Risk Assessment and Risk Management
Until recently most manufacturing operations have been segmented with no connectivity to the internet unless there was a specific business need for highly restricted remote support, site-to-site communications through a VPN tunnel, or other less common purposes. With today’s desire to send information to cloud-based services, one must consider the risk versus reward proposition of sending manufacturing data to trusted cloud applications. According to organizations such as Rockwell Automation, Cisco Systems, and the Open Web Application Security Project (OWASP), the following risks should be considered:
- Data Ownership and Protection
The traditional approach to business software applications is to run the software applications in-house on an infrastructure built and maintained by the organization using the applications. Therefore, all data resides within the organization and the organization has complete control over the data and how it is protected. An organization using cloud services must understand to what extent the cloud provider’s personnel have access to the organization’s data. When an organization uses these cloud-enabled services, the organization is outsourcing business processes to the cloud provider and the cloud provider therefore requires access to the organization’s data to perform these services. The manufacturer must ensure the cloud provider is trusted and provides the necessary network and security services to protect connectivity and data as required by the manufacturer’s business and security policies. The manufacturer should also ensure that the Internet Service Provider (ISP) is trusted and provides network and security services to protect connectivity and data as required by the manufacturer’s business and security policies.
- User Identity Management and Federation
Organizations must understand how cloud providers identify users and manage user accounts for accessing data in the cloud. Organizations must understand the risks associated with logon accounts and how the cloud provider mitigates these risks. These risks include password guessing, password theft, password reset, hijacking of user login sessions, and revocation of access. As an alternative to creating a separate island of user names and passwords, some cloud providers may offer integration with an organization’s in-house authentication systems. Through integration, existing in-house logon accounts managed by the organization can be used to access data in the cloud.
- Regulatory Compliance
Organizations using cloud providers face different challenges with respect to regulatory compliance for data stored in the cloud. Organizations must consider whether data entrusted to a cloud provider carries legal/regulatory protection and breach notification requirements, such as protected health information (PHI) governed by HIPAA and HITECH, personally identifiable information (PII) governed by state privacy laws, and payment card information regulated by the Payment Card Industry (PCI) Data Security Standard (DSS).
- Business Continuity and Resiliency
Business continuity and resiliency refer to the ability of an organization to conduct business operations in adverse situations. Adverse situations include disruptions not only to the information technology infrastructure, but also any disruptions affecting the ability of the cloud service provider to deliver its services at defined service levels, including, for example, the loss of key personnel or the loss of access to business offices.
When an organization uses a cloud provider, the organization cedes control of business continuity planning for the data and services entrusted to the cloud provider. As a result, the organization must consider carefully the ability of the cloud provider to provide continuity of services when adverse situations affect the cloud provider.
- User Privacy and Secondary Uses of Data
Organizations considering the use of cloud services must understand how a cloud provider protects and uses information about both types of users of its services (the organization’s employees and the organization’s customers). Organizations should consider to what extent a cloud provider can disclose information about its employees, its customers, or its business. This includes both specific information and aggregate statistics. It also includes information collected from an individual’s use of the cloud provider’s information systems, such as characteristics of user behavior (links clicked, options selected, etc.) and productivity measurements.
- Service and Data Integration
Organizations must understand how their users will access the data and services of a cloud provider. Typically this access will be over the internet or a virtual private network (VPN) using a web browser or a software application downloaded from the cloud provider. If the organization will be interfacing any of its systems with the cloud provider’s systems, for example to implement “back-end” or batch processing of Health Level 7 (HL7) or Electronic Data Interchange (EDI) transactions, the organization must understand the technical aspects of how the interface will work. In both cases (user access and system interfaces), organizations must understand the risks associated with electronic communication across the internet or wide area networks (WANs), including interception of data in transit, falsification or corruption of data, and verification of client and server endpoints.
- Multi-tenancy
In a cloud computing environment, multi-tenancy refers to the sharing of information technology infrastructure among multiple clients (different customers of a single cloud service provider). This infrastructure includes telecommunications circuits, network equipment, servers, storage, and application software. Multi-tenancy allows cloud providers to achieve economies of scale that would be impossible for an individual organization to attain, allowing organizations to obtain higher levels of service at lower costs.
Risks with multi-tenancy include one client accessing the data of another client, unintentional mixing of one client’s data with another client’s data, one client affecting the quality of service provided to another client, and cloud provider application software upgrades affecting client business operations. While cloud providers can be expected to have adequately mitigated these risks given that multi-tenancy is core to the cloud business model, an organization should understand how the cloud provider achieves isolation between clients. Isolation approaches include the use of virtualization technologies such as virtual machines, application-level isolation through processes, threads, or application-managed contexts, and database-level isolation through the use of separate database instances, tablespaces, or record identifiers.
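The record-identifier form of database-level isolation, as an added example that is not part of the original guide and not any provider's code: two constructed tenants share one SQLite table, and a tenant-bound repository stamps every query with the caller's tenant id so that a record id belonging to another tenant is indistinguishable from a missing record. The unscoped lookup at the end shows the weak pattern the isolation guards against.

```python
import sqlite3

# Constructed schema: one shared table, every row tagged with its owning tenant.
SCHEMA = """
CREATE TABLE batch_records (
    record_id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    payload   TEXT NOT NULL
);
CREATE INDEX idx_tenant ON batch_records(tenant_id);
"""

# Constructed sample rows for two hypothetical cloud subscribers.
SAMPLE_ROWS = [
    (1, "acme-mfg", "OEE report line 3 uptime=97.2"),
    (2, "acme-mfg", "OEE report line 3 uptime=96.8"),
    (3, "globex-inc", "OEE report line 7 uptime=91.0"),
]


def open_shared_db():
    """Build the in-memory multi-tenant database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO batch_records VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantRepository:
    """All data access for one tenant; the tenant id is bound once, never per call."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant = tenant_id

    def get_record(self, record_id):
        # Predicate on BOTH keys: another tenant's record id yields None,
        # exactly as a nonexistent id would, so nothing leaks across tenants.
        return self._conn.execute(
            "SELECT record_id, payload FROM batch_records "
            "WHERE record_id = ? AND tenant_id = ?",
            (record_id, self._tenant)).fetchone()

    def list_records(self):
        rows = self._conn.execute(
            "SELECT record_id FROM batch_records WHERE tenant_id = ? ORDER BY record_id",
            (self._tenant,))
        return [r[0] for r in rows]

    def add_record(self, record_id, payload):
        # The tenant id comes from the repository, never from caller-supplied data,
        # so a write cannot be mixed into another tenant's partition.
        self._conn.execute("INSERT INTO batch_records VALUES (?, ?, ?)",
                           (record_id, self._tenant, payload))
        self._conn.commit()


def unscoped_lookup(conn, record_id):
    """Weak pattern: record id alone selects the row, ignoring tenant boundaries."""
    return conn.execute(
        "SELECT record_id, tenant_id, payload FROM batch_records WHERE record_id = ?",
        (record_id,)).fetchone()
```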
- Incident Response and Forensic Analysis
Incident response and forensic analysis refer to activities conducted by an organization when there is a security incident requiring immediate response and subsequent investigation. These incidents include malicious acts or mistakes by the organization’s employees or former employees resulting in data breaches. When an organization uses a cloud provider, it does not have access to the underlying log files and other low-level system information typically used for forensic examination.
- Infrastructure and Application Security
When an organization uses a cloud service provider, it trusts the cloud service provider to properly secure its applications and infrastructure. Securing applications and infrastructure is a highly complex activity requiring an extensive array of personnel with advanced technical skill sets and threat knowledge.
- Non-production Environment Exposure
A cloud provider typically operates multiple environments where cloud data and services exist. These environments include what is normally referred to as a production environment, which is where cloud subscribers have the primary copy of their data and where they conduct their business operations.
Cloud providers also typically operate other environments for purposes such as software development, testing, training, and demonstrations to potential customers. These other environments may be populated with copies of data from the production environment. In other words, an organization’s data may be copied into several places to support the necessary business operations of the cloud provider. The data contained in these copies may or may not be de-identified, a process whereby individual patient information is rendered untraceable to a specific patient and individual business information is made untraceable to an organization.