Risk Assessing iCloud (and other online backups) – UPDATE 2, DropBox
Update 2 (8/2012) – Cloud-based storage vendor DropBox confirmed recently that a stolen employee password led to the theft of a “project document” that contained user e-mail addresses. Those addresses were then used to spam DropBox users. The password itself was not stolen directly from the DropBox site, but from another site the employee used. This reinforces the point I made in a previous post about LinkedIn. If you have a “go-to” password that you use frequently (and most people do), you should assume that it’s out there in the wild, and you should also assume it is now being used in dictionary attacks. So change your DropBox password, but also change all other occurrences of that password.
But passwords (and password change policies!) aside, serious questions remain about this and other on-line storage vendors:
- Do they hold themselves to the same high information confidentiality, integrity and availability standards required of financial institutions?
- If so, can they document adherence to that standard by producing a third-party report, like the SOC 2?
- Will they retain and destroy information consistent with your internal data retention policies?
- What happens to your data once your relationship with the vendor is terminated?
- Do they have a broad and deep familiarity with the regulatory requirements of the financial industry, and are they willing and able to make changes in their service offerings necessitated by those requirements?
Any vendor that cannot address these questions to your satisfaction should not be considered as a service provider for data classified any higher than “low”.
________________________________________________________
Update 1 (3/2012) – A recent article in Data Center Knowledge estimates that Amazon is using at least 454,400 servers in seven data center hubs around the globe. This emphasizes my point that large cloud providers with widely distributed data storage make it very difficult for financial institutions to satisfy the requirement to secure data in transit and storage if they don’t know exactly where the data is stored.
________________________________________________________
Apple recently introduced the iCloud service for Apple devices such as the iPhone and iPad. The free version offers 5GB of storage, and additional storage up to 50GB can be purchased. The storage can be used for anything from music to documents to email.
Since iPhones and iPads (and other mobile devices) have become ubiquitous among financial institution users, and since it is reasonable to assume that email and other documents stored on these devices (and replicated in iCloud) could contain non-public customer information, the use of this technology must be properly risk-managed. But iCloud is no different than any of the other on-line backup services such as Microsoft SkyDrive, Google Docs, Carbonite, DropBox, Amazon Web Services (AWS) or our own C-Vault…if customer data is transmitted or stored anywhere outside of your protected network, the risk assessment process is always the same.
The FFIEC requires financial institutions to:
- Establish and ensure compliance with policies for handling and storing information,
- Ensure safe and secure disposal of sensitive media, and
- Secure information in transit or transmission to third parties.
These responsibilities don’t go away when all or part of a service is outsourced. In fact, “…although outsourcing arrangements often provide a cost-effective means to support the institution’s technology needs, the ultimate responsibility and risk rests with the institution.”* So once you’ve established a strategic basis for cloud-based data storage, risk assessing outsourced products and services is basically a function of vendor management. And the vendor management process begins well before the vendor actually becomes a vendor, i.e. before the contract is signed. Again, the FFIEC provides guidance in this area:
Financial institutions should exercise their security responsibilities for outsourced operations through:
- Appropriate due diligence in service provider research and selection,
- Contractual assurances regarding security responsibilities, controls, and reporting,
- Nondisclosure agreements regarding the institution’s systems and data,
- Independent review of the service provider’s security through appropriate audits and tests, and
- Coordination of incident response policies and contractual notification requirements.*
So how do you comply (and demonstrate compliance) with this guidance? For starters, begin your vendor management process early, right after the decision is made to implement cloud-based backup. Determine your requirements and priorities (usually listed in a formal request for proposal), such as availability, capacity, privacy/security, and price…and perform due diligence on your short list of potential providers to narrow the choice. Non-disclosure agreements would typically be exchanged at this point (or before).
Challenges & Solutions
This is where the challenges begin when considering large cloud-based providers. They aren’t likely to respond to a request for proposal (RFP), nor are they going to provide a non-disclosure agreement (NDA) beyond their standard posted privacy policy. This does not, however, relieve you from your responsibility to satisfy yourself, any way you can, that the vendor will still meet all of your requirements. One more challenge (and this is a big one)…since large providers may store data simultaneously in multiple locations, you don’t really know where your data is physically located. How do you satisfy the requirement to secure data in transit and storage if you don’t know where it’s going or how it gets there? Also, what happens if you decide to terminate the service? How will you validate that your data is completely removed? And what happens if the vendor sells itself to someone else? Chances are your data was considered an asset for the purposes of valuing the transaction, and now that asset (your data) is in the hands of someone else, someone who may have a different privacy policy or may even be located in a different country.
The only possible answer to these challenges is bullet #4 above…you request, receive and review the provider’s financials and other third-party reviews (SOC, SAS 70, etc.). Here again, large providers may not be willing to share information beyond what is already public. So the answer actually presents an additional challenge.
Practically speaking, perhaps the best way to approach this is to have a policy that classifies and restricts data stored in the cloud. Providers that can meet your privacy, security, confidentiality, availability and data integrity requirements would be approved for all data types; providers that could NOT satisfactorily meet your requirements would be restricted to storing only non-critical, non-sensitive information. Of course, enforcing that policy is the final challenge…and the topic of a future post! In the meantime, if your institution is using cloud-based data storage, how are you addressing these challenges?
* Information Security Booklet – July 2006, Service Provider Oversight