OPS.2.2 Cloud Use

Cloud computing refers to the demand-driven provision, use, and billing of IT services over a network. The range of services offered within the framework of cloud computing covers the complete spectrum of information technology.

Description

Introduction

Cloud computing refers to the demand-driven provision, use, and billing of IT services over a network. The provision and use of these services takes place exclusively via defined technical interfaces and protocols. The range of services offered within the framework of cloud computing covers the complete spectrum of information technology and includes, among other things, infrastructure (e.g. computing power, storage space), platforms, and software.

Cloud computing offers many advantages: IT services can be used on demand, scalably, and flexibly and billed according to the functional scope, duration of use, and number of users. Specialized knowledge and resources of the cloud service providers can also be accessed, which can free up internal resources for other tasks. In practice, however, it frequently turns out that the advantages that institutions expect from cloud use do not fully materialize. The reason for this is usually that critical success factors are not sufficiently taken into account prior to cloud use. Therefore, cloud services must be strategically planned, and (security) requirements, responsibilities, and interfaces must be carefully defined and agreed upon. Awareness and understanding of the necessarily changed roles, both on the side of IT Operations and among the users of the contracting institution, are also an important success factor.

In addition, the topic of governance should also be taken into account when introducing cloud services (cloud governance). Critical areas include, for example, contract design, the implementation of multi-tenancy, ensuring portability of different services, billing of used service capabilities, monitoring of service provision, security incident management, and numerous data protection aspects.

Objective

The building block describes requirements that enable cloud services to be used securely. It is aimed at all institutions that already use such services or intend to use them in the future.

Scope and Modeling

The building block OPS.2.2 Cloud Use is always to be applied to a specific cloud service. If an institution uses different cloud service providers, the building block is to be applied for all cloud service providers. The interface between the cloud service providers is also the subject of the building block and must be considered for all cloud services.

In almost all deployment models, apart from the use of a private cloud on-premise, cloud services represent a special form of outsourcing (see building block OPS.2.3 Use of Outsourcing). The threats and requirements described in this building block therefore frequently also apply to outsourcing. However, cloud services have some special features that are addressed exclusively in this building block. Building block OPS.2.3 Use of Outsourcing is therefore not to be applied to cloud services.

The threats and requirements described in this building block apply in principle regardless of the service and deployment model used.

Security requirements with which providers can protect their cloud services are not the subject of this building block. Threats and specific security requirements that become relevant when a cloud service is connected via corresponding interfaces (API, Application Programming Interface) are also not considered in this building block.

Demarcation from Classical IT Outsourcing

In outsourcing, work, production, or business processes of an institution are outsourced wholly or partly to external service providers. This is an established component of today’s organizational strategies. Classical IT outsourcing is usually designed such that the entire rented infrastructure is used exclusively by one customer (single tenant architecture), even if outsourcing providers normally have multiple customers. In addition, outsourcing contracts are usually concluded for longer terms.

The use of cloud services is similar in many respects to classical outsourcing, but there are some additional differences to be taken into account:

  • For economic reasons, multiple users in a cloud often share a common infrastructure.
  • Cloud services are dynamic and therefore scalable upwards and downwards within much shorter timeframes. This allows cloud-based offers to be more quickly adapted to the actual needs of users.
  • The cloud services used are generally controlled by the cloud users themselves via a web interface. They can thus automatically tailor the services used to their needs.
  • The technologies used in cloud computing make it possible to dynamically distribute IT performance across multiple locations, which can be geographically widely dispersed both domestically and abroad.
  • Users can easily administer the services used and their resources via web interfaces or appropriate interfaces, with little interaction with the cloud service providers required.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.2.2 Cloud Use.

Missing or Insufficient Strategy for Cloud Use

Deploying cloud services in an institution is a strategic decision. A missing or insufficient strategy for cloud use can, for example, lead to an institution choosing unsuitable cloud services or cloud service providers. The selected cloud services could also be incompatible with the institution’s own IT, internal business processes, or protection needs. This can have a negative organizational, technical, or financial impact on business processes. In general, a missing or insufficient strategy for cloud use can lead to the associated objectives not being achieved or the security level declining significantly.

Dependency on Cloud Service Providers (Loss of Control)

If an institution uses external cloud services, it is more or less heavily dependent on the cloud service providers. This can lead to the institution no longer being able to fully control the outsourced business processes and the associated information, in particular their security. Despite possible controls, the institution also depends, beyond a certain point, on the cloud service providers implementing security measures correctly. If they do not do so, business processes and business-critical information are inadequately protected.

In addition, the use of external cloud services can lead to the institution losing knowledge of information security and information technology. As a result, the institution may no longer be able to assess whether the protective measures taken by the providers are sufficient. A switch to another cloud service also becomes very difficult. The cloud service providers could also exploit this dependence, for example to enforce price increases or reduce the quality of the service.

Inadequate Requirements Management in Cloud Use

When an institution decides to use a cloud service, many expectations are usually attached to this decision. For example, employees hope for higher performance or a larger range of functions for the outsourced services, while top management counts on lower costs. Inadequate requirements management before cloud use can, however, lead to expectations not being met and the service not delivering the desired added value, e.g. with regard to availability.

Many providers offer their cloud services in an international environment. This means that they are often subject to other national laws. Cloud customers frequently see only the advantages associated with cloud computing (e.g. cost advantages) and incorrectly assess the legal framework conditions, such as data protection, disclosure obligations, insolvency law, liability, or information access for third parties. This could result in applicable guidelines and requirements being violated. The security of the outsourced information could also be compromised.

Missing Multi-Tenancy at Cloud Service Providers

In cloud computing, different institutions usually share a common infrastructure, such as IT systems, networks, and applications. If, for example, the resources of the different institutions are not sufficiently securely separated from one another, one institution may be able to access the areas of another institution and manipulate or delete information there.

Inadequate Contractual Arrangements with Cloud Service Providers

Due to inadequate contractual arrangements with cloud service providers, a wide variety of serious security problems can arise. If areas of responsibility, tasks, performance parameters, or expenditures were insufficiently or ambiguously described, it can happen that the cloud service providers unintentionally or due to a lack of resources do not implement, or only inadequately implement, security measures.

Even if situations arise that are not clearly regulated contractually, disadvantages can result for the contracting institution. For example, cloud service providers frequently use the services of third parties for their services. If there are inadequate contractual agreements here or if the dependencies between the service providers and third parties have not been disclosed, this can also have a negative impact on the information security and service performance of the institution.

Inadequate Planning of Migration to Cloud Services

Migration to a cloud service is almost always a critical phase. Through inadequate planning, errors can occur that affect information security within the institution. If an institution, for example, carelessly forgoes a phased migration due to an insufficient planning phase, this can lead to significant problems in practice. If there are no test phases, pilot users, or a time-limited parallel operation of existing infrastructure and cloud services beforehand, important data can be lost or services can fail completely.

Insufficient Integration of Cloud Services into the Institution’s Own IT

It is necessary for cloud services to be appropriately integrated into the IT infrastructure of the institution. If the responsible persons implement this only inadequately, it can happen that users cannot fully access the contracted cloud services. The cloud services may thus not deliver the required and agreed performance, or they may not be accessible at all or only to a limited extent. This can slow down or completely halt business processes. If cloud services are incorrectly integrated into the institution’s own IT, serious security vulnerabilities can also arise.

Insufficient Regulations for the End of a Cloud Use Project

Insufficient regulations for a possible termination of the contractual relationship can have serious consequences for the institution. Based on experience, this is always particularly problematic when an event that is critical from the perspective of the institution occurs unexpectedly, such as the insolvency or sale of the cloud service providers or serious security concerns. Without sufficient internal precautions and precise contractual regulations, the institution may find it difficult to disengage from the contract concluded for the cloud service. In this case, it is difficult or even impossible to transfer the outsourced cloud service promptly to another cloud computing platform or to reintegrate it into the institution’s own operations.

Insufficient regulation of data deletion after the contract ends can also lead to unauthorized access to the institution’s information.

Insufficient Administration Model for Cloud Use

When cloud services are used, the role concept within IT Operations on the side of the using institution often changes. For example, the role of administrators often shifts away from classical system administration towards service administration. If this process is not sufficiently supported, this can have a negative impact on cloud use, for example if the administrators lack the necessary understanding of the changes or are not trained, or only inadequately trained, for their new task. As a result, the cloud services may not be properly administered and thus may be available only to a limited extent or may fail completely.

Insufficient Emergency Preparedness Concept

Insufficient emergency preparedness quickly has serious consequences in cloud use. If the cloud service or parts of it fail, omissions in the emergency preparedness concepts of cloud service providers and at the interfaces always lead to unnecessarily long downtime with corresponding consequences for the productivity or service of the contracting institution. In addition, poorly coordinated emergency scenarios between the contracting institution and the service providers can lead to gaps in emergency preparedness.

Failure of the IT Systems of the Cloud Service Providers

At cloud service providers, the processes, IT systems, and applications operated there can fail partially or completely, which consequently also affects the cloud customers. If the institutions are insufficiently separated from each other, a failed IT system that is not assigned to the institution can also lead to this institution no longer being able to retrieve its contractually guaranteed service. Similar problems arise if the connection between cloud service providers and customers fails or if the cloud computing platform used is successfully attacked.

Requirements

The following are the specific requirements of building block OPS.2.2 Cloud Use. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities and roles:

  • Primarily responsible: IT Operations
  • Additional responsibilities: Specialist Responsible Persons, Data Protection Officers, Top Management, HR Department

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.2.2.A1 Creation of a Strategy for Cloud Use (B) [Specialist Responsible Persons, Top Management, Data Protection Officers]

A strategy for cloud use MUST be created. In this, objectives, opportunities, and risks that the institution associates with cloud use MUST be defined. In addition, the legal and organizational framework conditions as well as the technical requirements that arise from the use of cloud services MUST be examined. The results of this examination MUST be documented in a feasibility study.

It MUST be specified which services are to be procured from cloud service providers in which deployment model in future. In addition, it MUST be ensured that all fundamental technical and organizational security aspects are sufficiently taken into account already in the planning phase for cloud use.

For the planned cloud service, a rough individual security analysis SHOULD be performed. This SHOULD be repeated when technical and organizational framework conditions change significantly. For larger cloud projects, a roadmap SHOULD also be developed that specifies when and how a cloud service is introduced.

OPS.2.2.A2 Creation of a Security Policy for Cloud Use (B) [Specialist Responsible Persons]

Based on the strategy for cloud use, a security policy for cloud use MUST be created. It MUST contain specific security requirements with which cloud services can be implemented within the institution. In addition, special security requirements for cloud service providers and the defined protection level for cloud services with regard to confidentiality, integrity, and availability MUST be documented therein. If cloud services from international providers are used, the specific country-specific requirements and statutory provisions MUST be taken into account.

OPS.2.2.A3 Service Definition for Cloud Services (B) [Specialist Responsible Persons]

A service definition MUST be developed for each cloud service. In addition, all planned and used cloud services SHOULD be documented.

OPS.2.2.A4 Definition of Areas of Responsibility and Interfaces (B) [Specialist Responsible Persons]

Based on the service definition for cloud services, all relevant interfaces and responsibilities for cloud use MUST be identified and documented. It MUST be clearly recognizable how the areas of responsibility between the cloud service providers and the contracting institution are demarcated from each other.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.2.2.A5 Planning of Secure Migration to a Cloud Service (S) [Specialist Responsible Persons]

Before migrating to a cloud service, a migration concept SHOULD be created. For this purpose, organizational regulations and the distribution of tasks SHOULD first be defined. In addition, existing operational processes SHOULD be identified and adapted with regard to cloud use. It SHOULD be ensured that the institution’s own IT is sufficiently taken into account in the migration process. The responsible persons SHOULD also determine whether employees on the institution’s side need additional training.

OPS.2.2.A6 Planning of Secure Integration of Cloud Services (S)

Before a cloud service is used, careful planning SHOULD be done on how it is to be integrated into the IT of the institution. For this purpose, it SHOULD at least be checked whether adjustments to the interfaces, the network connection, the administration model, and the data management model are necessary. The results SHOULD be documented and regularly updated.

OPS.2.2.A7 Creation of a Security Concept for Cloud Use (S)

On the basis of the identified security requirements (see OPS.2.2.A2 Creation of a Security Policy for Cloud Use), a security concept for the use of cloud services SHOULD be created.

OPS.2.2.A8 Careful Selection of Cloud Service Providers (S) [Top Management]

Based on the service definition for the cloud service, a detailed requirements profile for cloud service providers SHOULD be created. A performance description and a specification document SHOULD be created. Supplementary information sources SHOULD also be consulted for the evaluation of cloud service providers. Likewise, available service descriptions from cloud service providers SHOULD be carefully reviewed and questioned.

OPS.2.2.A9 Contract Design with Cloud Service Providers (S) [Top Management]

The contractual arrangements between the contracting institution and the cloud service providers SHOULD be adapted in type, scope, and level of detail to the protection needs of the information associated with cloud use. It SHOULD be regulated at which location the cloud service providers provide their service. In addition, escalation levels and communication channels between the institution and the cloud service providers SHOULD be defined. It SHOULD also be agreed how the institution’s data is to be securely deleted. Likewise, cancellation regulations SHOULD be fixed in writing. The cloud service providers SHOULD disclose all subcontractors that they require for the cloud service.

OPS.2.2.A10 Secure Migration to a Cloud Service (S) [Specialist Responsible Persons]

Migration to a cloud service SHOULD take place on the basis of the created migration concept. During migration, it SHOULD be checked whether the security concept for cloud use needs to be adapted to potentially new requirements. All emergency preparedness measures SHOULD also be complete and current.

Migration to a cloud service SHOULD first be checked in a test run. Once the cloud service has gone into productive operation, it SHOULD be verified that the cloud service providers meet the institution’s defined requirements.

OPS.2.2.A11 Creation of a Contingency Concept for a Cloud Service (S)

A contingency concept SHOULD be created for the cloud services used. It SHOULD contain all necessary information on responsibilities and contact persons. In addition, detailed regulations regarding data backup SHOULD be made. Specifications for redundant management tools and interface systems SHOULD also be recorded.

OPS.2.2.A12 Maintaining Information Security in Ongoing Cloud Use Operations (S)

All documentation and guidelines created for the cloud services used SHOULD be regularly updated. It SHOULD also be periodically checked whether the contractually guaranteed services are being delivered. The cloud service providers and the institution SHOULD also coordinate regularly if possible. It SHOULD also be planned and practiced how to respond to system failures.

OPS.2.2.A13 Proof of Sufficient Information Security in Cloud Use (S)

The institution SHOULD regularly have the cloud service providers demonstrate that the agreed security requirements are being met. The proof SHOULD be based on an internationally recognized framework (e.g. IT-Grundschutz, ISO/IEC 27001, Cloud Computing Requirements Catalog (C5), Cloud Controls Matrix of the Cloud Security Alliance). The institution SHOULD check whether the scope and protection needs cover the cloud services used.

If cloud service providers use subcontractors to provide the cloud services, cloud service providers SHOULD regularly demonstrate to the institution that these subcontractors perform the necessary audits.

OPS.2.2.A14 Orderly Termination of a Cloud Use Relationship (S) [Specialist Responsible Persons, Top Management]

When the service relationship with the cloud service providers is terminated, it SHOULD be ensured that the business activities or specialist tasks of the institution are not thereby impaired. The contracts with the cloud service providers SHOULD regulate how the respective service relationship can be terminated in an orderly manner.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.2.2.A15 Ensuring the Portability of Cloud Services (H) [Specialist Responsible Persons]

The institution SHOULD define all requirements that make it possible to change cloud service providers or to bring the cloud service or the data back into the institution’s own IT infrastructure. In addition, the institution SHOULD regularly perform portability tests. Specifications SHOULD be recorded in the contracts with the cloud service providers to ensure the necessary portability.

OPS.2.2.A16 Performing Own Data Backups (H) [Specialist Responsible Persons]

The institution SHOULD check whether, in addition to the contractually agreed data backups of the cloud service providers, its own data backups should be created. In addition, it SHOULD create detailed requirements for a backup service.

OPS.2.2.A17 Use of Encryption in Cloud Use (H)

If data is encrypted by cloud service providers, the encryption mechanisms and key lengths that may be used SHOULD be contractually regulated. If the institution uses its own encryption mechanisms, appropriate key management SHOULD be ensured. When encrypting, any special features of the chosen cloud service model SHOULD be taken into account.

OPS.2.2.A18 Use of Federation Services (H) [Specialist Responsible Persons]

It SHOULD be checked whether federation services will be used in a cloud use project.

It SHOULD be ensured that in a SAML (Security Assertion Markup Language) ticket only the required information is transmitted to the cloud service providers. The authorizations SHOULD be regularly reviewed so that a SAML ticket is only issued to authorized users.
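One way to check both points of OPS.2.2.A18 on the institution's side is to audit assertions produced by its identity provider against a per-service policy. The following is an added example, not part of the building block; the policy structure, the service URL, the user names, and the sample assertion are constructed assumptions, and signature validation is out of scope here.

```python
"""Audit SAML 2.0 assertions for attribute minimisation and authorized subjects."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed policy maintained by the institution: for each cloud service
# (identified by its SAML audience), the attributes the service actually
# needs and the users currently authorized to use it.
POLICY = {
    "https://sp.cloud.example/saml": {
        "attributes": {"mail", "role"},
        "users": {"jdoe", "asmith"},
    },
}

# Constructed sample assertion that sends two attributes the service does not need.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.institution.example</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.cloud.example/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@institution.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>4711</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def audit_assertion(xml_text, policy=POLICY):
    """Return a list of findings for one assertion; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    audiences = [
        a.text.strip()
        for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    # Without an audience the assertion cannot be tied to a cloud service.
    if not audiences:
        return ["no AudienceRestriction: recipient cannot be matched to a policy"]

    subject = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    sent = {
        a.get("Name")
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name")
    }

    findings = []
    for audience in audiences:
        entry = policy.get(audience)
        if entry is None:
            # Unknown service: nothing has been approved for it yet.
            findings.append(f"{audience}: no policy entry for this cloud service")
            continue
        for name in sorted(sent - entry["attributes"]):
            findings.append(f"{audience}: attribute '{name}' is not required")
        if subject not in entry["users"]:
            findings.append(f"{audience}: subject '{subject}' is not authorized")
    return findings


if __name__ == "__main__":
    for finding in audit_assertion(SAMPLE_ASSERTION):
        print(finding)
```

Running such a check as part of the regular authorization review keeps the policy and the identity provider's attribute release configuration from drifting apart.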

OPS.2.2.A19 Security Vetting of Employees (H) [HR Department]

With external cloud service providers, it SHOULD be contractually agreed that the qualification and trustworthiness of the personnel deployed are checked in an appropriate manner. For this purpose, criteria SHOULD be jointly defined.

Additional Information

Good to Know

The BSI describes in its publication “Cloud Computing Requirements Catalog (C5)” criteria for assessing the information security of cloud services.

The Cloud Security Alliance (CSA) provides in its publication “Security Guidance for Critical Areas of Focus in Cloud Computing” recommendations for the use of cloud services.

The National Institute of Standards and Technology (NIST) provides in NIST Special Publication 800-144 “Guidelines on Security and Privacy in Public Cloud Computing” recommendations for the use of cloud services.

The European Union Agency for Network and Information Security (ENISA) has published the additional document “Cloud Computing: Benefits, Risks and Recommendations for Information Security” on the topic of cloud computing.

The Information Security Forum (ISF) sets out requirements for the use of cloud services in its standard “The Standard of Good Practice for Information Security,” in Chapter SC 2 - Cloud Computing.