirements for any lost or compromised data.

Even with a BA agreement, the third party could lose data. The security architecture implemented to address gaps could incorporate innovations such as:

•Applyformatpreservingdataencryption. If data is going to be processed in the cloud, it usually has to be temporarily decrypted. During this brief period of decryption, the supplier may have the technical ability to access data. By using format preserving encryption applications can continue to function even while data is in cipher text.

•Limittheinformationsenttothe cloud for processing. If the patient's name is not needed, don't send it; if zip code suffices, don't send the whole address.

•Masksensitiveinformation,ifanymust be sent. Map a 9-digit SSN to an obfuscated 15-digit number and keep a look-up table to make sure all your databases do the same conversations consistently.

•Considermultiplecloudvendors.Processing different subsets of the data in different places might provide additional data privacy in case some information is compromised. There is still an issue with having to decrypt the data when it is processed and having private decryption keys in the possession of the cloud provider.

•Applyencryptionand/ortokenizationat a proxy server, potentially using a private network or a trusted third party. These vendors create trusted communication paths and data processing centers to help customers adhere to data security and regulatory concerns of using cloud- hosted applications.

14

The fast pace of cloud maturation provides new solutions to old challenges. There are clear benefits to highly elastic, scalable, on-demand computing power and an ecosystem of providers eager to meet the needs of large enterprises. For the most part, there are no barriers to the placement of non-regulated, non-personal data onto a public cloud.

But that does not mean that companies should throw caution to the wind. Data privacy and security implications are amplified when putting regulated personal data onto the cloud. In that case, we believe that good security by itself does not satisfy regulatory obligations. And vice-versa: Rock-solid compliance activities do not ensure adequate security against a growing threat landscape. Enterprises have to determine which data and applications make the most sense for the public cloud and which require a different solution, such as a hybrid pass-through of data into the cloud for number-crunching and then back to a private data center for storage.

As with any technological solution, companies need to understand the risks associated with multi-tenancy in the cloud, develop a risk management framework for security and governing data, and then architect solutions to address the risks. Both enthusiasm and speed are warranted, but a “buyer beware” attitude is still essential.

Furthermore, companies should help create cloud ecosystems in which they would be comfortable placing their data. To do that, companies need to support and possibly join efforts to create standards immediately.

Companies considering the cloud should keep these final thoughts in mind as they move forward:

•Studydataprivacylawstoensurethat none are violated. Think twice — at least in 2011—before putting consumer data in the cloud.

•Bringtherightpeople(privacy, IT, security, corporate governance, legal) to the table when cloud decisions are being made.

•Donotallowanyadhoccloudcomputing. Require business units to follow standardized enterprise-wide rules.

•Readacloudprovider’stermsofservice, and then read them again.

Accenture is also working with cloud providers to help them understand the regulatory environment affecting their potential client base. These efforts are bearing fruit, and more cloud providers are now providing the transparency and the controls demanded by data owners.

For more information on how Accenture is helping organizations address the cloud security challenges, please visit accenture.com/security

Where We Stand

Reference1 Accenture and the World Economic Forum, “Advancing Cloud Computing: What to Do Now? Priorities for Industry and Governments”, 2011.

2 Accenture and the World Economic Forum, “Advancing Cloud Computing: What to Do Now? Priorities for Industry and Governments”, 2011.

3 Accenture and the World Economic Forum, “Exploring the Future of Cloud Computing,” November 2010.

4 Technology Business Research October 2010 Cloud Study. Forrester has identified similar trends. Jonathan Penn, “Security and the Cloud,” Forrester (October 20, 2010).

5 Kevin Fogarty, “Cloud Computing: Today’s Four Favorite Flavors, Explained,” CIO (July 8, 2010).

6 Advancing public cloud computing: What to do now? Priorities for industry and government; Part two of the 2011 World Economic Forum project.

15

Copyright © 2011 AccentureAll rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

About AccentureAccenture is a global management consulting, technology services and outsourcing company, with more than 215,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$21.6 billion for the fiscal year ended Aug. 31, 2010. Its home page is www.accenture.com.

ContactsDr. Alastair MacWillson Global Lead, Security Practice +44 20-7844-6131 alastair.macwillson@accenture.com

Walid Negm, CISSP Global Lead, Cloud Security Initiative Accenture Technology Labs +1 703-947-4614 walid.negm@accenture.com

Bojana Bellamy Director of Data privacy +44 20 7844 6879 bojana.bellamy@accenture.com

Benjamin Hayes, Esq., CIPP/G/C/IT Data privacy Compliance Lead, North America +1 703-947-2292 benjamin.hayes@accenture.com

11-1327 / 02-2578