Microsoft Cloud Security for Government Compliance

For a Information Security Logo company, In-De...

Image via Wikipedia

Governments are one of the largest potential adopters of Cloud Computing, and equally have the most demanding requirements for the levels of security and data privacy it must offer.

They’re mandated by policy to ensure the confidentiality, integrity and availability of the data they store, and so it’s no wonder they would be cautious to move it out of the data-centres they directly control.

Pioneering agencies are starting to do so, and so by reviewing what procedures they are using to do this safely, in conjunction with reviews of the best practices developed by the operators themselves notably Microsoft and their Azure service, organizations can develop their own frameworks to meet these needs.

This analysis shows the following main areas of work:

  • Organizational maturity
  • Cloud Security technologies
  • Compliance best practices
  • SDLC process

By repeating these same structures organizations can ensure their software developers build hardened applications suitable for safe deployment to Cloud environments..

Microsoft Security and the Cloud Security Alliance

Microsoft runs a number of very large online properties (Windows Live, Hotmail, Bing etc.) as well as their Azure Cloud environment.

They have documented the strategy for this scale of operation including security into the white paper ‘Microsoft Compliance Framework for Online Services‘ (47-page PDF), where they describe how they adopted best practices from a variety of governance areas including Information Security, Asset Management, Human Resources Security, Physical Security, Access Control, and Incident Management processes.

This has enabled them to run their operations to a level compliant with key standards such as ISO27002, and achieving this goal via the same type of framework is the principle purpose of the Cloud Security Alliance (CSA). They offer a full Cloud security maturity model which unites a number of existing best practices like ISO27002 and the NIST series, and applies them to Cloud service provider scenarios.

Their body of knowledge brings together processes in areas such as enterprise risk management with technical design best practices for ensuring data privacy within ‘multi-tenant’ software environments, such that an organization can advance their overall Information Security maturity, in the same manner as Microsoft.

Cloud Security technologies

Specifically for MS Azure, this dictates a new heightened level of security that applications require when operating in a multi-tenant environment.

Azure caters for this through providing a hosting environment of high-powered load-balancing infrastructure configured such that it protects against threats like spoofing and denial of service attacks. The network and Virtual Machine environment are all configured so that there is complete isolation between different customer systems, and the Windows Azure SDK extends the core .NET libraries to allow developers to integrate the .NET Cryptographic Service Providers to further encrypt data.

It also builds in the most advanced capabilities for identity and access management, what is known as a ‘claims-based’ authentication system. Applications targeting Windows Azure can take advantage of the same developer tools, identity management features and services that are available to their on-premise counterparts, most notably the Windows Identity Foundation and Active Directory Federation Services 2.0, and deploy these through the Azure AppFabric Access Control.

Early government pioneers of this ‘claims-based identity’ approach include the province of British Columbia, adopting it for their BCeID scheme.

Compliance best practices

Ultimately these procedures and technologies are so that compliance of the environment can be assured, and there are best practice frameworks that can be used to assess for this.

For example the following are just a few individual elements from the recent Cloud Management Standards published by the DMTF :

Cloud service providers should utilize encryption and key management technologies in line with government standards.

Encryption and key management should be able to handle data isolation for multi-tenant storage and seperation of customer data from operational data of the service provider.

Data retention and secure destruction capabilities should be provided.

The cloud service provider should provide customer transparency regarding how data integrity is maintained throughout the lifecycle of the data.

The same principles are reflected in the real-world adoption by leading government agencies. For example the state of Michigan in the USA documents their practices in this Cloud Computing strategy document (20-page PDF) where they also define a requirement for this compliance, and also how to achieve it.

It includes a model contract that specifies the goals for how Cloud service providers should configure their environments so as to be compliant with the unique requirements of Government, starting with the key point:

There are no unique legal issues or constraints for cloud computing that are not present in other third-party hosting agreements. A template contract for both third-party hosting and cloud-sourcing contracts helps shape negotiations and ensure best practices are included from the outset.

From there it stipulates a number of other key terms to ensure this compliance:

  • Guarantee that Michigan will continue to own and control all access their data, and will surrender and purge on demand
  • Ensure that data is replicated to other data-centre locations
  • Auditable records of all data access events
  • Compliance with Michigan Identity and Access Management (IdAM) standards
  • SLAs: Define incident response metrics, MTTR with penalties etc.
  • Stipulate that all provider contracts including telecom providers, are enforceable under US law, ideally Michigan law
  • Define protocols for how to handle FOIA or e-discovery requests

SDLC process: Privacy by Design

In addition to these xx for the operations of the environment, there are also practices for the phases that lead up to the deployment, with the special needs of Cloud computing highlighted by Microsoft:

“when it comes to cloud-based solutions, it is more important for software designers and developers to anticipate threats at design time than is the case with traditional boxed-product software deployed on servers in a corporate datacenter.”

For this purpose they employ the use of their ‘SDL’ – Security Development Lifecycle. This builds in a number of rigorous checks into an organizations software development process to ensure the required level of security is achieved prior to deployment to the Cloud.

For Governments this can be combined with their own specific compliance checks intended for the same phase. For example in Canada Ann Cavoukian, the current Privacy Commissioner for Ontario has developed the Privacy by Design methodology to ensure compliance with the stringent data privacy laws, and has adapted this specifically for Cloud Computing through the Privacy by Design Cloud Computing Architecture (26-page PDF) document.

This provides a base reference for how to combine traditional PIAs (Privacy Impact Assessments) with Cloud Computing. Ann comments:

“organizations must rethink their established software development, validation, certification and accreditation processes in response to the need to push or pull applications in the Cloud. They may thus need to re-design their SDLC (Software Development Life Cycle) to build Privacy in.

The state of Michigan has combined all of these types of elements into a simple decision process structure so that project managers can carefully select the right type of Cloud computing service based on these factors.

They have established a MiCloud Delivery Method Decision Tree process where projects can be assessed for criteria like business criticality, security and privacy requirements, and then mapped on to a tiered service catalogue made up of internal government cloud (on-premises), external government cloud (off-premises, cross-boundary partners), external commercial cloud (off-premises vendors) and hybrid cloud (any combination) service options.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: