By: Heather Fiebing and Sarah Wolfe, through support provided by the SPAWAR Office of Polar Programs, are the Information Security Lead and the Polar Contract Program Manager for the NSF Division of Polar Programs
(See: Information Security and Risk Management Program for Arctic Sciences in Witness, Fall 2012.)*

Sarah Wolfe, through support provided by the SPAWAR Office of Polar Programs, is the Polar Contract Program Manager for the NSF Division of Polar Programs, Photo courtesy of Heather Fiebing.

Heather Fiebing, through support provided by the SPAWAR Office of Polar Programs, is the Information Security Lead for the NSF Division of Polar Programs Arctic Sciences Section, Photo courtesy of Andrew Archer.

Cloud computing—using a set of hardware, networks, storage, services, and interfaces that combine to deliver data storage and management over the internet—presents a paradigm shift in how we think about information technology (IT) services, solutions, and risks. The Space and Naval Warfare Systems Command (SPAWAR, security arm of the U.S. Navy) is working with the NSF Arctic Sciences Section Information Security and Risk Management Program to help protect the confidentiality, integrity, and availability of information supporting and generated by the Arctic research community.

Aside from the technology considerations, cloud services require thorough evaluation of business and contracting options to determine the best fit for your needs. The Information Security and Risk Management Program offers the following advice.

Step 1: Have your own house in order

  • Document requirements: Clearly define what you require from a cloud solution and why the cloud is the best approach to addressing your needs. How will the system be used, what information will be stored, who will be using it, and how will the data and services be managed?
  • Understand the data. Know what information you'll be sending to the cloud and how that information should be protected. Evaluate the potential outcomes of lost, deleted, stolen, or misused data.
  • Recognize that the responsibility is ultimately yours. Even with a thorough contract and service level agreement (SLA), the integrity, confidentiality, and availability of information is ultimately your responsibility, so always have a backup plan.
  • Protect information in transit and at rest. All information should be encrypted when transmitted via the internet, including when traveling to and from the cloud. Be sure the cloud service provides a secure mechanism for transmitting information. Additionally, encrypt individual files stored in the cloud that require privacy and confidentiality.

Step 2: Select a cloud deployment model and service

Deployment Models:

  • Private: For use by a single organization.
  • Public: For use by the general public.
  • Community: For use by a specific community of organizations with a shared purpose.
  • Hybrid: A composition of two or more models (public, private, community).

Cloud Services and Responsibilities:

  • Infrastructure as a Service (IaaS) - Provider is responsible for the cloud infrastructure. Customer is responsible for all aspects of system and application management and security.
  • Platform as a Service (PaaS) - Provider is responsible for the cloud infrastructure. Provider and customer are responsible for different aspects of system and application management and security depending on the service.
  • Software as a Service (SaaS) - Provider is responsible for the cloud infrastructure, systems, and hosted applications. Customer is only responsible for limited, application-level preference configurations and administrative settings.

Step 3: Review agreements and contract

Every cloud service provider requires end user agreements and terms of use, and every customer should require their provider to adhere to an SLA. The SLA should define performance expectations, how performance will be measured (response time, resolution/mitigation time, availability, etc.), and what enforcement mechanisms will ensure the SLA is met (timely notification of a failure to meet a requirement, and evidence that problems have been resolved or mitigated). Usually providers have an SLA that covers services rendered for all customers rather than agreeing to a unique SLA for each customer they serve. Therefore you should review SLAs from numerous providers to identify the level of service your solution requires. Other details to consider:

  • Defined delineation between the responsibilities of the customer and provider.
  • Agreed upon standards for cloud service procurements and performance.
  • Requirements for provider responsibilities to maintain the security and integrity of data.
  • If managing privacy data, identify potential privacy risks and responsibilities. How and when will you be notified in the case of a suspected breach of confidentiality?
  • If the provider outsources some services to a third party, protections should be equally strong regardless of who is providing the service.
  • How data is handled in the cloud environment when deleted/removed by the customer. Are there any restrictions for how customers remove data and files from the cloud ?
  • Conditions for canceling services and switching providers. Ensure the provider agrees to delete all of your data from their environment if services are canceled.
  • By default most SLAs do not address penalties if the agreement is not met. Ensure the service provider agrees to an appropriate consequence in the case of a failure to provide services.

Step 4: Review provider ability to provide services

  • Research the ability of the service provider to meet your expectation for services. Request details from the provider on the size and capabilities of their infrastructure and storage capacity, and the method they use to determine the amount of resources to dedicate to individual customers.
  • The provider suite of services should include a clear plan for business continuity and disaster recovery. Be sure to understand the scenarios this plan applies to, the roles and responsibilities of the provider and customer, and the mechanisms the provider uses to respond to and recover from a disaster.
  • Research the history, financials, and quality of provider services. Request references and perform internet searches to inquire with other customers. Also inquire if the provider undergoes independent audits and is willing to provide audit results to customers.
  • Where will your data reside? How do they respond to government inquiries for information on customers? How do they respond to complaints regarding their services?

For further information, please contact Heather Fiebing (fiebing_heather [at] bah.com) or Sarah Wolfe (wolfe_sarah [at] bah.com).