Six Critical Considerations to Ensure Cloud Security for the Supply Chain

Companies across industries are leveraging Cloud-based solutions to increase efficiencies and improve supply chain relationships, but the Cloud is not without potential risks

October 20, 2010 — The need for close collaboration and information exchange across your supply chain is not new but is arguably more important in today's global, real-time marketplace than ever before. Many enterprises have turned to B2B integration solutions or service providers; however, traditional EDI services and on-premise integration middleware or enterprise service bus (ESB) solutions often do not provide the simplicity, interoperability or scalability needed by today's real-time business processes.

Enter the "Cloud" and a new generation of integration solutions delivered as software-as-a-service (SaaS). Companies across industries are leveraging Cloud- and SaaS-based solutions in order to increase efficiencies, extend legacy infrastructure, minimize management overhead and improve supply chain relationships. By 2012, technology research firm IDC predicts spending on IT Cloud services will grow almost threefold, to $42 billion. In a recent survey conducted by Hubspan, more than half of the respondents had initiatives to move business processes to the Cloud or expand current Cloud initiatives.

But as with every technology, the Cloud is not without potential "holes" or risks. And there have been multitudes of articles and research claiming IT and business executives are leery of the Cloud because of the potential loss of control and fear over security issues. In my experience, the Cloud is no more or less secure than on-premise infrastructure and can be the ideal environment to effectively and efficiently manage supply chain processes. However, not all "clouds" are created equal, and there are major areas to evaluate when considering a Cloud vendor and service.

For executives in the manufacturing and supply chain spaces, security concerns can span from wondering if information transferred between partners in the Cloud is safe to what type of data is best stored in the Cloud. Below are the top six Cloud security critical considerations to be weighed during the evaluation stage to make sure your company's data and processes are secure. Importantly, these areas go beyond the technology or platform itself to cover the vendor's infrastructure, people and processes.

1. Find out how the vendor will secure your data.
2. Ensure that data is encrypted both in motion and at rest.
3. Make sure the vendor follows secure development principles.
4. Evaluate security certifications, audits and compliance mandates.
5. Determine the level of visibility into any intrusion or potential compromise.
6. Data security procedures and processes need to be an integrated part of the disaster recovery plan.

Let's explore each of these areas in more detail.

1. Find out how the vendor will secure your data.

The key is to understand how your provider's physical security, personnel policies, access controls and architecture work together to build a secure environment for the data your partners and customers entrust to you. Determine whether secure coding and data encryption practices keep the data and applications safe from malicious users. Cryptographic key management is a vital part of any security scheme and should be reviewed to confirm that it meets your own security requirements, not only the vendor's.

Application Access Control
When it comes to application access control, you need to think about both the front-end and the back-end. Most SaaS applications apply access management rules when the application is used through its user interface (the front-end), ranging from basic username and password to client certificates or multi-factor authentication. The part that is often missed is the back-end: access by the vendor's own operational teams, who must reach the application during upgrades, maintenance, system optimization and so on. If the vendor is also a managed services provider, find out how its services team accesses your data and what policies govern that access. The vendor should perform and report on access audits detailing who accessed, viewed or handled the data, what they did, when and how.

Infrastructure Security
Beyond the application, physical access control is just as important. Most people focus on the software, but that SaaS application is powered by traditional data centers and infrastructure, and your vendor should manage these with the highest level of physical security controls. Ask for a tour of the data center or a copy of a physical security audit. There should be strong physical security at every level of the data center, and clear policies and technologies in place to limit physical access not only to the building but to specific servers, network systems, storage drives and other assets, to minimize exposure. Compliance mandates such as PCI DSS have explicit requirements around physical controls (PCI DSS Requirement 9 covers physical access to systems holding cardholder data).

Personnel Policies
The security of any platform depends on the people who run it, which matters all the more because you are outsourcing critical business processes to your Cloud vendor. Find out whether they approach operations with a security-centric mindset; hiring and HR practices have a large impact on a vendor's security operations. Smart vendors institute background checks and security training for their employees to defend against social engineering and phishing attacks. Ask the vendor about hiring practices and continuing education policies to see how personnel considerations are factored into security policies.

Data Segregation
With public Cloud solutions, your data are stored in the same "Cloud" with other companies. Therefore, you need to know how your Cloud vendor will ensure your data are segregated and can't be inappropriately viewed or accessed by any other company. The Cloud solution must have clear segregation capabilities, particularly if it's in a multi-tenant environment. Depending on your vendor's architecture, there may be customers with differing security needs operating within the same multi-tenant environment. In these cases, the entire system needs to be operating at the highest level of security to avoid the "weakest link syndrome."

As an example, at my company, Hubspan, we have clear data segregation and transactional boundaries within our platform. Within the multi-tenant environment, we establish boundaries of execution, creating filters around each transaction. Security context and strict access control rules are built into the business rules and choreography assigned to each transactional process. Every piece of data is tagged with security attributes, and access controls are wrapped around the data. Domain attributes and/or group attributes are assigned to the data based on the company and transaction.
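To make the segregation and back-end audit points above concrete, here is an added illustration (hypothetical code written for this page, not Hubspan's platform or any vendor's product) of tagging every record with a domain and group attribute and deciding every access at a single logged enforcement point. The tenant names, record identifiers, audit fields and the `operator` flag for vendor back-end sessions are assumptions made for the example.

```python
# Tenant data segregation by attribute tagging with one logged enforcement
# point. Hypothetical illustration; not Hubspan's implementation.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

@dataclass(frozen=True)
class SecurityContext:
    principal: str          # who is calling
    domain: str             # tenant this session is bound to
    groups: frozenset       # groups held inside that tenant
    operator: bool = False  # vendor back-end session (upgrades, support)

@dataclass
class Record:
    record_id: str
    domain: str             # owning tenant; every record must carry one
    group: Optional[str]    # optional partition inside the tenant
    payload: dict

AUDIT_LOG: list[dict] = []  # in production: append-only store off the app host

def _audit(ctx: SecurityContext, action: str, record_id: str, allowed: bool, reason: str) -> None:
    """Who / what / when / how for every decision, allowed or denied."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "who": ctx.principal,
                      "domain": ctx.domain, "operator": ctx.operator, "what": action,
                      "record": record_id, "allowed": allowed, "why": reason})

def authorize(ctx: SecurityContext, rec: Record, action: str) -> tuple[bool, str]:
    """The one place access is decided. Default deny; every allow has a reason."""
    if action not in ("read", "write"):
        return False, "unknown-action"
    if rec.domain != ctx.domain:      # operator sessions are bound to a domain too
        return False, "cross-domain"
    if rec.group is not None and rec.group not in ctx.groups:
        return False, "group-mismatch"
    return True, "ok"

class TenantStore:
    def __init__(self) -> None:
        self._rows: dict[str, Record] = {}

    def put(self, ctx: SecurityContext, rec: Record) -> None:
        # A session may only create data tagged with its own domain, so no
        # tenant can plant a record that another tenant's filter would match.
        ok, why = authorize(ctx, rec, "write")
        _audit(ctx, "write", rec.record_id, ok, why)
        if not ok:
            raise PermissionError(why)
        self._rows[rec.record_id] = rec

    def get(self, ctx: SecurityContext, record_id: str) -> Optional[Record]:
        rec = self._rows.get(record_id)
        if rec is None:
            _audit(ctx, "read", record_id, False, "not-found")
            return None
        ok, why = authorize(ctx, rec, "read")
        _audit(ctx, "read", record_id, ok, why)
        # Denied and missing look the same to the caller: no existence oracle
        # that lets one tenant probe another's record identifiers.
        return rec if ok else None

    def query(self, ctx: SecurityContext, predicate: Callable[[Record], bool]) -> list[Record]:
        # The tenant filter lives here in the data layer, never in the caller's query.
        return [r for r in self._rows.values() if authorize(ctx, r, "read")[0] and predicate(r)]

def demo() -> dict:
    """Two tenants share one store; show what each session can and cannot see."""
    AUDIT_LOG.clear()
    store = TenantStore()
    alice = SecurityContext("alice@acme", "acme", frozenset({"purchasing"}))
    bob = SecurityContext("bob@acme", "acme", frozenset({"finance"}))
    carol = SecurityContext("carol@globex", "globex", frozenset({"purchasing"}))
    ops = SecurityContext("ops-1@vendor", "acme", frozenset({"purchasing", "finance"}), operator=True)
    store.put(alice, Record("po-1001", "acme", "purchasing", {"total": 1200}))
    store.put(bob, Record("inv-77", "acme", "finance", {"total": 1200}))
    store.put(carol, Record("po-2001", "globex", None, {"total": 50}))
    try:
        store.put(carol, Record("po-9", "acme", None, {}))   # forged domain tag
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return {
        "alice_sees_own": store.get(alice, "po-1001") is not None,
        "alice_sees_finance": store.get(alice, "inv-77") is not None,
        "carol_sees_acme": store.get(carol, "po-1001") is not None,
        "carol_probes_unknown": store.get(carol, "no-such-id"),
        "forged_write_accepted": forged_accepted,
        "ops_query_ids": sorted(r.record_id for r in store.query(ops, lambda r: True)),
        "denied_events": sum(1 for e in AUDIT_LOG if not e["allowed"]),
    }
```

Two design points are worth noting when evaluating a vendor's own version of this: the tenant filter is applied inside the data layer on every read, including the operator session (an operator is bound to one domain per session and shows up in the audit log with `operator` set), and a denied read is indistinguishable from a missing record, so one tenant cannot enumerate another's identifiers by probing.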

2. Ensure that data is encrypted both in motion and at rest.

Data security needs to be addressed comprehensively. Cloud applications generally tout strong encryption while data are "moving" across the Cloud, but many do not address data protection when the information is at rest or in storage.

End-to-end Data Encryption
Data needs to be protected at all stages of a process, from start to finish. Make sure your data are encrypted at rest, during back-ups and while in storage. Also, the data encryption process should be audited and reported to ensure compliance. Data at particular risk are those in back-up systems or devices, as these data could be stored for some time and can be an unexpected target of theft or manipulation.

The Federal Information Processing Standard FIPS 140 (FIPS 140-2 at the time of writing) specifies security requirements for cryptographic modules, including how keys are generated, stored and zeroized. Ask your vendor whether the modules that encrypt your data are FIPS 140-2 validated under NIST's Cryptographic Module Validation Program (CMVP); that is a stronger and verifiable claim than "FIPS compliant" or "uses FIPS-approved algorithms."

Key Security
Review how encryption keys are generated, stored, managed and secured. You can encrypt all of your data, but the encryption keys are the proverbial "keys to the kingdom." Best practice (PCI DSS calls it split knowledge and dual control) is to divide knowledge of each key across two or more custodians so that no single person knows a whole key; reconstructing it requires every custodian to be present and to authorize the operation.

Where one person in the company does know an entire key (for example, the CEO or security officer), clear procedures should ensure that the actual data cannot be accessed without another layer of authorization, preserving separation of duties.
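As an added illustration of split knowledge (written for this page; not part of the original article and not a description of any vendor's product), the Python below divides a 256-bit data-encryption key into one uniformly random component per custodian, so that any subset short of all of them is statistically independent of the key, and uses a key check value to confirm a reconstruction without exposing the key. The "KCV" label string, the three-custodian count and the key length are assumptions for the example; the cipher the key would be used with is not shown.

```python
# n-of-n split knowledge for a data-encryption key, with a key check value.
# Added illustration, not from the article.
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit key, e.g. an AES-256 data-at-rest key (assumed)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def key_check_value(key: bytes) -> str:
    """HMAC of a fixed label, truncated: storable in the clear beside the
    component envelopes and useless for recovering the key itself."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:8]

def split_key(key: bytes, n: int) -> list[bytes]:
    """n-1 random components plus one chosen so that all n XOR back to the key.
    Every component on its own is uniform random, so n-1 of them leak nothing."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    return components + [last]

def combine(components: list[bytes]) -> bytes:
    out = bytes(len(components[0]))
    for c in components:
        out = xor_bytes(out, c)
    return out

def reconstruct(components: list[bytes], expected_kcv: str) -> bytes:
    """Dual-control ceremony: combine what the custodians entered and refuse to
    release the key unless the KCV matches (a missing or mistyped component
    yields a random value, not a quietly wrong key)."""
    key = combine(components)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: incomplete or corrupted components")
    return key

def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(key)       # recorded at key-generation time
    parts = split_key(key, 3)        # three custodians, one component each
    full = reconstruct(parts, kcv)   # all three present
    try:
        reconstruct(parts[:2], kcv)  # only two of three present
        partial_accepted = True
    except ValueError:
        partial_accepted = False
    return {"full_matches": full == key, "partial_accepted": partial_accepted,
            "component_len": len(parts[0]), "kcv": kcv}

if __name__ == "__main__":
    print(demo())
```

In a real ceremony each component is generated and printed or loaded in a tamper-evident envelope for one custodian, the KCV is kept with the key's metadata, and the combination happens inside the HSM or key-management system rather than in application memory; the XOR construction above is the same one used for that purpose in many commercial key-management procedures.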

There has been a great deal of debate over whether companies should implement an end-to-end encryption strategy, as suggested above, or a tokenization approach. Both are valid. Tokenization narrows the set of systems that ever hold the real value, but it concentrates risk in the token vault, which must then be protected with the same key-management and access-control rigor described here. If your data are moving across a Cloud platform or solution, a complete encryption approach leaves no chance of missing data that should have been protected.

3. Make sure the vendor follows secure development principles.

A truly secure Cloud platform is built for security through and through. That means security starts from "ground zero" — the design phase of the application, as well as the platform. It simply isn't enough to operate your system with a security-centric mindset; you have to design your system using the same guiding principles, following an unbroken chain of secure procedures from conception in the lab to real-life implementation. This means that design reviews, development practices and quality assurance plans must be engineered using the same strict security guidelines you would use in a production data center.

4. Evaluate security certifications, audits and compliance mandates.

Many organizations publish security best-practice guidance and compliance mandates. These range from PCI DSS for cardholder data security, to SAS 70 internal control audits for service organizations, to industry groups focused on Web and data security risk.

Consider vendors that follow PCI DSS, developed and governed by the Payment Card Industry Security Standards Council. It is a set of requirements for protecting payment card account data. Although it was written for organizations that store, process or transmit cardholder data, its controls are relevant to any sector that handles sensitive or personally identifiable information. PCI DSS prescribes consistent, testable data security measures and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Another widely cited audit standard is Statement on Auditing Standards No. 70 (SAS 70), issued by the American Institute of Certified Public Accountants (AICPA). A SAS 70 Type II report means an independent auditor has examined the design of a service provider's control objectives and activities and tested their operating effectiveness over a period of time (a Type I report covers design only, at a point in time). Two caveats: SAS 70 is an audit report, not a certification, and the control objectives are chosen by the provider, so read the report itself to confirm that the controls tested are the ones that protect your data's confidentiality, integrity, availability, authentication and non-repudiation.

In addition to these certifications, there are a couple of other associations and groups the vendor should acknowledge and use as guidance in prioritizing data security issues. They are the Open Web Application Security Project (OWASP), which has a top 10 list outlining the most dangerous current Web application security flaws along with the effective methods of dealing with them; and the Cloud Security Alliance (CSA), an industry group that advises best practices for data security in the Cloud.

In addition to third-party compliance, the Cloud vendor should be engaging in its own annual security audits. Audits of the access-control systems guarding physical IT infrastructure are vital to protect the integrity of your provider's data center. General security audits by outside firms and regular penetration testing are quickly becoming industry standard and should be discussed and evaluated. Change management records, showing what was changed, by whom and with what approval, also need to be documented and reviewed.

Your vendor should have scheduled audits, including penetration tests, performed by an independent third party to evaluate the quality of the security you are getting. PCI DSS v1.2 sets only a floor: an annual assessment, penetration testing at least once a year and after any significant infrastructure or application change, and quarterly external vulnerability scans. Find a vendor that goes beyond that floor; some run independent tests quarterly.

5. Determine the level of visibility into any intrusion or potential compromise.

Attempts by hackers to breach data security measures are becoming the norm in today's high-tech computing environment. Whether you maintain your infrastructure and data on premise or in the Cloud, the issues of securing your data are the same.

There are two key pieces to consider: intrusion prevention, keeping your data safe from attack or breach; and intrusion detection, the ability to monitor what is happening with your data and know if and when an intrusion occurs. The latter is critical: many companies encrypt and protect the data but still have no visibility into what is happening to it, such as whether any unauthorized activity is occurring. Intrusion detection does not block traffic; it gathers and logs the information needed to raise alerts, which is only useful if someone is watching them.

Intrusion detection and prevention systems (IDPS) should be implemented in your network, and if you are using a Cloud vendor, the provider should also have IDPS in place, along with related processes and policies. The vendor should be able to monitor, measure and react to any potential breach, and particularly monitor access to its systems and detect any unauthorized changes to systems, policies or configuration files.
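Detecting "unauthorized changes to systems, policies or configuration files" is usually done with file-integrity monitoring. The following added Python example (written for this page; not from the article, a vendor or any product) builds a baseline of digests, sizes and permission bits over a directory tree and reports what was modified, added or removed on a later scan. The sample files and the simulated tampering are constructed in a temporary directory; the file names and contents are made up.

```python
# File-integrity baseline and comparison of the kind a FIM agent runs over
# configuration files. Added illustration; sample tree is constructed below.
import hashlib
import os
import pathlib
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> dict[str, dict]:
    """Digest, size and permission bits for every file under root, keyed by
    POSIX-style relative path so baselines are comparable across hosts."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = pathlib.Path(os.path.relpath(full, root)).as_posix()
            st = os.stat(full)
            snap[rel] = {"sha256": sha256_file(full),
                         "size": st.st_size,
                         "mode": oct(st.st_mode & 0o777)}
    return snap

def compare(old: dict, new: dict) -> dict[str, list[str]]:
    """Classify drift between two scans. A permission change counts as a
    modification too: chmod 777 on a config file is as interesting as an edit."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as root:
        etc = pathlib.Path(root) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")      # constructed
        (etc / "app.yaml").write_text("tenant_isolation: strict\n")   # constructed
        (etc / "hosts").write_text("127.0.0.1 localhost\n")            # constructed
        before = baseline(root)
        # Simulated unauthorized changes between two scan runs.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "app.yaml").unlink()
        (etc / "authorized_keys").write_text("ssh-ed25519 AAAA constructed-key\n")
        return compare(before, baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Two operational caveats when you ask a vendor how they do this: the baseline must be stored off the monitored host and integrity-protected, because an attacker who can edit the configuration can also edit a local baseline; and PCI DSS requires the comparison to run at least weekly, whereas a compromise of a bastion host or a hypervisor configuration is worth knowing about within minutes, so ask what the vendor's actual scan interval and alert routing are.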

Data centers are primary targets for hackers looking to damage and adversely affect your business. Taking precautionary measures and increasing the level of monitoring and visibility are not a guarantee you will not get attacked, but they do make it more difficult and therefore minimize the probability of such an event. And if it does happen, you will have the information you need to react quickly to try to minimize the negative impact.

6. Data security procedures and processes need to be an integrated part of the disaster recovery plan.

Your vendor's security story needs to include a comprehensive business continuity plan. First, there must be a failover system or backup data center. Additionally, you should be able to review the plan and understand the impact it could have on your processes and data. Many of the biggest Cloud computing outages in recent memory were the result of a failure of disaster recovery processes.

Beyond business continuity, the backup data center must have the same security processes and procedures applied as the primary one. Since the backup site may at any time become the production site, security has to be as redundant as the infrastructure.

Also, understand the vendor's communication plan in the event of a disaster recovery (DR) incident or other event affecting the data centers. Keep in mind that you may not always know where your data are physically located, so the onus of reporting is on your provider. Sometimes there are service level agreements (SLAs) around this DR communication process covering not only the initial information you receive but ongoing updates and status reports.

These considerations and your careful evaluation of any potential Cloud or SaaS vendor will ensure you are maintaining a secure operating environment for your supply chain business processes or applications. For references, I recommend reading the guidelines published by OWASP and the CSA.

About the Author: Ian Huynh is vice president of engineering at Hubspan. A technology executive with 20 years experience building and maintaining enterprise software, Huynh's background includes architecting enterprise applications in a variety of industries, including e-commerce, manufacturing, insurance, banking, telecom and transportation systems. Prior to joining Hubspan, Huynh served as Software Architect at Concur Technologies, and he has held technical leadership positions at 7Software and Microsoft Corp. More information on Hubspan at