
Cloud Security Guidelines for eCommerce based Businesses


In today’s world, the critical information used by ecommerce passes across dozens of systems, many of which are controlled by third parties. For example, the most sensitive ecommerce data, including credit card numbers and other personally identifiable information (PII), frequently passes through content delivery networks before being sent to third-party fraud detection systems and finally to third-party payment gateways. That data travels securely across thousands of miles over multiple networks to data centers owned and managed by third parties.

It is highly unlikely that you even own the data center or the hardware you serve your platform from, as most businesses use a managed hosting service or a colocation center. Your data is already out of your physical possession but firmly under your control, and control is far more important than possession. Adopting Infrastructure as a Service or Platform as a Service for the core ecommerce platform is an incremental evolution of the current approach. Next to legacy backend systems, the ecommerce platform is usually the last to be deployed out in the cloud, and now we are witnessing those legacy systems being replaced with cloud-based systems.

There is a disturbing perception that cloud providers are somehow insecure, when in fact they are more secure than traditional hosting arrangements. Clouds are multitenant by nature, forcing security to be a forethought rather than an afterthought. A cloud provider can go out of business overnight because of a security issue, so providers go out of their way to demonstrate compliance with rigorous certifications and accreditations such as the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, the Federal Risk and Authorization Management Program (FedRAMP) and a host of others.

Cloud Providers have the advantage of being able to specialize in making their offering secure. They employ the best professionals in the world and have the luxury of building security into their offering from the beginning, in a uniform manner. Cloud Providers have also invested heavily in building out tools that you can use to make your deployment in the cloud very secure. For example, most vendors offer an identity and access management suite that’s fully integrated with their offering as a free value add. The ability to limit access to resources in a cloud in a fine-grained manner is a defining feature of cloud offerings.

The use of a cloud offering doesn’t absolve you of responsibility. If your cloud provider suffers an incident and it impacts your customers, you’re fully responsible. But cloud vendors spend enormous resources staying secure, and a breach is many times more likely to occur as a result of your code, your people, or your lack of process.

GENERAL SECURITY PRINCIPLES

Security issues are far more likely to be caused by, or to be a consequence of, a lack of process. Security encompasses hundreds or even thousands of individual technical and non-technical items. Think of security as an ongoing system rather than something you do once.

According to a survey from Intel, respondents said that 30% of threats come from within an organization and 70% come from outside (Center, 2012). Rackspace quantified the threats coming from outside in another study as follows (Rackspace, 2013):

  1. 31% of all incidents involved SQL injection exploit attempts
  2. 21% involved SSH brute-force attacks
  3. 18% involved MySQL login brute-force attempts
  4. 9% involved XML-RPC exploit attempts
  5. 5% involved vulnerability scans

These issues are equally applicable to traditional environments and clouds; there isn’t a single vulnerability in this list that is more applicable to a cloud. The tools to counter internal and external threats are well known and apply (though sometimes differently) to the cloud. What matters is that you have a comprehensive system in place for identifying and mitigating risks. Such systems are called information security management systems (ISMS). We quickly cover a few so you can understand what the most popular frameworks call for.
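The five categories in the Rackspace list above are all visible in ordinary server logs. As an added example (not code from the article or from Goetsch’s book), the following Python script runs one simple detection rule per category over constructed sample log lines, tallies matches the way the percentages above were derived, and flags source addresses with repeated login failures; the sshd, mysqld and access-log formats, the rule patterns and the failure threshold are all assumptions you would tune to your own environment.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed sshd, mysqld and access-log formats);
# none of them come from the article or its sources.
SAMPLE_LOGS = [
    "sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "sshd[812]: Failed password for root from 198.51.100.7 port 51030 ssh2",
    "mysqld: Access denied for user 'root'@'198.51.100.9' (using password: YES)",
    '203.0.113.5 - - "GET /products?id=1%27%20OR%201=1-- HTTP/1.1" 200',
    '203.0.113.5 - - "POST /xmlrpc.php HTTP/1.1" 200',
    '203.0.113.8 - - "GET / HTTP/1.1" 200',      # benign baseline traffic
    '203.0.113.8 - - "GET /.env HTTP/1.1" 404',  # scanner probing for secrets
]

# One rule per category in the Rackspace list; the first matching rule wins.
RULES = [
    ("ssh_bruteforce", re.compile(r"sshd\[\d+\]: Failed password for")),
    ("mysql_bruteforce", re.compile(r"mysqld: Access denied for user")),
    ("xmlrpc", re.compile(r'"(?:GET|POST) /xmlrpc\.php')),
    # a (URL-encoded) quote followed by a tautology, or a UNION SELECT
    ("sqli", re.compile(r"(?:%27|')(?:%20|\s)*or(?:%20|\s)+1=1|union(?:%20|\s)+select", re.I)),
    ("vuln_scan", re.compile(r'"GET /(?:\.env|\.git/|wp-login\.php|phpmyadmin)')),
]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify(line):
    """Return the threat category for a log line, or None if it looks benign."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return None

def tally(lines):
    """Count matched lines per category, like the percentages in the article."""
    return Counter(cat for cat in map(classify, lines) if cat)

def repeat_offenders(lines, threshold=2):
    """Source IPs with at least `threshold` SSH/MySQL login failures (assumed threshold)."""
    failures = Counter()
    for line in lines:
        if classify(line) in ("ssh_bruteforce", "mysql_bruteforce"):
            match = IP_RE.search(line)
            if match:
                failures[match.group(1)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print(dict(tally(SAMPLE_LOGS)), repeat_offenders(SAMPLE_LOGS))
```

In practice the same rules would be fed by a log shipper rather than an inline list, and the tally is what you would chart over time to see whether your own distribution resembles the one Rackspace reported.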

Adopting an Information Security Management System

An Information Security Management System (ISMS) is a framework that brings structure to security and can be used to demonstrate a baseline level of security. An ISMS can be built, adapted, or adopted. Adherence to at least one well-defined framework is a firm requirement for any ecommerce deployment, whether or not it’s in the cloud. Full adoption of at least one of these frameworks will change the way you architect, implement, and maintain your platform for the better.

All frameworks call for controls, which are discrete actions that can be taken to prevent a breach from occurring, stop a breach that’s in progress, and take corrective action after a breach. Controls can be physical (security guards, locks), procedural (planning, training) or technical (implementing a firewall, configuring a web server’s settings).

ISO 27001 outlines a model framework, which most cloud providers are already compliant with. Its central tenets are as follows:

PLAN

Establish controls, classify data, determine which controls apply, and assign responsibilities to individuals

DO

Implement Controls

CHECK

Assess whether controls are correctly applied, and report results to stakeholders

ACT

Perform preventive and corrective actions as appropriate

Other well-known frameworks include PCI DSS and FedRAMP, which both call for roughly the same plan/do/check/act cycle but with varying controls. Rely on these frameworks as a solid baseline, but layer on your own controls as required. For example, PCI DSS doesn’t technically require that you encrypt data in motion between systems within your own network, but doing so is just common sense.

The check part of the plan/do/check/act cycle should always be performed both internally and externally by a qualified assessor. An external vendor is likely to find more issues than you could on your own, which is why all the major frameworks require third-party audits: they offer real value over self-assessment.

For cloud providers, compliance with each of the frameworks is pursued for different reasons. Compliance helps to ensure security and, most importantly, helps to demonstrate security to all constituents. Compliance with some frameworks, such as FedRAMP, is required in order to do business with the US government. If there ever is a security breach or issue, cloud providers can use compliance with frameworks to reduce their legal culpability; retailers who suffer breaches routinely hide behind compliance with PCI DSS. These frameworks are much like seat belts: being compliant doesn’t guarantee security any more than wearing a seat belt guarantees you’ll survive a car crash, but there’s a strong causal relationship between wearing a seatbelt and surviving one.

Your reasons for adopting a security framework are largely the same as the reasons for cloud providers, except you have the added pressure of maintaining compliance with PCI DSS.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a collaboration between Visa, MasterCard, Discover, American Express and JCB for the purpose of holding merchants to a single standard. A merchant, for the purpose of PCI, is any organization that handles credit card information or personally identifiable information related to credit cards. Prior to the introduction of PCI DSS in 2004, each credit card issuer had its own standard that every vendor had to comply with; by coming together as a single group, the credit card brands were able to put together one comprehensive standard that merchants could adhere to.

PCI DSS is not a law, but failure to comply with it brings consequences such as fines from credit card issuers and issuing banks and increased legal culpability in the event of a breach.

The PCI DSS standard calls for adherence to 6 control objectives and 12 requirements, as Table 9-1 shows.

Table 9-1. PCI DSS Control Objectives and Requirements

| Control objective | Requirement |
|---|---|
| Build and maintain a secure network and systems | Install and maintain a firewall configuration to protect cardholder data |
| | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | Protect stored cardholder data |
| | Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | Protect all systems against malware and regularly update antivirus software or programs |
| Implement strong access control measures | Restrict access to cardholder data by business need to know |
| | Identify and authenticate access to system components |
| | Restrict physical access to cardholder data |
| Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data |
| | Regularly test security systems and processes |
| Maintain an information security policy | Maintain a policy that addresses information security for all personnel |

ISO 27001

ISO 27001 describes a model Information Security Management System, first published in 2005 by the International Organization for Standardization (ISO). Whereas PCI DSS is a pragmatic guide focused on safeguarding credit card data, with ISO 27001 you’re free to choose where it applies and what controls you want in place.

Compliance with ISO 27001 is sometimes required for commercial purposes: those you do business with may require your compliance with the standard to help ensure that their data is safe. While compliance does not imply security, it’s a tangible way to show that you’ve taken steps to mitigate risk. Compliance with ISO 27001 is very similar to the famed ISO 9000 series for quality control, but applied to the topic of information security. As with ISO 9000, formal auditing is optional: you can adhere to the standard internally, but to publicly claim that you’re compliant you need to be audited by an ISO-approved third party.

In addition to the plan/do/check/act cycle we discussed earlier, ISO 27001 allows you to select and build controls that are uniquely applicable to your organization. It references a series of controls found in ISO 27002 as representative of those that should be selected as a baseline:

- Information security policies: directives from management that define what security means for your organization and their support for achieving those goals.
- Organization of information security: how you organize and incentivize your workforce and vendors, who’s responsible for what, and mobile device and teleworking policies.
- Human resource security: hiring people who value security, getting people to adhere to your policies, and what happens after someone leaves your organization.
- Asset management: inventory of physical assets, the responsibilities individuals have for safeguarding those assets, and disposal of physical assets.
- Access control: how employees and vendors get access to both physical and virtual assets.
- Cryptography: use of cryptography, including methods and applicability, as well as key management.
- Physical and environmental security: physical security of assets, including protection against man-made and natural disasters.
- Operations management: operational procedures and responsibilities, including those related to backup, antivirus, logging/monitoring, and patching.
- Communication security: logical and physical network controls to restrict the flow of data within networks, and non-technical controls such as nondisclosure agreements.
- System acquisition, development, and maintenance: security of packaged software, policies to improve the software development lifecycle, and policies around test data.
- Supplier relationships: policies to improve information security within your IT supply chain.
- Information security incident management: how you collect data on and respond to security issues.
- Information security aspects of business continuity management: redundancy for technical and non-technical systems.
- Compliance: continuous self-auditing and meeting all legal requirements.

In summary, ecommerce-based businesses should take a proactive approach to cloud security and understand that the security of their data, applications and systems is their own responsibility. A trusted advisor is paramount: one whose responsibility is to give industry-standard recommendations and best practices that strengthen the overall cybersecurity posture of the business.

ShieldForce has invested in building the capacity to help businesses overcome cybersecurity challenges by combining multiple groundbreaking technologies to increase your overall security posture. We strongly recommend multi-factor authentication for all user accounts. Contact ShieldForce today for your FREE 30-day business trial below, and one of our super excited customer success consultants will respond at the speed of light.

We seek to acknowledge the wonderful work of Kelly Goetsch (O'Reilly Media), whose book eCommerce in the Cloud: Bringing Elasticity to eCommerce was the foundation upon which this article is based. Thank you, sir.