Guidance on the Security of Cloud Services

This is a guide about things to consider when thinking about storing or managing your data "in the Cloud".

More generally, it offers advice on things to consider when using any third party to provide software, storage or computing resources. It does not endorse any particular product or service and should not be taken as a statement that a product or service is suitable or secure; this can only be determined through risk assessment, assurance, and matching against your business requirements.

What is the Cloud?

When we say "the Cloud" we usually mean "somewhere on the Internet", and when we talk about "Cloud services" such as Dropbox and Google Drive we usually mean services provided over the Internet with little or no information about how they are provisioned. In a commercial context, "the Cloud" represents a business model that delivers services in a flexible and responsive way, and where customers only need to know how to access them. Nevertheless, it should be remembered that services are implemented on physical computers by people in offices somewhere in the real world, and threats to the physical infrastructure will be the same as for anywhere else.

This guide focuses on cloud services provided by third parties over the Internet. However, "the Cloud" can also refer to services provided over a private network via a similar delivery model. As a relatively new technology, the Cloud lends itself to confusing jargon and acronyms. Terms are sometimes ill-defined, used inconsistently or combined with marketing buzzwords.

Why Should I Worry?

Cloud services are provided by third parties who are outside the direct control of UCL. As a consequence, use of those services involves balancing your level of acceptable risk against your level of trust in that third party to deliver those services is a secure and reliable way. However, it will not always be possible to establish the requisite level of trust through substantive assurance and legally binding contractual obligations. Often, services are provided with limited guarantees over security, geographical location of storage, performance or continuity. Remember, a lack of due caution could lead to the only copy of your thesis being on a system that suddenly and without warning disappears, or the application that provides a critical function for your department having bugs that will never get fixed because there is no support or the company goes out of business.

The level of "trust" in a service should not be confused with the "trustworthiness" of a third party. For example, you may consider Microsoft to be a trustworthy organisation but, for commercial reasons, its free cloud services may come with limited guarantees over confidentiality and availability.

What's on Offer?

As well as data storage, services might include:

File synchronisation with desktop and mobile devices
File sharing capabilities and collaboration tools (software and applications)
File creation and editing tools, similar to MS Office
Online backups
Various claims for the level of resilience and security, and evidence to that effect

Not all services are free. As a rule of thumb, the more you pay, the more control and assurance you are likely to get. An interesting comparison of file hosting services can be found on Wikipedia: Comparison of file hosting services

There are pros and cons to the Cloud. For example, synchronisation across devices may be useful, but a view should be taken whether it is appropriate to copy your data, say, to a mobile device that doesn't provide much security. Whilst the Cloud can help with access and sharing, you can easily lose control of your data once you lose visibility of where it is being stored.

General Security and Assurance of Cloud Services

Cloud-based file hosting services such as Dropbox and Google Drive are third parties and you therefore have no direct control over the management and security of data you choose to entrust to them. Instead, you must seek assurance through due diligence and contractual obligations, whilst ensuring compliance with UK law and applicable regulations. Bear in mind that your data:

is being entrusted to a third party
is accessible from the Internet
can be accessed by anyone connected to the Internet if they provide the right credentials
may cross international boundaries and legislative regimes without you knowing

Whilst it may be possible to transfer commercial or financial risk, the information risk always remains with UCL; you may be able to offload responsibility, but never accountability. Consider, for example, the impact of negative publicity that could follow a security breach.

Things to Consider

Important considerations include:

Is the cloud service secure enough for this type of information?
Is it compliant - and will it remain compliant - with relevant legislation, contractual or regulatory requirements?
Are the other risks that arise from using this service acceptable?

The answers to these questions will come out of risk assessment combined with assurance.

i. Is the cloud service secure enough for this type of information?

Before deciding whether to store your data in the Cloud, you should perform a risk assessment to a level of detail commensurate with its sensitivity. From this you can determine your security requirements, i.e. what needs to be provided by the service in order to manage and control those risks. You can then seek assurance that the service meets these requirements, and based on the response you get, make a decision as to whether the service is suitable. It follows that if you can't be reasonably well assured that a service will offer the necessary level of security then it probably shouldn't be used.

Knowing the information classification of your data will give an indication of: how concerned you should be about the risks, the minimum level of security needed to adequately protect it and the level of risk assessment required.

The UCL Information Classification Scheme defines 4 levels:

Classification should reflect the most sensitive information in the file or database, even if it represents only one item amongst many. Special attention should be given to "personal data" and "sensitive personal data", as defined in the UK Data Protection Act. Similarly, there is a specific set of requirements for payment card data since this will be covered by the PCI DSS regulatory framework. Patient data may be subject to specific NHS requirements. Seek advice from ISG if you are handling any of this information.

Assurance can take a variety of forms, including security certifications, audit reports and terms and conditions of service. You should look for evidence that the service will manage and control each of the risks you have identified during your assessment.

ii. Is it compliant - and will it remain compliant - with relevant legislation, contractual or regulatory requirements?

The Data Protection Act

Specific requirements exist in law when the information includes personal and sensitive personal data, as defined by the UK Data Protection Act. As a Data Controller, the legal obligation and accountability lies with UCL to ensure continued compliance, even if the data is entrusted to a third party. In the event of a breach, full liability is likely to sit with UCL and the onus would then be on UCL to demonstrate it had been duly diligent. Special attention should be given to Principles 7 and 8:

Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

In practice, compliance with Principle 7 requires a formal contract to be in place between UCL (acting as Data Controller) and the cloud service provider (acting as Data Processor), making it clear the service provider must maintain adequate security of the data. Having a contract is not itself sufficient and you would need to seek assurance that the service provider does - and continues to - provide an adequate level of protection. For example, certification to ISO 27001 or attested compliance to ISO 27018 may provide strong assurance. Responsibilities should be defined and procedures put in place to review security and compliance on a regular basis e.g. annually.

Adherence to Principle 8 is assured if it can be shown that data is never physically stored outside an EEA country or, if it is, that an adequate level of protection is in place. Demonstrating an "adequate level of protection" may be challenging unless UK-recognised agreements are in place. One such agreement was the US Safe Harbor Programme where US-based companies could self-certify themselves as compliant. However, following a test case in October 2015, Safe Harbor can no longer be used for this purpose. As at July 2016 the replacement to Safe Harbor, "Privacy Shield", is being negotiated, and an EU-wide update to data privacy legislation, the General Data Protection Regulation (GDPR), has been agreed. However, it may be some time before these initiatives take effect and in the meantime, you should seek advice from the UCL Data Protection Officer.

Just because a cloud service provider states that your agreement is with a part of their organisation that resides within the EEA it does not mean necessarily that your information will be stored within the EEA.

In addition, as a Data Controller, you need to consider:

How will you satisfy subject access requests under the UK Data Protection Act?
How might you satisfy Freedom of Information requests?

For example, your contract with the service provider might require them to assist with requests and to inform you immediately if approached by someone making a request.

For further information, please see the UCL Data Protection Office website.

The UK Information Commissioner's Office has published some helpful Guidance on the use of Cloud Computing

Also:

Payment card data is subject to the Payment Card Industry Data Security Standard (PCI DSS). Compliance is regulated by card schemes such as Visa and MasterCard, and must be formally validated. Please see the UCL PCI DSS guidance for further information.
Use of cloud services for NHS person-identifiable data will be subject to NHS information governance requirements (as well as the UK Data Protection Act). Please see the UCL Information Governance web pages for more information.

iii. Are the other risks that arise from using this service acceptable?

Considerations may include the cost, reliability and usability of the service, which are business-led decisions. Here are a few other things to consider:

Bigger is better?

It should not be assumed that your data will be secure because the service provider is a big and well-known company. Services may be offered as "one size fits all", having no particular focus on security. Cloud services make a good target for hackers since the rewards are potentially great, and whilst service providers may have the resource and expertise to manage security, it needs to be balanced against the greater level of threat. You should ensure that the service you plan to use is covered by their security management framework and it is wise to seek substantive assurance and not make any assumptions. The trustworthiness of a service provider should not be equated with the level of trust you place in the service, though the former may influence the latter.

Intellectual Property and Copyright

Attention should be given to the terms and conditions of service to ensure upload of information does not forfeit your or UCL's intellectual property rights. This is particularly important if the service will be used as a platform to develop new applications or services, since the cloud service provider may have some rights over what is created. Consideration should be given to whether uploading images, audio recordings and other media could infringe copyright.

Allen & Overy LLP have produced a useful publication, Intellectual Property in the Cloud

USA PATRIOT Act

This US legislation is concerned with investigation of terrorism. At time of writing, parts of the Act have "expired", but similar legislation could replace it and may already exist in other jurisdictions. In particular, it permits US security services to search business records and obliges US-based companies and their subsidiaries to disclose customers' information, even if stored in a European data centre. It is a matter for debate as to how likely this is to happen and how it would impact on the customer. Nevertheless, whilst this or similar legislation is in force, there is a risk of disclosure of confidential and sensitive information.

Continuity of Service

Many Cloud and third party services, especially the free ones, come with little or no guarantee of availability or continuity, and may be discontinued with little or no warning. You should make sure that the risks are understood, communicated to and accepted by all affected stakeholders. It is your responsibility to ensure there is a clear plan of what to do if the service is temporarily unavailable or permanently discontinued, and consideration should be given to how you might recover your documents and data e.g. from a local (UCL) backup copy. Ideally, contractual agreements between UCL and the service provider should address these situations.

Encryption of Stored Data

Encryption can be a good way to protect the confidentiality of your stored data but will not protect against other threats such as accidental deletion or corruption. Encrypting large volumes of data may not be trivial and consideration should be given to when and where the encryption occurs i.e. before or after it is uploaded to the Cloud. For example, it may involve local installation of high-performance hardware encryption devices (HSMs). Encryption may present challenges to sharing of information when collaborating outside UCL. It should be noted that even the strongest encryption algorithm can never be stronger that the secrecy of the keys, so consideration should be given to where the keys are stored and who can access them. For example, some solutions involve having a trusted third party store your keys under an escrow agreement. Remember: if your keys are lost, then so is your data.

Your Admin Access to the Service

In order to configure and use the service, someone at UCL will need to have administrative access e.g. to configure settings, create new users or manage access to the information. That person will have highly privileged and trusted access to the service and its information, so any compromise of their admin account, whether accidental or deliberate, could have significant consequences. Similarly, if that person left UCL without handing over their admin account, or for any other reason was not available, then administration of the service may be hindered. The service provider may or may not be willing to intervene. You might wish to consider options such as dual control of admin tasks or holding of an admin account in escrow.

Other things to think about…

The following is a generalised list of things to consider. It is not exhaustive and some items may not be applicable:

Ongoing costs of the service - will these become excessive?
Who will manage continuous assurance, including the periodic review of security and compliance?
How will Freedom of Information Requests be satisfied?
How will Data Protection Subject Access Requests be satisfied?
Will data be stored, or accessed from, outside the UK or EEA?
If a US-based company, will it be subject to the US Patriot Act or similar legislation?
What is the impact on IPR and copyright?
Do you remain the owner of data uploaded to the service?
Will you need to monitor for copyright infringements by your own users? If so, who and how?
Will the service provider gather and use for their own purposes (or sell on) information about usage of the service? This may include targeted advertising.
Does this place business-critical processes and resources under the control and availability of a third party?
What come-back to you have if the service is unavailable for a significant length of time? Do you have a business continuity plan?
What would happen if the service changed significantly, e.g. following a takeover?
Can the service provider change their terms and conditions with little or no notice?
What would happen to your data if the service provider is sold or goes into liquidation?
Does the service provider say they will share your data with third parties for the purposes of law and order, irrespective of whether a warrant has been taken out?
If audited, could you obtain from the service provider the necessary evidence to show your data is secure?
Can the service provider access your data? If so, under what circumstances?
Can you tell who has accessed your data? Is there an audit trail?
For cloud services accessed over the Internet, is the data transmitted securely, e.g. encrypted over SSL?
Do you have full control over access to your data? How would you know if access permissions were changed?
How are new user IDs, passwords and other credentials managed?
What happens when someone forgets their password?
What happens when someone leaves?
How long is information retained by the service provider?

Risk Assessment Guidance

Risk should be considered throughout the entire information lifecycle, including transfers to other systems, and deletion of data if you migrate to another service provider. Information classification will help identify sensitivity in terms of confidentiality, but you should also consider:

Risks that arise from loss of integrity, such as missing or corrupted data
Risks that arise from loss of availability, such as loss of Internet access or if the service provider goes out of business.

The following spreadsheet includes lists of risks, opportunities and other considerations that may help with your risk assessment:

Cloud-Risk-Assessment-Guidance-v1-2.xls

The main sources of this information are two publications by ENISA, the EU Agency for Network and Information Security, guidance published by CESG and guidance published by the UK Information Commissioner:

Cloud Computing Information Assurance Framework (2009) - a fairly detailed and technical analysis of risks and assurance requirements: ENISA 2009 Cloud Computing Risk Assessment
Cloud Security Guide for SMEs (2015) - a discussion of risks and opportunities. The text includes questions you should ask when selecting a vendor: ENISA 2015 Cloud Security Guide for SMEs
NCSC Cloud Security Guidance - for public sector and enterprise organisations that are considering use of cloud services: NCSC Cloud Security Guidance
NCSC 14 Cloud Security Principles - details about and technical implementation of the 14 Cloud Security Principles: NCSC 14 Cloud Security Principles
ICO Guidance on the use of Cloud Computing - information about cloud computing and compliance with the Data Protection Act: Cloud Computing Guidance

Classification	Brief Description	Guidance on use of 3rd Party Cloud Services
Normal	e.g. information that is publicly available or would not cause embarrassment if it became publicly available	Cloud storage and services may be used, subject to a basic level of assurance that integrity and availability of data will be maintained. Consideration should be given to backup and recovery, and the ability to transfer-out should the need arise. Note: access should not necessarily be "public" even if data is not sensitive in any way; data can still be misused or taken out of context.
Restricted	e.g. information that you would not expect to be available in the public domain	Cloud storage and services may be used subject to strong assurance on security. Access should be controlled and auditable, with strong authentication of users. Encryption is preferred. Anonymisation may be beneficial. Assurance should be obtained regarding secure deletion of data and the ability to transfer-out should the need arise.
Highly Restricted	e.g. financial data, administrative information about named personnel or sensitive commercial information. This classification includes personal information subject to the Data Protection Act	Cloud storage and services are probably not suitable unless a specialised and highly-secure service. Use should be subject to written contracts, signed by both parties. Very strong assurance should be obtained as to the security of data. Strong access controls and audited access should be in place. Encryption should be used, with encryption keys stored locally and under control of UCL i.e. not within the cloud itself. Techniques such as anonymisation and tokenisation are also worth considering.
Secret	e.g. highly sensitive information, including sensitive personal information and medical records	Cloud storage and services should not be used under normal circumstances. Some specialised and highly-secure services may exist as private or community cloud offerings e.g. for the UK government and the NHS, but expert advice should be sought regarding the suitability and use of these services.