Utilities in Canada have to do more to protect their operational data in the cloud

Who is responsible for your operational data in the cloud?

Cloud computing is causing a transformational shift in the way utilities in Canada do business, manage software, and pursue operational data security in an increasingly complex regulatory environment. Cloud computing offers multiple benefits for utilities in Canada, but it also raises many security concerns, which, if not well understood and managed by utilities, can increase fear and turn the cloud experience into an information security disaster, due to loss of visibility and control over software and operational data assets. Many utilities are taking a cautious attitude toward cloud computing because of concerns that cloud solutions might not comply with their security policies and regulatory obligations. Thus, the adoption of cloud technologies should always be subject to careful evaluation and, in particular, be aligned and integrated with risk management processes and information security governance in the utility.

In many instances, it is not clear who is responsible for data security and regulatory compliance in the cloud: the cloud service customer (utility), the cloud service provider, or both. This article is based on professional experience working with clients who are beginning the process of adopting cloud computing. It offers a practical approach and real solutions for utility leaders implementing cloud services, migrating software applications, and storing sensitive operational data in the cloud, all while seeking to satisfy regulatory requirements.

INTRODUCTION

Over the past decade, cloud computing has evolved from a new innovation to an environment that is increasingly relied upon by businesses across all industry sectors in Canada. Cloud computing brings a significant change to the traditional platforms upon which business and operational services are translated, used, and managed. Business drivers for moving to cloud computing include: optimized resource utilization, better responsiveness, a faster cycle of innovation, reduced time for implementation, increased resilience, and cost savings. However, moving to the cloud also incorporates a unique set of technical and business challenges for utilities in Canada to overcome. These challenges are commonly related to data protection, compliance management, and maintaining service level agreements (SLA). In addition, expectations must be properly set as the business adjusts to the new demands of maintaining services in the cloud. One of the main tasks for both cloud service providers (CSPs) and cloud service customers (CSCs) is to rigorously protect data while satisfying regulatory compliance. In many cases, the most valuable asset of the utility, besides its people, is its operational data. Operational data assets in the cloud are under constant threats in the form of data breaches, data corruption and destruction, temporary or permanent loss of access, and temporary or permanent loss of operational data. Any of these failure modes can cause failure to meet statutory, regulatory, or legal requirements. The most common and most critical question posed by utilities in Canada evaluating the benefits of moving sensitive operational data and operation-critical applications to the cloud is, “Who is responsible for operational data security and regulatory compliance in the cloud?”

SECURITY OF THE CLOUD VS. SECURITY IN THE CLOUD

When considering operational data assets and software applications in the cloud, utilities must understand a general concept of shared responsibility between providers (CSPs) and customers (CSCs). While CSPs manage “security of the cloud,” “security in the cloud” is the responsibility of the customers (utilities). In other words, utilities will retain control of what security they choose to implement to protect operational data and applications no differently than they would manage it with on-premise platforms and infrastructures. According to the Cloud Security Alliance (CSA), “Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties”. This means that as cloud solutions are adopted, utilities in Canada are choosing to place a great deal of trust in their CSPs. The level of trust and the degree to which control is shared or granted will depend on the cloud service model adopted: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Additionally, there are also multiple cloud deployment models to consider. According to the ISO/IEC 17788 standard and NIST definitions, there are four cloud deployment models: a private cloud, community cloud, public cloud and hybrid cloud.

If one takes into account both the characteristics of cloud service models and cloud deployment models, the utility loses more control, and eventually more of the risk is assumed by the cloud provider. In cloud computing (cloud service vs. cloud deployment models), security risk is directly proportional to the amount of control the customer organization (utility) loses over computing resources. To identify, analyze, and manage the responsibilities associated with operational data security and regulatory compliance in the cloud, utility can use the cloud responsibility matrix. This matrix can also be used to define ownership and shared responsibilities between the CSC and the CSP, and ensure both parties have a clear understanding of the implications of operational data security.

Consider the situation in which utility in Canada decides to build its own virtual network using a public cloud that includes operational data and software applications that leverage the CSP’s infrastructure (an IaaS configuration). Operational data security and governance, risk, and compliance (GRC) are the complete responsibility of the CSC (utility). The CSC (utility) is also responsible for application security, with the exception of the SaaS service model, where it may be a shared responsibility between the CSC and CSP. In the case of SaaS, one reason is that the CSP is responsible for software applications, but operational data used or generated by software applications can fall under the responsibility of the CSC. CSCs are still expected to manage operational data assets in terms of data storage, backup, data encryption, and so on. As for platform security: a) the CSC is responsible in the case of the IaaS service model; b) there is a shared responsibility in the case of the PaaS model; and c) the CSP is responsible for platform security in the case of the SaaS model. In terms of infrastructure security, the CSP has full responsibility in the cases of PaaS and SaaS service models, with the exception of the IaaS model, which can be a shared responsibility with the CSC. The CSP has ultimate responsibility for physical security for all cloud service models.

The utility possesses the legal ownership and has full control of operational data assets stored in the cloud regardless of the physical location in which they are hosted. The service provider typically is not provided with access to operational data at all. It applies to all operational data states and any phase of the operational data life cycle, from data creation to data deletion. The CSP is legally responsible to protect any hosted data assets that are owned by their customers based on SLA legally binding documents, so the CSP cannot delete, modify, copy, or even sell customer (utility) data without the customer’s knowledge.

For successful adoption of cloud computing services, utility in Canada needs assurance that its CSP is trustworthy and is taking all possible precautions to reduce vulnerabilities and protect customer data. This assurance often comes in the form of industry-recognized security certifications (for example, ISO 27001) obtained by the CSP, confirming that the provider complies with certain standards and regulations, and (when possible) providing the customer access to audit reports.

An effective and trusted cloud environment is implemented through a combination of effective risk management and compliance with regulatory requirements (including legal responsibilities and standards). Both parties (CSP and CSC) are required to satisfy legal requirements and standards, but this must be considered from two different views. From the CSP perspective, they have to satisfy the laws and regulations governing their own business, as well as the legal obligations defined by the SLA. For example, the CSP cannot make multiple copies of operational data outside of its own national borders if this is not legally permitted, and it cannot sell operational data to someone else to make a profit. On the other hand, CSCs (utilities in Canada) must satisfy regulatory requirements with regulatory bodies. In terms of standards, this is primarily related to CSPs, since they want to attract business and customers. For example, one of the basic standards that every CSP should follow is ISO 27001. However, a CSC does not need to be ISO 27001 certified. An effective, trusted cloud environment also requires operational data asset security governance, audit management, and alignment of business needs to the SLA. This alignment should be ensured by constructing a legal contract between the CSP and the CSC to capture roles, responsibilities, and service requirements.

CLOUD SECURITY GOVERNANCE, RISK, AND COMPLIANCE

Utility in Canada is responsible for establishing its own data security governance in the cloud within the context of its risk management and regulatory compliance processes. According to the National Institute of Standards and Technology (NIST), “security considerations are key to the early integration of security, and to the assurance that threats, requirements, and potential constraints in functionality and integration are considered” (NIST800-53). Information security governance processes ensure information security strategies are aligned with business objectives, consistent with applicable laws and regulations through adherence to security controls, and provide assignment of responsibility, all in an effort to manage risk in the cloud. Utilities in Canada should utilize security governance to reduce organizational risks in the areas of operational data security and regulatory compliance. And they should not stop here, because utilities have a mandate to ensure cloud providers manage their own information security governance. They must also follow applicable standards and regulations and possess recognized security certifications.

OPERATIONAL DATA SECURITY MANAGEMENT

Utility typically takes full responsibility for configuring and implementing data encryption techniques to prevent unauthorized access to its data in the cloud, and also maintains responsibility for the security of its operational data as it is being transmitted to and from the cloud. Data encryption helps utilities follow the model of the confidentiality, integrity, and availability (CIA) triad commonly applied in information security. In addition to confidentiality (the data are only available to authorized users), integrity (the data are trusted), availability (the data are available when and where needed), it protects authenticity (users can prove their identity), privacy (sensitive customer data are protected and only available for authorized users), and nonrepudiation (a trusted audit trail is maintained to ensure that users cannot deny activities related to managing data).

OPERATIONAL DATA SECURITY AND SERVICE LEVEL AGREEMENT

Regulatory controls can influence configurations for, and the selection of, an appropriate cloud computing environment. One of the utility’s requirements can be that the utility’s operational data must be stored within its own national boundaries. However, the CSP might not be able to determine exactly where the data are physically stored, particularly when redundant cloud infrastructures are implemented. The physical locations of the servers that are used to store and process customer data can become a critical contractual issue. At the very least, requirements for the physical location of the stored data must be clearly defined under the SLA. If the CSP cannot provide this information, it will sometimes be difficult for a utility to prove compliance with certain regulations.

OPERATIONAL DATA SECURITY AND RISK MANAGEMENT

One of the most critical aspects of managing risks in the cloud is to understand the nature of security threats.

As part of risk management, the utility must identify all operational data and software assets in the cloud and articulate any threats against them, and then prioritize those risks to determine what security controls must be put in place. The CSC (utility) is responsible for continuous monitoring of implemented security controls and the corresponding threats for risk management to be effectively applied. Risk management processes also allow utilities to audit security activities and have visibility over the technical details of their cloud implementations, which can ease the practices associated with regulatory compliance.

CLOUD VISIBILITY

How does the CSC (Utility in Canada) know whether the CSP is performing its job effectively?

To answer this question, the utility must have full and continual visibility of operational data and software assets in the cloud. In addition, cloud auditing should be implemented. Managing these audits is also the responsibility of the utility, and it is required for regulatory compliance. Satisfying regulatory requirements in the cloud is no different than satisfying regulatory requirements apart from the cloud. In other words, if the utility is by now not familiar with the regulatory requirements it has to satisfy, this is bad news, and it has nothing to do with clouds—it is just bad business practice and not because of cloud computing. Cloud security is paramount, and participating organizations find value in cloud visibility, cloud monitoring, and cultivating a trusted cloud environment. “Participating organizations” are defined in ISO/IEC 17788 and include the CSP, CSC, and others, such as the cloud service partner, cloud service broker, and cloud service auditor. Since this article examines these issues from the utility’s perspective, participating organizations are utilities in Canada that decide to adopt cloud computing and use some of the available cloud models for operational and business processes.

CONCLUSION

Cloud computing is primarily concerned with consolidating operational data and software resources, and in this process utilities in Canada delegate some control over those resources (and the processes and procedures that protect them) to their CSPs. Since the utility does not have physical access to the equipment that represents “its cloud,” visibility and control are commonly encountered fears for utilities as they begin to move data and software applications to the cloud. Naturally, the adoption of cloud computing services can be uncomfortable for any utility that is new to it. Effective risk management, continually monitoring and updating security controls, and developing active SLAs with CSPs and ISPs (Internet Service Providers), can help mitigate risk. At all times, the utility should attempt to avoid any dependencies on providers, and outline an exit strategy to avoid vendor lock-in and preserve the ability to move operational data assets and software applications back on-premises, if desired.

(Disclaimer: The views and opinions expressed in this article are solely my own and do not necessarily represent the views or opinions of my employer)