Comment: Enterprise-Class Security for the Legal Cloud
Zapproved’s chief technology officer Lee Harding outlines three key concepts that corporate legal teams can use to ensure data security in third-party environments
The days of corporate resistance to the cloud are over. In fact, 95 percent of businesses are using cloud technology, according to the RightScale 2016 State of the Cloud Report which surveyed 1,060 IT professionals about their current cloud computing adoption plans. But at the same time headlines about the latest corporate or government security breach document the escalating risk we all face. Although it’s tempting to envision a world where all of our data is safely stored away — kept in a deep dark vault behind lock and key — we must acknowledge that in today’s interconnected world, access to our data is truly mobile and global, which means new considerations for keeping data secure.
A rising percentage of the IT department’s budget is going to security-related expenditures, yet it isn’t clear that the spending is delivering more effective protection. Corporate legal teams typically handle the most sensitive corporate information, and the loss or exposure of this data may be crippling to the business.
As enterprise workloads shift to the cloud, and legal departments rely on third parties such as law firms and vendors, it’s critical to ensure that those third parties, and the technology they use, also exercise the appropriate degree of care when handling and storing information.
In order for security to be effective, it requires technology and controls that reach every person and system with access to the data. This is a daunting task, in particular because the definition of “sufficient” security is a moving target. How do customers know if a vendor actually does business according to their declared practices? What should those cloud security practices be, and what creates the greatest risk when it comes to cybersecurity for most organizations? This article addresses three key security concepts that corporate legal teams should keep in mind as they evaluate the cloud security practices of their service and application providers.
Concept 1: Security Is a Shared Responsibility
Any system or person involved in the use or review of protected data is a potential source of information leakage. A vulnerability is possible at any point across the entire information supply chain. Draw on your existing supply chain management best practices, such as collaboration. Sharing information amongst all members of the ecosystem, including vendors and customers, is vital to success. Policies and practices that transparently weigh productivity and value in tandem with security and risk, across employees, contractors, application providers and infrastructure providers, combine to protect information from unauthorized access, loss or inaccessibility.
Application Provider Responsibility
Application software providers are responsible for ensuring the secure development and operation of their systems. Applications should make accessing information easy and acting on that information highly efficient. Application providers must also ensure strong data protection both horizontally and vertically. Horizontal protection means each organization can access only its own data and no other organization’s. Vertical protection refers to controlling data access by the application provider and the infrastructure provider themselves.
Customers/Users are responsible for assigning access that allows for effective use while protecting their information from unreasonable access and risk. Companies must determine their requirements for the kinds of information that are appropriate to transfer to cloud systems.
Infrastructure Provider Responsibility
Infrastructure providers such as Amazon Web Services (AWS) play an important role as well. Cloud applications are created from the tools and services implemented by infrastructure providers. When well implemented, these services provide the underlying features necessary to deliver data isolation and consistent availability, while protecting from corruption. Infrastructure services and applications operate in concert with one another, supporting a secure environment providing “trace-to-the-individual” logging for end-users and operators.
Concept 2: Software That’s Secure by Design
Modern software designers understand that applications operate in a world of continuous threat and should be designed with security as a core consideration. This means that systems must be in place to minimize the impact of any single vulnerability, so that the overall system integrity can be ensured. Following are some key concepts that corporate legal teams should keep in mind when evaluating their systems for cloud security.
Least Privilege Access
The concept of least privilege, originally put forth by Jerome Saltzer and Michael Schroeder in 1975, is that every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. This concept is important in the design of an application’s functionality and security as well as in its operation, extending from user access, to application processes, to infrastructure processes. Each entity in the information security chain should abide by this principle, limiting risk and raising standards. For example, an infrastructure provider should not have logical access to the code and data contained in its system.
Uniform, ubiquitous and granular logging is core to modern cybersecurity and illustrates how modern cloud enterprise software has distinct advantages over on-premises systems. This type of logging records every activity in the software as a time-stamped event traceable back to the individual user or operator, ensuring that they are in the right role and have an approved reason to perform an action.
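The three controls just described, horizontal tenant isolation (Concept 1), least-privilege roles and trace-to-the-individual logging, fit together naturally in one authorization layer. The following is an added illustration written for this article, not Zapproved’s code or any real product’s; the tenants, users, roles, documents and reasons are all constructed for the example. It shows a document store that checks the caller’s role before touching data, treats a document owned by another tenant exactly like a nonexistent one, and writes every decision (allowed or denied) to an append-only audit log keyed to the individual user and the reason they gave.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Least privilege: each role gets only the actions its job requires.
# Roles and actions are constructed for this example.
ROLE_PERMISSIONS = {
    "reviewer": {"read"},
    "case_manager": {"read", "hold", "release"},
    "admin": {"read", "hold", "release", "delete", "export"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated individual making a request (e.g. identity from SSO)."""
    user_id: str
    tenant_id: str
    role: str


@dataclass
class Document:
    doc_id: str
    tenant_id: str   # owning organization; the basis for horizontal isolation
    content: str


class AccessDenied(Exception):
    pass


class DocumentStore:
    def __init__(self):
        self._docs = {}
        self.audit_log = []   # append-only; every decision lands here

    def add(self, doc):
        self._docs[doc.doc_id] = doc

    def _audit(self, principal, action, doc_id, outcome, reason, detail):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": principal.user_id,
            "tenant_id": principal.tenant_id,
            "role": principal.role,
            "action": action,
            "doc_id": doc_id,
            "reason": reason,
            "outcome": outcome,
            "detail": detail,
        })

    def act(self, principal, action, doc_id, reason):
        """Authorize and perform one action; every path is logged."""
        # Require a stated reason so the log shows why, not just who and what.
        if not reason:
            self._audit(principal, action, doc_id, "denied", reason, "missing reason")
            raise AccessDenied("a reason is required for every action")
        # Least privilege: check the role before touching any data.
        if action not in ROLE_PERMISSIONS.get(principal.role, set()):
            self._audit(principal, action, doc_id, "denied", reason, "role lacks permission")
            raise AccessDenied("role lacks permission")
        # Horizontal isolation: a document owned by another tenant is reported
        # exactly like a nonexistent one, so a caller learns nothing about it.
        doc = self._docs.get(doc_id)
        if doc is None or doc.tenant_id != principal.tenant_id:
            self._audit(principal, action, doc_id, "denied", reason, "not found or foreign tenant")
            raise AccessDenied("document not found")
        self._audit(principal, action, doc_id, "allowed", reason, "")
        if action == "read":
            return doc.content
        if action == "delete":
            del self._docs[doc_id]
        return f"{action} applied to {doc_id}"

    def events_for_user(self, user_id):
        """Trace-to-the-individual: everything one person did or attempted."""
        return [e for e in self.audit_log if e["user_id"] == user_id]


def build_sample_store():
    """Constructed sample data: two tenants, one document each."""
    store = DocumentStore()
    store.add(Document("doc-1", "acme", "Acme contract draft"))
    store.add(Document("doc-2", "globex", "Globex board minutes"))
    return store


def run_demo():
    """Exercise the checks; returns (outcomes, audit log) for inspection."""
    store = build_sample_store()
    alice = Principal("alice@acme.example", "acme", "reviewer")
    mallory = Principal("mallory@globex.example", "globex", "reviewer")
    results = []
    for who, action, doc_id in [(alice, "read", "doc-1"),      # own tenant, permitted action
                                (mallory, "read", "doc-1"),    # other tenant's document
                                (alice, "delete", "doc-1")]:   # action outside the role
        try:
            results.append(store.act(who, action, doc_id, "matter 42 review"))
        except AccessDenied as exc:
            results.append(f"denied: {exc}")
    return results, store.audit_log


if __name__ == "__main__":
    outcomes, log = run_demo()
    for line in outcomes:
        print(line)
    for e in log:
        print(e["ts"], e["user_id"], e["role"], e["action"], e["doc_id"], e["outcome"], e["detail"])
```

Two design points are worth noting when evaluating a real product against this pattern. First, the role check runs before any data lookup, so a caller without the right to an action never causes a record to be touched at all. Second, the denial message for a foreign tenant’s document is identical to the one for a document that does not exist, while the audit log keeps the precise reason; the reviewer reading the log can distinguish the two, the caller cannot.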
Data must be encrypted at rest and in transit. For data at rest, secure it with encryption and role-controlled access management, with rotating keys and audit logs, so that only people who should have access to the data actually have it. For data in transit, use Transport Layer Security (TLS) to encrypt data as it moves across the network.
User authentication is how corporations continuously manage employee access to the myriad enterprise systems. Single Sign-On (SSO) is a form of “edit once, change everywhere” that allows employee access controls to be defined centrally, providing authentication to external services. SSO greatly simplifies managing employee access permissions as roles change. It also allows for uniform implementation of policy controls such as password strength, multi-factor authentication, hours-of-use or location-based restrictions.
Concept 3: Trust But Verify
The large-scale breaches that dominate the news and originate as a result of attackers targeting third-party weaknesses will continue until the C-suite starts taking the risk more seriously. According to a recent Tone at the Top and Third Party Risk study of over 600 risk management executives, only 27 percent of respondents say preventing cyber attacks is a top objective for the organization. In fact, according to the same study, only about 30 percent of organizations assess security controls of business partners, vendors, and other third parties. While trust in the shared responsibility security approach is necessary, blind trust can leave a hole in security defenses.
Third-party audits such as a SOC 2 Type 2 report are a reliable way to establish the actual practices of vendors and to confirm their consistent implementation of security practices. SOC 2 audits are conducted by an independent Certified Public Accountant who audits the controls relevant to the security principle under the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria. Requiring audits or penetration testing to demonstrate processes and security defenses is an appropriate contract stipulation for any third-party vendor.
Value Principles Above Standards
Alignment between all parties regarding security operating principles helps establish the foundation and reasoning to evaluate that a system is protected, both logically and physically, against unauthorized access. Abiding by a framework of principles gives organizations the flexibility to protect against new threats via cooperative security management by customer, application and infrastructure providers. Of primary concern is having well documented principles regarding how an organization oversees: hiring and personnel management, physical security, network and systems management, data isolation, application development, business continuity and disaster recovery.
Commitment to continuous improvement
Security threats are continuously evolving as new vulnerabilities are discovered and new exploits created. The consequences of not managing third-party risk can be costly. In order to provide continuous protection, security practices must also continuously evolve and improve. A commitment to quickly adapt must be shared between all parties — providers and consumers. According to the 2016 SANS Institute IT Spending Trends Survey, only 22 percent benchmark their security effectiveness — representing an important opportunity to improve security measures. Security measures can’t be static. No point-in-time standard will remain relevant going forward, which points to the high value of the continuous deployment model of software-as-a-service, which allows infrastructure providers and application providers to act in real time — resolving threats as they are identified.
As the world becomes more interconnected, and access to our data is mobile and global, we all have a responsibility for keeping data secure. Effective security practices require a collaboration with the information ecosystem and technology and controls that reach every person and system with access to the data. Corporations should incorporate the security concepts of shared responsibility, secure by design and trust but verify to ensure their cloud data security.