Guidance for Selecting Cloud Based Software
Let’s say you, as a Realtor® or Broker, or as an MLS or Realtor® Association staff-person, are trying to determine whether a cloud-based document management system provides sufficient security for you to sign up for it. The following criteria would need to be documented by the software provider, and answered in a way that you believe shows sufficient care has been taken to protect sensitive data:
- Controls to ensure integrity and confidentiality of sensitive data that shares network or server resources with other companies. (FFIEC OCC p. 2)
- Encryption of non-public personal information and other data whose disclosure could harm the [organization] or its customers. (FFIEC OCC p. 2)
- “Access to customer data is restricted appropriately through effective identity and access management. A multi-tenant cloud deployment, in which multiple clients share network resources, increases the need for data protection through encryption and additional assurance that proper controls are in place to restrict tenant access solely to their respective data.” (FFIEC OCC p. 3)
- Verifying the data handling procedures, the adequacy and availability of backup data (FFIEC OCC p. 3)
- Security audits covering not just internal controls but the cloud service provider’s controls. This may include continuous monitoring of cloud service provider controls. (FFIEC OCC p. 3) The security auditor must be independent. (FFIEC IS)
- “Effective monitoring of security-related threats, incidents, and events on both [software company and cloud provider] networks; comprehensive incident response methodologies; and maintenance of appropriate forensic strategies for investigation and evidence collection.” (FFIEC OCC p. 3)
- Responsibilities are spelled out with respect to security controls for data, interfaces (APIs, GUIs), application, solution stack (programming languages / platforms), operating systems, virtual machines, etc. – especially where they are shared between the cloud service provider and software provider. (PCI CCG 3.3, 6.1.3)
- Assurance that appropriate protections have been taken by their upstream cloud service provider. (PCI CCG 3.4)
After reviewing even this small subset of the FFIEC and PCI guidelines, a real estate practitioner may determine that a consumer cloud storage service used for document management (e.g. Dropbox, SkyDrive, or Google Drive) does not provide individually keyed encryption: the provider holds the encryption keys, so its server-side encryption cannot by itself assure that proper controls are in place to restrict tenant access (let alone individual user access) solely to their respective data. This may mean that such services should not be used for that type of application, or it may mean that they need to be supplemented with additional controls, for example by using products like BoxCryptor, Viivo, or CloudFogger to encrypt documents on the client, with keys the storage provider never sees, before they are uploaded.
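As an added example (not code from this page, nor from any of the products named above), the following Go program, using only the standard library, shows the shape of the control those client-side encryption add-ons provide: each user holds their own AES-256-GCM key that never leaves the client, and the owner ID and object path are bound into the ciphertext as associated data, so the shared storage provider only ever holds opaque blobs. The user names, paths and sample document are constructed for the illustration, and the key is generated at random for simplicity; a real tool would derive it from the user's passphrase or a key store the user controls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// UserKey is a per-user data-encryption key that exists only on the client.
// Assumption for this example: it is generated at random; production code
// would derive it from a passphrase (KDF) or unwrap it from a user-held key.
type UserKey struct {
	UserID string
	Key    []byte // 32 bytes => AES-256
}

// NewUserKey generates a fresh random AES-256 key for userID.
func NewUserKey(userID string) (*UserKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &UserKey{UserID: userID, Key: k}, nil
}

// StoredObject is the only thing that reaches the shared storage provider:
// the path, a random nonce and the AES-GCM ciphertext (tag included).
// No key material is ever uploaded.
type StoredObject struct {
	Path       string
	Nonce      []byte
	Ciphertext []byte
}

// aad binds a ciphertext to its owner and its path as authenticated (not
// encrypted) data, so a blob copied into another user's folder or renamed
// on the server fails to decrypt.
func aad(userID, path string) []byte {
	sum := sha256.Sum256([]byte(userID + "\x00" + path))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the client before upload.
func Seal(uk *UserKey, path string, plaintext []byte) (*StoredObject, error) {
	gcm, err := newGCM(uk.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(uk.UserID, path))
	return &StoredObject{Path: path, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a downloaded object. It fails for any key other than the
// owner's, for a tampered ciphertext, and for a blob whose owner or path
// no longer matches what was authenticated at Seal time.
func Open(uk *UserKey, obj *StoredObject) ([]byte, error) {
	gcm, err := newGCM(uk.Key)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, aad(uk.UserID, obj.Path))
}

func main() {
	alice, _ := NewUserKey("alice@example.com") // constructed sample users
	bob, _ := NewUserKey("bob@example.com")
	doc := []byte("Purchase agreement, 123 Main St (constructed sample)")

	obj, err := Seal(alice, "listings/123-main/agreement.pdf", doc)
	if err != nil {
		panic(err)
	}
	pt, err := Open(alice, obj)
	fmt.Println("owner decrypts:", err == nil && bytes.Equal(pt, doc)) // true
	_, err = Open(bob, obj)
	fmt.Println("other tenant blocked:", err != nil) // true
	moved := *obj
	moved.Path = "listings/999-elm/agreement.pdf"
	_, err = Open(alice, &moved)
	fmt.Println("renamed blob rejected:", err != nil) // true
}
```

Note what this does and does not buy you: it gives confidentiality and integrity of document contents independent of the storage provider's own controls, which is the gap identified above. It says nothing about the other criteria in the list (backup adequacy, monitoring, incident response, forensics), which still have to be answered by the provider, and it moves the burden of key management, and of key loss, onto you.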
Guidance for Cloud Service Providers
The cloud service provider (CSP) hosting the application should guarantee many of the same things as the software provider, and also:
- Contractual guarantees that the cloud provider will implement any changes needed to meet regulatory requirements. (FFIEC OCC p. 3)
- How will the service provider ensure continued service in the event of a disaster? (FFIEC OCC p. 2)
- Service level agreements that are specific as to the ownership, location(s) and format(s) of data, and dispute resolution. (FFIEC OCC p. 3)
- The ability to remove non-public personal information from all locations where it is stored. (FFIEC OCC p. 4)
- “Contracts with the cloud-computing service providers should specify the servicers’ obligations with respect to … responsibilities for compliance with privacy laws, for responding to and reporting about security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.” (FFIEC OCC p. 4)
- Security controls for physical facilities, network, data storage (hard drives, backups, etc.), processing and memory, hypervisors, virtual network infrastructure, virtual machines, operating systems – especially where they are shared between the cloud service provider and software provider. (PCI CCG 3.3)
- “Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation. Mechanisms to ensure appropriate isolation may be required at the network, operating system, and application layers; and most importantly, there should be guaranteed isolation of data that is stored.” (PCI CCG 4.4, 6.1.3)
- Tracking and monitoring of all access to network resources and non-public personal information. Logging should allow for detailed forensics isolated to the individual tenant. (FFIEC OCC, p. 4; PCI CCG 4.2, 6.5.3)
- Evidence that security controls are in place and being updated. (PCI CCG 3.3)
Again, the preceding items are just a small subset of a much larger set of guidance that should be considered.
Actively working, and even pushing, to obtain documentation of concrete, forthright answers to these questions, on your part and on the part of your software provider, is crucial. In the event of a breach or other mishap, your decisions in selecting a SaaS provider and/or CSP will be subjected to scrutiny, and the question that will be asked is, “Did you perform due diligence when selecting and working with your provider?” As the PCI cloud computing guide says, simply asking your provider, “Is my data safe?” or relying on your provider’s marketing materials, does not represent due diligence.