You can't secure what you don't know you're using, including cloud computing services.
"Simply and frankly stated, if you do not know what IT systems, products and services you have, you do not know what you need to defend or how to defend it," says David McClure, chief strategist at cybersecurity adviser Veris Group, who led efforts to develop the U.S. government initiative to vet cloud providers known as FedRAMP.
Accurately tracking IT inventory is a problem facing many enterprises in and out of government, including the U.S. Department of Defense, which the DoD inspector general, in a recent report, contends doesn't maintain a complete inventory of contracted cloud services.
"Without accurate and complete inventories of cloud computing systems, [DoD] agencies did not know the extent to which their data resided outside their information system boundaries and were, therefore, subject to the inherent risks of cloud systems," Carol Gorman, DoD assistant inspector general, readiness and cyber operations, writes in an audit issued late last month titled: DoD Needs an Effective Process to Identify Cloud Computing Service Contracts. "Unless DoD components accurately classify their information systems as using cloud computing services, [the] DoD CIO will not be aware what security risks are specific to those services."
Identifying Third-Party Providers
McClure says it's critical to identify users, administrators and organizations - as well as services, applications, interfaces and networks - that have access to data and systems in order to understand security weaknesses and vulnerabilities in any IT architecture, but especially those hosted by third parties, such as cloud service providers.
"Inventories point to control points both inside and outside your organization," McClure says. "IT security services build from the asset layer to systems view, and both assets - hardware and software - and systems can be managed or hosted by a third party."
Cloud services also can be bought outside the view of central IT, leaving no one clearly responsible for inventorying them. "The decentralized procurement model of cloud creates situations where individuals and business units may use a cloud service outside of the purview of the central IT organization," says Jim Reavis, CEO of the Cloud Security Alliance, a not-for-profit that promotes use of cloud security best practices.
Treating cloud as purely a technology choice, rather than a business decision, also can leave contracts unrecorded. "Organizations fail to inventory their cloud services and other cloud-accessible devices because they fail to appreciate that cloud computing is not a technology decision," says Kevin Jackson, founder of the cloud computing consultancy GovCloud Network. "This is a business-mission process decision that needs to be done in concert with the business-mission owners."
Loss of Situational Awareness
Changes in personnel also can result in organizations losing track of their cloud assets. "When responsible officials and staff leave an organization, it often causes a loss of situational awareness, including that of contracts," McClure says.
An enterprise's culture also could play a role in the failure to inventory cloud contracts.
"IT inventories and asset management are often viewed as bean counting 'gotchas' with no known purpose or value-add to managers and executives, other than revealing cost control problems, management weaknesses or unknown cyber vulnerabilities," McClure says. "The government culture encourages under-reporting in order for executives to look their best."
In addition, he says, confusion often exists over accountability or ownership of maintaining cloud services contracts. "Who owns services, products and devices and who has administration responsibilities for them - these are two very different questions," McClure says.
At the DoD, the OIG's Gorman recommended that the department's CIO issue guidance establishing a standard, departmentwide cloud computing definition or clarify the National Institute of Standards and Technology definition to consistently identify DoD units' cloud computing service contracts.
DoD Responds to Recommendations
DoD Deputy Principal CIO David De Vries, responding to Gorman, says DoD's CIO published in early 2015 a departmental cloud computing security requirements guide, which established a standard definition of cloud as well as requirements and processes for cloud computing security risk assessment. But Gorman contends the publication neither establishes standards nor clarifies the NIST definition or characteristics of cloud computing services. The differences between DoD and the IG on the matter have yet to be resolved.
Organizations struggling with inventorying cloud services should find ways to do so without being overburdened, McClure says. "It is not hopeless but requires disciplined and relentless attention," he says.
The first step: changing the culture to one where transparency and accuracy are rewarded, not just expected. "The locations and contacts of the third parties providing such services should be built into any high-level architectural explanation of IT to upper management in order to identify the scope of services provided as well as internal security plans and risk management strategies to manage those services," McClure says.