As the NERC community starts to move toward making full use
of the cloud “legal” for all systems owned or operated by NERC entities, it is
inevitable we will all learn of security issues that only come up with respect
to cloud-based systems, and which are most likely not addressed by FedRAMP, ISO
27001/2 and other certifications.
One issue that I have learned about in the last two months,
which only comes up with respect to SaaS (software as a service), is called “multi-tenancy”.
It comes about when what was previously a software product sold to individual
organizations, for installation in their individual environments, is moved to
the cloud and offered to many organizations. The problem comes up because:
1. Many applications have their own database to store user data. Of course,
the database will have originally been designed to accommodate multiple users
from a single organization. There should always be controls to prevent one
user from seeing another user’s data, but they are never completely
foolproof. However, since every user is presumably from the same organization,
this normally does not create a big problem.
2. When the application is moved to the cloud and becomes SaaS, often the
vendor will assume that the controls that are already in place to prevent one
user from seeing another user’s data are adequate to prevent a user from
Organization A from seeing data of a user from Organization B, where A and B
are both customers of the SaaS product.
3. Often, this will be a good assumption, especially if there were no problems
reported with the existing controls when the product was sold for standalone
use.
4. However, critical infrastructure (CI) is different. CI users are often
sensitive to even a small possibility that someone from outside their
organization – and especially someone from an organization or country that
might be contemplating an attack on their CI in the future – will be able to
see their data. When these users, or at least the organizations that employ
them, learn that the data of the users of a SaaS product, no matter where they
reside or work or who they work for, will all be stored in a single database,
they may be concerned about this. And their regulators may be very concerned.
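To make points 1 and 2 concrete, here is an added illustration (my own
example, not code from the post or from any vendor it describes) of why a
control that was adequate for users of one organization is not automatically
adequate once several organizations share the same database. The schema, the
two organizations, the users and the records are all constructed for the
example; the "shared with my organization" flag stands in for whatever
intra-organization sharing the original standalone product supported. The
legacy read path checks only ownership and that flag; the tenant-scoped read
path additionally binds every query to the tenant recorded in the
authenticated session. The last function is the kind of isolation check a
provider or auditor can run over a read path to confirm no row ever crosses a
tenant boundary.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample schema: one table shared by every customer organization
# ("tenant"). tenant_id is the column a SaaS conversion must start enforcing;
# owner_user and shared_with_org model the per-user controls the standalone
# product already had.
SCHEMA = """
CREATE TABLE records (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    owner_user TEXT NOT NULL,
    shared_with_org INTEGER NOT NULL DEFAULT 0,
    body TEXT NOT NULL
);
"""

# Constructed sample rows: two organizations, three users, three records.
SAMPLE_ROWS = [
    (1, "org-a", "alice", 1, "org-a record shared with all org-a users"),
    (2, "org-a", "bob", 0, "org-a record private to bob"),
    (3, "org-b", "carol", 1, "org-b record shared with all org-b users"),
]


@dataclass(frozen=True)
class Session:
    """Authenticated caller. tenant_id is set at login from the identity
    provider, never taken from request parameters."""
    tenant_id: str
    user: str


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_record_legacy(conn, session, record_id):
    """Standalone-era control: a user may read a record they own or one
    flagged as shared with 'the organization'. With a single organization
    that was sufficient; it never consults tenant_id."""
    return conn.execute(
        "SELECT id, tenant_id, body FROM records "
        "WHERE id = ? AND (owner_user = ? OR shared_with_org = 1)",
        (record_id, session.user),
    ).fetchone()


def fetch_record_tenant_scoped(conn, session, record_id):
    """Multi-tenant control: the same query, additionally bound to the
    caller's tenant, so a record from another organization is not visible
    regardless of its sharing flag."""
    return conn.execute(
        "SELECT id, tenant_id, body FROM records "
        "WHERE id = ? AND tenant_id = ? AND (owner_user = ? OR shared_with_org = 1)",
        (record_id, session.tenant_id, session.user),
    ).fetchone()


def isolation_violations(conn, fetch_fn):
    """Isolation check over a read path: for every known user and every
    record, does fetch_fn ever return a row from a different tenant?
    Returns (user, record_id, foreign_tenant) tuples; empty means isolated."""
    sessions = [
        Session(tenant_id=t, user=u)
        for t, u in conn.execute("SELECT DISTINCT tenant_id, owner_user FROM records")
    ]
    record_ids = [r for (r,) in conn.execute("SELECT id FROM records")]
    violations = []
    for s in sessions:
        for rid in record_ids:
            row = fetch_fn(conn, s, rid)
            if row is not None and row[1] != s.tenant_id:
                violations.append((s.user, rid, row[1]))
    return violations


if __name__ == "__main__":
    db = open_sample_db()
    print("legacy read path leaks:", isolation_violations(db, fetch_record_legacy))
    print("tenant-scoped read path leaks:", isolation_violations(db, fetch_record_tenant_scoped))
```

Run as written, the legacy read path reports three cross-tenant reads (every
record flagged as shared is visible to users of the other organization), while
the tenant-scoped path reports none. The design point is that the tenant
filter is applied by the read path itself from session state, so no caller
can omit it; many databases can enforce the same rule server-side (for
example with row-level security policies keyed on a session variable), which
removes the dependence on every application query being written correctly.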
Two months ago, I learned of a previously standalone software
product that was moved into the cloud as SaaS, without making any changes to
the database. Users from all over the world and all industries are using the
common database.
A staff member of the vendor assured me that none of their
users had even mentioned this issue, let alone objected to it. However, it is
safe to say that no NERC entities with high and/or medium impact BES Cyber
Systems are using the SaaS product now (the standalone product is still being
offered, although that will end in the future). I stated my opinion that such
NERC entities may well have objections when they hear they will have to share this
database.
I want to make it clear that “multi-tenant” databases (where
“tenant” refers to separate organizations, not to individuals within an
organization) are not in any way “forbidden” by NERC CIP. Of course,
since the existing CIP standards were all drafted without any consideration of
the cloud, this isn’t surprising. And even though a new standards drafting
process has been scheduled to start in July,
it isn’t at all certain that the new standards will in any way restrict or
prohibit multi-tenancy in SaaS applications used by NERC entities.
This is because it isn’t clear whether and how multi-tenancy
poses a risk to organizations that use SaaS, and if it does, what exactly that
risk is. This is especially true when you consider that eliminating multi-tenancy
altogether (i.e., each organization using the SaaS product having its own database
instance) would be very expensive for the SaaS provider – and they would need
to pass this cost on to their customers. Any “solution” to this problem would
have to be weighed against its cost by considering risk: i.e., will the dollar
value of risk avoided by the solution be greater than the dollar value of the
costs of providing that solution?
Because this isn’t an open-and-shut cybersecurity question (like
the question whether a critical infrastructure system should require strong
passwords or multi-factor authentication), my guess is there won’t be a
specific requirement – in whatever comes out of the new “Cloud CIP” standards
drafting process – forbidding multi-tenancy. At most, there may be a requirement
for the NERC entity to consider this and other risks when choosing a new SaaS
provider, and document how they (and/or the provider) are addressing those
risks.
In fact, maybe this will just be an item for auditors to
look at in a performance audit, and document an Area of Concern (with recommended
mitigation steps and a fixed timeline) when needed. Not everything has to be a
requirement with $1MM/day penalties!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum. If
you would like to join or contribute to our group, please go here, or email me with any questions.