After my
first post
on BES Cyber System Information (BCSI) in the cloud on Monday, Kevin Perry, formerly Chief CIP Auditor for SPP
RE, emailed me
“I believe
the following model goes a long way to protect BCSI in the cloud:
- The cloud service provider furnishes the servers and
network infrastructure necessary for the NERC entity to store and manage its
BCSI.
- The entity manages security for its own network and
servers.
- The entity owns and manages the data itself. BCSI should be protected by encrypting
it.
- The entity needs to control the encryption keys, as well
as who has the ability to decrypt the data.
- BCSI access is limited to the entity’s staff who are
authorized to access it.
- The encryption tools should automatically encrypt the BCSI
any time it’s copied or moved to the CSP. If this doesn’t happen, the
staff moving the data to the cloud must ensure the data is encrypted prior
to the move.
- The CSP’s staff has absolutely no access to or control
over the encryption keys and the encryption/decryption process.”
I agree with
Kevin that this is a good model.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.
No comments:
Post a Comment