Sunday, January 29, 2012

Microsoft Cloud SLA

Cloud services are not based only on technical requirements but on different non-technical requirements that enterprises require. These requirements (e.g., application performance, uptime, reliability, connectivity and availability) are expressed and negotiated by means of Service Level Agreements (SLAs). In the following posts we will look at the standard SLA’s for Microsoft; Amazon and Google’s SLA’s covering their cloud services.

My objective here is to make sure we can compare SLA’s between vendors and make sure points that need to be understood are out in the open so they can discuss with IT, Legal, Business and our vendors.

In this post we will look at Microsoft’s SLAs for its Azure cloud services (Compute, storage, sql, service bus and access control).

You or your organizations are responsible for determining whether our security meets your requirements.

You are entirely responsible for maintaining the confidentiality of your password and account.

You are entirely responsible for any and all activities that occur under your account.

You could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.

Microsoft will store the information you provide on computer systems with limited accesses, which are located in controlled facilities. 

Microsoft when transmits highly confidential information (such as a credit card number or password) over the Internet, they will protect it through the use of encryption, such as the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.

Microsoft only uses data encryption on data that they believe to be private. Microsoft recommends any data you feel to be private that you use encryption.

Information collected:
Like any corporation today Microsoft loves to know information about its customers. So in your dealings with Microsoft; in setting up accounts, etc, for cloud services be cogitative the following information is being collected.

Including the site you came from.

The search engine and the keywords you used to find Microsoft sites.

The pages you view within Microsoft sites.

Your browser add-ons.

Your browser's width and height.

The pages you view.

Links you click and other actions you take on our sites and services.

Your Internet Service Provider.

Your IP address.

Browser type and language, access times and referring Web site addresses.

They also can and will supplement information they collect with information obtained from other sources. I.e., derive your general geographic area based on your Internet Protocol (IP) address.

Data Locality:
Information you provide or upload to the Portal may be stored outside the country in which you reside.

Information that is collected by or sent to Microsoft may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or service providers maintain facilities.

Microsoft abides by the Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland.

I asked a Microsoft Senior Developer Evangelist what he knew about data locality his response was “OK – I checked around a bit, and although I am not a lawyer, the general consensus is that it’s based on the physical location of where the data center is located, not the location of the company that owns the data, or the location of company that owns the datacenter.” Given the point of having cloud services is suppose to release us from knowing where the actual data is or where is has been replicated for backup purposes I think this is a big concern if you are storing data in the cloud where privacy laws or government regulations may apply.

Basic SLA is 99.9% (“Three nines”) for Azure services. This would give your organization 8.76 hours of downtime per year, 43.2 minutes per month and 10.1 minutes per day. 
Failure to comply with the SLA uptime percentages would result in a 10% or 25% discount on the monthly billing for the service, depending on the degree of the failure.


Question for cloud vendors. Part Two

Infrastructure as a Service (IaaS) & Platform as a Service (PaaS)
·      Will the cloud vendor clearly communicate network topology and security practices?

Software as a Service (SaaS)
       Is cloud vendor willing to provide documented secure coding practices and security (penetration) testing results from 3rd parties?
       Does cloud vendor communicated information about OS-level patches and updates and how does Cloud vendor provide information of schedules of patches so not to affect customers businesses?
       What is the cloud vendor’s terms with respect to ownership of the data?
       How does the cloud vendor delete the data when the customer is no longer a customer?

       What about e-discovery?
       Can we be locked out due to legal action taken against another one of your customers?

Questions for cloud vendors. Part One

Before we move applications/data into the cloud we need to consider vendor’s SLA and their security and our audit needs. Let’s get a basic list of questions together as we review vendors SLAs to help frame what information we need to consider. Some of these questions are basic but getting the answers will not easy.

Access Control:

       What security controls are in place to protect our data?
       How many instances of live data are maintained and where is our data physically located?
       How many copies of backup data are maintained and where is our data physically located?
       Who has access to the data?
       What is the nationality of people who have access to our data?
       Can we specify who shares physical (or logical) resources with us?

    Is our cloud provider SLA in conflict with any of our customer SLAs (right to audit, 

    What ability do we have to conduct audits or assessments?
    Will a 3rd party be allowed to audit the system and can we have the results of that 
    Can you provide assurance of data destruction?
    What ability do we have to conduct pentests?
    Is operational-level information available for review both by enterprise security personnel and by internal/external auditors?

    What is the defense-in-depth architecture of the system?
    How will we be notified if a security breach occurs?

    Who is managing our data?
    Where is our data replicated?
    What dependencies do our cloud providers have?
    What about a denial of service that comes from a peak load of one of your other customers?
    What is the financial viability of the provider and what happens if the provider 
    What is the cloud vendor’s backup and disaster-recovery procedures/plans in the event of an earthquake, tsunami or other natural disaster?
    What tools will the customer’s IT team use for administration control of cloud services?

What is the Cloud?

Cloud computing is a product service you use. Hun? Best way to understand what the cloud is to think of it like a utility. We all use utility services like electricity, natural gas, and cable television. Very few of us understand the entire infrastructure of the service. All we know is we turn on a switch we have light, turn up our thermostats we have heat or turn on our televisions and we can see our favorite TV show. 

Cloud computing is the same thing. Any device connected to the Internet can access applications, files, or data. It can access these files by using Cloud computing vendor infrastructure.  The potential for Cloud computing is for IT professionals to stop putting resources (Time and Money) into the infrastructure to support their applications and move those resources into delivering better services for their companies and customers. This can become especially appealing when dealing with large surges in demand or cyclic demand for seasonal products and services.

The National Institute of Standards and Technology (NIST) has identified three service models of clouding computing[1].

1.     Software as a Service (SaaS): If you have used Hotmail, gmail or yahoo mail then you have used Software as a Service. In most cases you have little control over the Service. If you have contracted a vendor to provide SaaS then your Service Level Agreement (SLA) will be your major document what control you have. Make sure if you are entering into an agreement your legal department reviews your SLA.
2.     Infrastructure as a Service (IaaS): Allows you to deploy our application to a cloud-based host. But does not provide control over operating systems, network servers or storage. In most cases your application is going to be deployed as a virtual instance on your cloud providers infrastructure.
3.     Platform as a Service (PaaS): Provides IT with the most control even limited control over network access, firewalls, etc. You have control over operating system, network servers and storage. You still may be deployed in a virtual instance and you have no control of the underlying hardware infrastructure.

Ok, that that we are on the same page as to what is the cloud, I will be blogging on security and privacy issues concerning Cloud services. So stay tuned-in and please RSS this blog and tell your friends.

Friday, January 27, 2012

What is Security?

I blogged asking you what your definition of security is without giving you my own definition. Well here is my definition…

Security is the means to establish, maintain and sustain a trust relationship of data between the business, employees, customers and business partners and a safe physical environment for employees and customers. Security must by verifiable, accountable, and sustainable without placing an undue cost or processes on any one group. It must be a continuous process, every changing while keeping it core values intact. It must be a self healing process where flaws are made known to each group as needed and those flaws are quickly and transparently resolved. Security must continually be taught, and publicized without becoming a meaningless sound bite.

Enjoy J

What is your definition of security?

Without paraphrasing a tired definition defining security specifically Information Security is not easy. Many definitions of security are out there but if your boss walked up to you what would your definition be? Or would you just copy a definition of security from a security book or the Internet and give it to our boss? Your definition would have to be something you could live and work with.
Part of my frustration to define security comes from the fact we don’t actually control very much in regards to our own security either personally or for our companies. Operating Systems for all major computer platforms we don’t own we lease them, there is no way to test their actual security except to test their outward behavior. We can’t look at the actual code and test it. Instead we rely on media and security professionals to tell us what is and what is not secure. When we move away from our own computers/environment and begin to consider the many digital partners and connections in our life we realize that we have little control of our own security. Does our definition of security take that into consideration of what don’t control? Given all of these different facets what is our definition of security that we want everyone to use to safe guard our families, employers, our government, and ourselves.

1.     The state of being free from danger or threat.
2.     The safety of a state or organization against criminal activity such as terrorism, theft, or espionage: "national security".

Andrew Toy[1]:  Past VP, mobile applications at a major Wall Street investment.
“Security is not a goal but a means to deliver value and manage risk in sustainable ways”.

U.S. Code Title 44 Chapter 35 SubChapter 3 § 3542[2].
The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.

Bruce Schneier: The Psychology of Security[3].
Security is both a feeling and a reality. And they're not the same.
The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures.

All of the above definitions are correct and within their own context you can’t argue with the definitions.

I agree with Andrew Toy in that security needs to deliver value and manage risk in sustainable ways. Though I don’t want my bank to come up with the idea that “good enough is good enough” in relationship to their bottom line and my financial security. I want enough measures in place to safe guard my money and identity.

I agree with Mr.Schneier that security is based on probability. We all know that bad things happen to good individuals and companies. I just don’t want it to happen to me, my family, or my job.

Of course we all have to agree with our laws and §3542 is very clear-cut. I agree with it but I just can’t relate its definition to my life or a definition of security that really means something to me that I can carry around.

We have little influence in how our security is handled by financial firms. The idea that we can “vote with our feet” is nonsense. The other bank uses the same computers, operating systems and maybe even the same banking software. In fact any firm we deal with only gives us statements like the following “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings[4]”.

So in the end we come back to Mr.Schneier definition of security. It is a crapshoot and we hope it’s the other guy who loses. Not really very ensuring but it is honest.

Does Security Matter?

Of course it matters if you are a government agency involved in delicate matters of state. It matters if you are a network terrorist group such as al Qaeda. On an individual level we want security in our lives. We know that violent crime exists and we can become victims of it. We are willing to pay for door locks, location of where we live, and security systems to help ensure our lives are as secure without giving up our individual freedoms.

During 2003 to 2005 hacker had access to TJX computer systems. This hack the biggest computer break-in in commerce history. The computer break-in did not depend on online transactions and it was not only one computer system at TJX that was vulnerable but several. From storing credit card information to customer driver’s license information stored when a merchandise transaction was done. Customers standing in front of the cashier not online transactions created all of this information.

To be fair to TJX it was the victim of a horrendous crime.  Subsequent analysis of what TJX was doing it was found that TJX was not in complaint with all PCI rules but TJX was working towards meeting all of the PCI rules at the time it was hacked.

Ok let’s get back to our original question; “Does Security Matter?”

Under TJX settlement agreement, TJX has agreed to fund up to $40.9 million for customers affected by the data breach. TJX has reported in SEC fillings that it has had to absorb $118 million charge related to its massive security breach.

Looking at other financial indicators for TJX;

·       15 consecutive years of annual comp sales increase.
·       Comps outperformed retail index 8 of last 10 years.
·       Increase in Profit Margins (FY06-FY11) except FY09.
·       15 consecutive years of dividend growth.

Sony’s recent data breach involving its online videogame services has cost it more than 1.25 billion from lost of business. Sony may never recover all of it’s lost online business.

In both cases the businesses and customers were impacted by security. So yes security does matter.

Today the leading reason for companies to move to secure coding is compliance to governmental and industry regulations not for other aoristic reasons. If you have to tell your CIO or CEO a data breach occurred where private details of 45 million customers was violated then I think you answer is yes security matters. If you are the corporate security officer then security matters but you have to relate to the CIO and CEO that security is not foolproof. If you are the CEO, CFO and CIO is security important or getting out the next product release or new functionality to further your goals important or can you afford both?

I cannot talk for TJ MAX or Sony nor do I talk for any other organization but security does matter for me. In this is blog we are going to talk about security and current issues. We are going to focus on Privacy, Cloud security, NIST 800 series publications and other topics. Please join me while we investigate these topics.