Cloud Risk Guidelines

Common cloud risk questions and answers you should raise with any host before you move your company to the cloud. Prevent data loss and downtime caused by issues that are not purely technical: there are far more things to consider when you entrust your infrastructure to the cloud.

General (7)

Network Breaks
Due to mis-configuration, system or OS vulnerabilities, lack of resource isolation or lack of, or a poor and untested, business continuity and disaster recovery plan.
– a redundant setup of fiber lines, upstream providers, routing and switching components mitigates loss of connectivity
– disaster recovery plans exist to quickly establish connectivity in worst case scenarios.
Network Management
This could dramatically affect network uptime, experience and service delivery.
– network management is in a separate VLAN and only reachable via dedicated out-of-band management ports
– other management services like web interfaces or telnet are disabled; only secure protocols are allowed for management access (SSH).
Modifying Network Traffic
This could affect data integrity and lead to loss and alteration of sensitive information. Eventually this will evolve into a reputational risk.
– due to VLAN separation on the uplink up to the customer infrastructure, no third party can access the communication on layer 2. Dedicated routing is available on request.
Privilege Escalation
This could lead to access to information or parts of the system normally not accessible to these users.
– Access to systems occurs only by proprietary staff. Access to systems is logged for 1 year and can be traced. All staff are contractually bound by a privacy declaration.
Social Engineering Attacks
Due to lack of security awareness, user provisioning vulnerabilities, lack of resource isolation, communication encryption vulnerabilities, and inadequate physical security procedures.
– on the application level we offer qualified third party scans that make sure that the systems are being sufficiently protected.
– our email systems incorporate spam, phishing, and virus protection for all users by default.
Loss or compromise of operational logs
Due to lack of policies or poor procedures for log collection and retention, vulnerabilities, lack of forensic readiness, system or OS vulnerabilities.
– all infrastructure systems are subject to regular controls (revision meetings) and evaluations.
– additionally, during regularly scheduled maintenance, further testing is performed and logging protocols are generated.
Loss or compromise of security logs
Due to lack of policy or poor procedures for log collection and retention, vulnerabilities, user provisioning vulnerabilities, user de-provisioning vulnerabilities, lack of forensic readiness, system or OS vulnerabilities.
– see above (revision meetings). All logging procedures are performed according to legal standards.

Risk Operation (32)

Lock-In
Risk of not being able to migrate easily from one provider to another.
– our customer systems are backed up and, upon request, system images can be made available. These images are compatible with leading hypervisor software (particularly VMware) and can be transferred to another provider if requested.
Loss of Governance
Control and influence on the cloud providers, and conflicts between customer hardening procedures and the cloud environment.
– through the use of our virtualisation technology, individual custom settings on the virtualisation layer are possible without impacting the hosts of the cloud environment, and vice versa
– it is possible to get access to the control panel for the virtualised resources (vCloud Director) and to allocate and maintain the available virtualised resources among the virtual machines that you need to operate (resource independence and control of their allocation according to current individual (dynamic) needs).
Compliance challenges (i.e. right to examine, exit clause, privacy etc.)
The risk of cloud providers that cannot provide evidence of compliance with all relevant requirements, policies, laws etc.
– our data center is in the process of ISO 27001 certification (expected by the end of the year).
– German data protection laws are among the strictest in the EU and in the world.
Loss of business reputation due to cotenant activities
Risk of malicious activities carried out by one tenant affecting the reputation of another tenant
– there are several layers to this. On the data center level, we proactively combat DDOS attempts by using automated and semi-automated checks and filtering methods, including remote trigger black holing in cooperation with our carriers, so that malicious traffic does not even reach the data center
– the cloud environment separates customers by using separate VLANs; this network separation does not allow other users to affect one’s own environment.
– additionally, upon request, private cloud environments can be established that host the VM on dedicated hardware systems, which are not shared with other customers.
Cloud service termination or failure
The risk of providers going out of business. The risk of unclear data ownership.
– German data protection law has very clear regulation managing data ownership. The customer is the exclusive owner of data.
– Out of business risk does not affect data ownership, and any insolvency administrator is bound by law to hand over the data to the legitimate owner upon termination of operation
Cloud provider acquisition
Acquisition of the cloud provider could increase the likelihood of a strategic shift and may put non-binding agreements at risk.
– this can be contractually managed: the customer can be granted a right to early contract termination in case of change of ownership
– specific needs of the customer that may not be changed in case of ownership change can be explicitly written into the contract
Supply chain failure
A cloud provider can outsource certain specialized tasks of its ‘production’ chain to third parties. The risk of non-compliance of those subcontractors.
– access to the systems is performed by our own staff. Subcontractors submit themselves to the same privacy and liability rules as our own staff and thereby cannot be differentiated from our own staff in terms of reliability
Changing regulations
The risk of changes in laws and regulations could impact the requirements for both the financial institution and the cloud provider. Changes in regulations could also impact the risks for the Outsourcer.
– the legal framework of the Federal Republic of Germany is among the most stable and trustworthy in the world.
Insufficient skills and knowledge to identify risks related to Outsourcing / Cloud computing
If the financial institution has insufficient knowledge to identify the risks involved or to assess the operational effectiveness of the controls at the Cloud SP, outsourcing is not allowed. Monitoring outsourcing requires specific skills and knowledge.
– we can provide assistance where there are questions about the nature of outsourcing. It has been our experience, and it is generally recognised in the market, that outsourcing can mitigate serious risks and save considerable amounts of money through fewer expenses due to: economy of scale, infrastructure redundancy (e.g. UPS, diesel generator, use of alternative carriers that are bundled into one reliable network backbone, etc.)
Resource exhaustion; under or over provisioning
There is a level of calculated risk in allocating all the resources of a cloud service, because resources are allocated according to statistical projections.
– our cloud platform is fully monitored 24/7, including long-term measurement of the system resources used, as well as performance and user behaviour. Therefore a customer-transparent resource management is possible.
Isolation Failure
This class of risks includes the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure.
– as previously mentioned, through the use of private cloud (dedicated systems) these aspects can be further protected.
– since we are also the operator of the data center, there is additional security and protection.
Cloud provider malicious insider – abuse of high privilege roles
The malicious activities of an insider could potentially have an impact on: the confidentiality, integrity and availability of all kinds of data, IP, all kinds of services and therefore indirectly on the organization’s reputation, customer trust and the experiences of employees.
– the 4-eye principle is applied (two different people have access on critical system interventions).
– access (physical and virtual) is logged via personalised entrance tokens (for physical access) and personalised certificates (access to systems is restricted only through personalised means, so that changes can be traced)
Management interface compromise
The customer management interfaces of public cloud providers are Internet accessible and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk especially when combined with remote access and web browser vulnerabilities.
– our management interface is accessible only through encrypted channels.
– all externally available services of critical importance are regularly tested via a qualified external security scanning (Qualys).
Intercepting data in transit
Sniffing, spoofing, man-in-the-middle attacks, side channel and replay attacks should be considered as possible threat sources.
– for maximal protection, our communication uses encryption and hashing mechanisms against spoofing etc.
Data leakage on up / download, intra-cloud
Data leakage from inside or outside the cloud provider is a major reputational risk for the financial institution. The contract must contain a section in which the financial institution is informed by the cloud provider in case of any relevant data leakage.
– the contract can be designed to accommodate these concerns
Insecure or ineffective deletion of data
The risk of data being available beyond the lifetime specified in the security policy (i.e. not wiped/deleted securely enough).
– the data are being held in accordance with the strict rules of German legislation.
– all data is destroyed after the business relationship has been terminated, according to the strict German data protection laws and appropriate methods in adherence thereof.
DDOS (Distributed Denial of Service) attacks
Could lead to: unavailability, identity theft, integrity failures etc. The contract should contain a section in which the financial institution is informed in case of a DDOS.
– we usually include such requirements in an appropriate section that concerns information management.
– this clause can be included to be an obligation of Hostway
EDOS (Economic Denial of Sustainability)
Like DDOS (Distributed Denial of Service) attacks, but with the effect that the cloud customer goes bankrupt or is stolen from.
– user access management can be restricted accordingly, as needed
Loss of Encryption Keys
Loss or disclosure of secret keys (SSL, file encryption, customer private keys, etc.) or passwords to malicious parties, the loss or corruption of those keys, or their unauthorized use for authentication and non-repudiation (digital signature).
– in a case of key loss without third party involvement, this data is replaced in a customer-transparent manner. In case of loss due to intervention of a third party, a lawsuit has to be filed in accordance with legal standards. Replacement always takes place in a customer-transparent manner.
Undertaking of malicious probes or scans
Information is collected in the context of a hacking attempt. A possible impact could be a loss of confidentiality, integrity and availability of service and data.
– logging can be activated and performed as required from a protection standpoint, within the legal frame of possibilities.
Compromise service engine
Risk of compromise of the highly specialized platform: the service engine that is located above the physical hardware resources and manages customer resources.
As mentioned above:
– a private cloud is possible.
– cloud provider and data center operator are the same entity (we operate our own data center).
Conflicts between customer hardening procedures and cloud environment
Risk of not being able to comply with the hardening procedures of the client, as well as differences between or unclear segregation of responsibilities.
– these hardening requirements can be evaluated beforehand, so as to exclude the possibility of such conflict
Right to audit for supervisors
Risk of not being compliant with regulation. In the contract the right to examine/audit must be granted without any limitations to this right. The right also applies for sub-contractors in the chain. If there is an adjustment (new sub-contractor) in the chain, the institution needs to be informed.
– we are adhering to the law of Germany
– data center is being audited and certified according to ISO27001
– additional audits are also possible, if required. Same standards apply to CAT Data Center Bangkok
Subpoena and e-Discovery
The risk of disclosure of centralized storage as well as shared physical hardware, to unwanted parties.
– as previously mentioned, through the use of private cloud (dedicated systems) these aspects can be further protected.
– since we are also the operator of the data center, there is additional security and protection. Same standards apply to CAT Data Center Bangkok
Where is the data
It should be clear where data is stored. This applies also for backup data in a vault location and replicated data in a secondary or third datacenter. Also TMB needs to know whether the data is traveling between data centers or if the data stays in one datacenter.
– there are several options. Since we operate two different data centers on the business park, we are able to provide additional security by backing up in an entirely different data center, rather than just a separate location within the same data center. Same standards apply to CAT Data Center Bangkok. For all Cloud services provided in Thailand the data storage is initially in Thailand. Only on specific customer request will data be stored outside of Thailand.
Risk from changes of jurisdiction
Change in location of data could lead to different jurisdiction, laws and regulations.
The Customer Data in Thailand are only stored in Thailand and the Thai laws apply. Only on customer request will data be stored in our German Data Center and the laws of the Federal Republic of Germany apply.
Data protection risks
The risk of not being able to validate if data is handled in a lawful way. Compliance to regulations like privacy laws, as well as encryption standards apply.
Our infrastructure in Germany and Thailand is reviewed and checked in regularly scheduled IT revision meetings with team leads, IT-security staff and support technicians. We are subject to regular revisions by third-party auditors.
Specific local data privacy
The risk that other law and regulations apply at the location where the datacenter is situated compared to where the contract party is situated;
For the Data Center in Germany only the law of the Federal Republic of Germany and the European Union apply. For the Data Center in Thailand only the law of the Kingdom of Thailand applies.
Risk of conflicting regulations
Laws and regulations do change on a regular basis. The risk exists that the cloud provider cannot comply with both regulations.
– our data center is in the process of ISO 27001 certification (expected by the end of the year).
– German data protection laws are among the strictest in the EU and in the world.
In Thailand the CAT Data Center in Bangkok is ISO 27001 certified and complies with all laws and regulations in Thailand.
Exit clause in contract
The contract must contain an exit clause. The exit clause should contain, for instance, the way data is treated after termination of the contract, timelines, migration assistance, etc.
– this can be provided, as needed
Licensing risks
Licensing conditions, such as per-seat agreements, and online licensing checks may become unworkable in a cloud environment.
– the most efficient licensing method is discussed with the customer depending on the actual need. Linux / open source products are not subject to that problem. Windows licensing occurs centrally in the context of SPLA (monthly licensing fees apply according to certain criteria, such as physical or virtual CPUs). We will work with the customer to find the most efficient and cost-effective licensing option.
Certify SAS 780 type 2 or SOC Report
The report must explain not only application but also platform and data centre controls, i.e. how to prevent access to TMB bank’s data. If available, please present the service audit report. These could be SOC 1 (financial statement), SOC 2 (Service Organization Control including control effectiveness), or SOC 3 (summary on statement of control at the service organization related to operations and compliance).
– our own proprietary ISO27001 audit is planned in two steps in July and September 2015. We can provide the relevant data from the audit reports.
– Also, financial data (balance sheet) are public and can be provided at your request.
– security guidelines and other related documents can be made available upon request