Enabling SMEs and Public Administrations to manage risks better and more easily
The functional and economic benefits of the cloud are substantial, but security assurance and transparency remain open issues that hold back customer trust in Cloud Service Providers (CSPs). This is particularly critical for Small and Medium-sized Enterprises (SMEs) and Public Administrations (PAs), which typically are not cloud (security) experts.
Furthermore, the growing number of CSPs offering diverse cloud-enabled services (from virtual machines and storage, to containers and big data analytics services) opens up the possibility of deploying complex services and workflows leveraging the services of more than one CSP (i.e. a cloud supply chain or even a multi-cloud system). Given this complex setup, and despite the advocated advantages of the cloud, two issues arise:
- How can a (non-security expert) SME/PA meaningfully assess whether a cloud supply chain fulfils its security requirements?
- How can the sustained provision of security assurance to the SME/PA be guaranteed during the full cloud service life cycle?
A common approach among public CSPs has been the adoption of cloud-specific “security control frameworks” (e.g. the CSA Cloud Control Matrix) as a mechanism to provide customers with a reasonable degree of security assurance and transparency. Further assurance is then provided through security certifications based on those control frameworks, as in the case of the CSA Open Certification Framework. However, when implementing its security controls, the CSP can only assume the type of data a customer will generate and use; the CSP is not aware of the additional security requirements or the tailored security controls deemed necessary to protect the cloud service customer’s (CSC’s) data. Cloud service customers therefore crucially require mechanisms/tools that enable them to understand and assess what “good-enough security” means, and especially the changes in risk assessment/management that the cloud entails.
Adopting cloud-based solutions for PA and SME operations does not inherently provide the same level of security, or the same compliance with mandatory regulations or elicited requirements, that was achieved in the traditional (non-cloud) ICT model. A cloud service customer’s ability to comply with any business, regulatory, operational, or security requirements in a cloud computing environment is a direct result of the service and deployment model being adopted, the cloud architecture, and the deployment and management of the resources in the cloud environment. Therefore, it is imperative that PA/SME stakeholders at all levels of the organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks when adopting a cloud computing solution for their information systems.
For each use case of an information system for which a cloud-based solution is adopted, it is necessary for the consumer to evaluate the particular security requirements in the specific cloud architectural context, and to map them to proper security controls and practices in technical, operational, and management classes. Such a risk management approach usually requires a rich body of knowledge around general information security management practices and cloud computing characteristics, which is usually out of reach for many PAs.
In the above-mentioned cases, the philosophy behind the simplified risk-management approach, referred to as risk profiling in CloudWATCH2, is to guide non-expert users through the complexity of risk assessment activities. In doing so, some complex security matters can be simplified to the minimum necessary to achieve an acceptable (i.e. good enough) security level. This led to a step-wise approach that reveals the threat exposure/security posture of PAs and SMEs by offering customized controls for a set of assets that are common to the cloud service to be used. Elicited controls can then be tied to bilateral agreements such as Service Level Agreements (SLAs) to increase and monitor the levels of trust and transparency provided to PAs and SMEs.
How CloudWATCH2 helps - Risk-based decision making mechanisms for SMEs and Public Administrations
One of the goals of CloudWATCH2 is to provide SMEs/PAs with a simple, efficient and inexpensive approach to identifying and managing their (cloud) security risks from both the technological and the organizational perspective. The resulting simplified approach, i.e. the developed risk profile, provides small organizations and public administrations with a means to perform cloud security self-assessments.
The approach takes into account the requirements elicited from relevant state-of-the-art work, and it is instantiated on top of well-known CSA best practices, namely the Cloud Control Matrix (CCM) and the Enterprise Architecture (EA). Both CSA CCM and CSA EA are widely used industrial practices, and have been mapped to relevant standards such as NIST 800-53v4 and ISO/IEC 27002.
From the PA and SME perspective the proposed approach brings the following benefits:
- Simplicity, thanks to a guided self-assessment for PAs/SMEs willing to develop a risk profile without the need for (cloud) security expert knowledge.
- Technical and organisational focus: the proposed approach aims at guiding PAs/SMEs in the elicitation of security controls that are “good enough” for their requirements. These controls are based on the well-known CSA CCM, and cover both technical and organisational aspects of the (prospective) cloud customer.
- A repeatable process for developing and using the risk profiles, which allows PAs/SMEs to periodically re-assess their risks in order to identify opportunities for improvement.
- High automation potential for the whole process, which facilitates the development of software applications that empower PAs/SMEs in the creation and usage of risk profiles.
- Standards-based: in order to facilitate the industrial uptake of the proposed approach, CloudWATCH2 leverages well-known standards and best practices in its development. As mentioned above, the underlying CSA CCM and CSA EA are based on international standards from ISO/IEC and NIST.
- Cloud-specificity: to the best of our knowledge there are no other approaches aimed at developing cloud-specific risk profiles for PAs.
To date, CloudWATCH2 has produced an initial version of its incremental deliverable on risk profiles for SMEs/PAs, which analyses the challenges related to the specification and usage of state-of-the-art risk management frameworks. The next edition of the deliverable (July 2017) will present the results of the real-world validation of the proposed risk profiling approach, with a particular focus on its usability and automation, so that non-security expert users from European SMEs and PAs can access it.
The proposed approach consists of three incremental steps, designed to fully cover the traditional security management lifecycle (Plan-Do-Check-Act). During the first step (Security Posture Assessment) the user qualitatively assesses their security posture (i.e. obtains the resulting Impact Level) through a set of questions designed to self-direct the PA in the assessment of inherent cloud-specific risks. Afterwards, during Step 2, the obtained Impact Level (Low, Moderate or High) is used to select (i) a set of components from the cloud security enterprise architecture (CSA EA), and (ii) the corresponding CSA CCM security controls. Finally, during Step 3 the SME/PA deploys the controls and continuously monitors them through mechanisms such as cloud Service Level Agreements (SLAs).
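As an added illustration of the three steps (example code, not CloudWATCH2 project code), the following Python model reduces questionnaire answers to an Impact Level, lets that level select EA components and CCM-style controls, and then checks SLA measurements against the selected controls. The control catalogue, the EA component names, the high-water mark rule for the Impact Level and all thresholds are assumptions constructed for this example, not content of the CCM or EA.

```python
from dataclasses import dataclass

LEVELS = ["Low", "Moderate", "High"]  # Impact Levels, ordered Low < Moderate < High

@dataclass(frozen=True)
class Control:
    ccm_id: str        # control identifier in CSA CCM style; the mapping below is constructed
    ea_component: str  # hypothetical CSA EA component the control belongs to
    baseline: str      # lowest Impact Level at which the control is selected (Step 2)
    sla_metric: str    # SLA metric used to monitor the control (Step 3); higher is better
    threshold: float   # minimum acceptable value of that metric

# Constructed catalogue: baselines, EA components, metrics and thresholds are assumptions.
CATALOGUE = [
    Control("IAM-02", "SRM.IdentityManagement", "Low", "mfa_coverage_pct", 100.0),
    Control("EKM-03", "SRM.DataProtection", "Moderate", "encrypted_volume_pct", 100.0),
    Control("BCR-01", "ITOS.ServiceContinuity", "Moderate", "availability_pct", 99.9),
    Control("SEF-03", "SRM.IncidentManagement", "High", "incident_reported_in_sla_pct", 100.0),
]

def impact_level(answers: dict) -> str:
    """Step 1: answers maps each asset to a Low/Moderate/High rating per security objective.
    Assumption: the profile takes the highest rating given anywhere (high-water mark)."""
    ratings = [LEVELS.index(r) for asset in answers.values() for r in asset.values()]
    return LEVELS[max(ratings)] if ratings else "Low"

def select_controls(level: str, catalogue=CATALOGUE) -> list:
    """Step 2: keep every control whose baseline is at or below the Impact Level."""
    return [c for c in catalogue if LEVELS.index(c.baseline) <= LEVELS.index(level)]

def unmet_controls(selected: list, sla_report: dict) -> list:
    """Step 3: compare monitored SLA metrics with the thresholds of the selected controls.
    A control with no metric in the report counts as unmet: unmonitored is not assured."""
    return [c.ccm_id for c in selected
            if c.sla_metric not in sla_report or sla_report[c.sla_metric] < c.threshold]

def risk_profile(answers: dict, sla_report: dict) -> dict:
    """Run the three steps and return the profile together with the controls not yet met."""
    level = impact_level(answers)
    selected = select_controls(level)
    return {"impact_level": level,
            "ea_components": sorted({c.ea_component for c in selected}),
            "controls": [c.ccm_id for c in selected],
            "unmet": unmet_controls(selected, sla_report)}

# Constructed questionnaire answers for a small PA and a constructed SLA monitoring report.
SAMPLE_ANSWERS = {"citizen_records": {"confidentiality": "Moderate", "integrity": "Low", "availability": "Low"},
                  "public_portal": {"confidentiality": "Low", "integrity": "Moderate", "availability": "Moderate"}}
SAMPLE_REPORT = {"mfa_coverage_pct": 100.0, "encrypted_volume_pct": 80.0, "availability_pct": 99.95}
```

With the sample data the profile lands at Moderate, selects three controls, and reports EKM-03 as unmet because the encrypted-volume metric is below its threshold; a control whose metric is absent from the report is likewise flagged.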