The real estate industry, like many others, has not been slow to appreciate the benefits of cloud computing. Cloud computing makes a pool of computing resources, including hardware, software, networks, and storage, available on demand without the need of making major capital investments. The cloud makes it easy to achieve business goals such as high availability, redundancy, flexibility, and agility. At the same time, attaining these objectives is not painless or thought-free, especially when it comes time to consider information security. Care must be taken when trusting an outside contractor with your sensitive data, no matter if that contractor is a household name. While the real estate industry has various software providers that have committed to information security best practices, there are still many individuals promoting the use of, or integration with, “consumer-grade” cloud computing software; such software must be approached with special caution in terms of information security.
Other industries that, like our industry, handle personal and financial data, have issued specific information security rules and guidance for the use of cloud computing. These rules and guidance are used to examine companies for certification, either as cloud computing “software as a service” (SaaS) consumers or as the cloud computing infrastructure providers on which the software is hosted. While the real estate industry has thus far escaped similar scrutiny, adhering to the higher standards these rules and guidance provide will not just mean a better state of computer security or a lesser degree of liability in the event of a breach, but also a move toward compliance with potential future regulation and certification requirements in our own industry.
Real Estate Professionals Manage Sensitive Information
The information gathered and handled by real estate professionals contains many pieces of PII: “personally identifying information.” This may include everything from driver’s license numbers to credit scores to Social Security numbers in real estate files, as well as copies of checks. Images of checks are so sensitive that, if one or more client or transaction files were lost, stolen, or accessed by an unauthorized individual, one would be obligated to follow any or all relevant breach notification laws, which can be devastating for the reputation of one’s business.
Different Types of Clouds
It is important to understand what is meant by cloud computing versus traditional application hosting, and also to distinguish between the different types of clouds, as they relate to software you may be using to store or transmit such sensitive information. Traditional application hosting involves the purchase or lease of computers which, for secure applications, are dedicated to the use of a single company, and it is that company’s responsibility to securely configure and manage the computers and network surrounding them. In contrast, cloud computing allows a company to purchase shared computing resources in whatever amount they need.
In terms of the security ramifications of cloud computing, software applications hosted in the cloud generally use computers that are also used by other companies’ applications, and security depends on specialized software that is supposed to prevent one company (or “tenant”) from accessing another tenant’s information. While the company using the cloud still has a level of responsibility for security configuration of their servers, additional security management is needed at the level of the owners of the cloud. There are other risks of such multi-tenant systems as well. Several times over the past few years, law enforcement officials have seized shared servers because of the illegal activities of one tenant, with consequences for other tenants (https://www.google.com/#q=cloud+servers+seized).
It is important to understand though that there are three different types of clouds, each of which has a different level of risk:
- Public cloud - the entire cloud is available to the public, and is managed by an organization that provides cloud services. It exists on the cloud provider’s premises.
- Private cloud – the cloud is used by only one entity. It can be managed by a cloud services provider or by the organization itself. It can be located on the client’s premises or at the provider’s.
- Community cloud – the cloud is shared by several organizations in the same industry or with the same purpose. It can be managed by a cloud services provider or by the organization itself. It can be located on the client’s premises or at the provider’s.
A private cloud may seem to offer the most restrictive environment, over which you can have the most control. But even a private cloud does not intrinsically safeguard your personally identifying information. Your unencrypted information may still be visible in the cloud, in databases, in the operating system, in the hypervisor, and in memory. Employees of the cloud provider may still be able to see your data at will, and it is important to include secure disposal into your contract.
With public clouds and community clouds, the need to segment your data becomes more intense, because there are multiple areas of contact between your data and those of other companies; they are almost certainly using the same physical computers as other companies’, and may be as close as the next virtual machine or segment of shared memory. Your data may travel over the same networks as your competitors.
Public clouds running Software as a Service (SaaS), such as Amazon’s or Google’s, are perhaps the hardest to deal with from a security standpoint, because there can be very little transparency on the part of the cloud provider as to where the data is stored, how they are kept separate from those of others, and how they are secured internally. Almost all of the cloud applications commonly used by real estate professionals are running on a public cloud.
In order to mitigate the risks of storing sensitive information in the public cloud, two levels of protection need to be defined in guidance: steps taken by the cloud hosting provider, and steps taken by the software application provider.
Guidance from Other Industries
The real estate industry has no regulations or guidelines for cloud security yet. If and when that occurs it is mostly likely to be similar to those found in the financial industry, which safeguards much of the same sensitive data as our own industry. There are two sets of guidance from the financial industry that are of interest:
- The FFEIC (Federal Financial Institutions Examination Council), a Federal agency overseeing the banking industry, issued brief guidance on cloud computing in 2012 (FFIEC OCC), and also lengthier relevant guidance on data security (FFIEC IS).
- The PCI’s Data Security Standards 2.0, which apply to the handling of credit card data, have extensive guidelines on cloud computing (PCI CCG).
(The above abbreviations will be used for references.)
Guidance for Selecting Cloud Based Software
Let’s say you, as a Realtor® or Broker, or as an MLS or Realtor® Association staff-person, are trying to determine whether a cloud-based document management system provides sufficient security, such that you might sign up for it. Following are criteria that you would have to ensure are documented by the software provider, and answered in a way that you believe implies sufficient care has been taken to protect sensitive data:
- Controls to ensure integrity and confidentiality of sensitive data that shares network or server resources with other companies. (FFIEC OCC p. 2)
- Encryption of non-public personal information and other data whose disclosure could harm the [organization] or its customers. (FFIEC OCC p. 2)
- “Access to customer data is restricted appropriately through effective identity and access management. A multi-tenant cloud deployment, in which multiple clients share network resources, increases the need for data protection through encryption and additional assurance that proper controls are in place to restrict tenant access solely to their respective data.” (FFIEC OCC p. 3)
- Verifying the data handling procedures, the adequacy and availability of backup data (FFIEC OCC p. 3)
- Security audits covering not just internal controls but the cloud service provider’s controls. This may include continuous monitoring of cloud service provider controls. (FFIEC OCC p. 3) the security auditor must be independent. (FFIEC IS)
- “Effective monitoring of security-related threats, incidents, and events on both [software company and cloud provider] networks; comprehensive incident response methodologies; and maintenance of appropriate forensic strategies for investigation and evidence collection.” (FFIEC OCC p. 3)
- Responsibilities are spelled out with respect to security controls for data, interfaces (APIs, GUIs), application, solution stack (programming languages / platforms), operating systems, virtual machines, etc. – especially where they are shared between the cloud service provider and software provider. (PCI CCG 3.3, 6.1.3)
- Assurance that appropriate protections have been taken by their upstream cloud service provider. (PCI CCG 3.4)
After reviewing even this small subset of the FFIEC and PCI guidelines, a real estate practitioner may determine that a cloud-based solution for document management (i.e. Dropbox, Skydrive, or Google Drive) does not provide the type of individually keyed encryption to assure that proper controls are in place to restrict tenant access (let alone individual user access) solely to their respective data. This may mean that such services should not be utilized for that type of application – or may mean that they need to be supplemented with additional controls, for example, using products like BoxCryptor, Viivo, or CloudFogger to add additional encryption security.
Guidance for Cloud Service Providers
The cloud service provider (CSP) hosting the application should be guaranteeing many of the same things as the software provider, and also:
- Contractual guarantees that the cloud provider will implement any changes needed to meet regulatory requirements. (FFIEC OCC p. 3)
- How will the service provider ensure continued service in event of disaster? (FFIEC OCC p. 2)
- Service level agreements (FFIEC OCC p. 3) that are specific as to the ownership, location(s) and format(s) of data, and dispute resolution. (FFIEC OCC p. 3)
- The ability to remove non-public personal information from all locations where it is stored. (FFIEC OCC p. 4)
- “Contracts with the cloud-computing service providers should specify the servicers’ obligations with respect to … responsibilities for compliance with privacy laws, for responding to and reporting about security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.” (FFIEC OCC p. 4)
- Security controls for physical facilities, network, data storage (hard drives, backups, etc.), processing and memory, hypervisors, virtual network infrastructure, virtual machines, operating systems – especially where they are shared between the cloud service provider and software provider. (PCI CCG 3.3)
- “Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation. Mechanisms to ensure appropriate isolation may be required at the network, operating system, and application layers; and most importantly, there should be guaranteed isolation of data that is stored.” (PCI CCG 4.4, 6.1.3)
- Tracking and monitoring of all access to network resources and PPI. Logging should allow for detailed forensics isolated to the individual tenant. (FFIEC OCC, p. 4; PCI CCG 4.2; 6.5.3)
- Evidence that security controls are in place and being updated. (PCI CCG 3.3)
Again, the preceding items are just a small subset of a much larger set of guidance that should be considered.
Actively working and even pushing to obtain documentation of concrete, forthright answers to these questions, on your part and on the part of your software provider, is crucial. In the event of a breach or other mishap, your decisions in selecting a SaaS provider and/or CSP will be subjected to scrutiny, and the question that will be asked is, “Did you perform due diligence when selecting and working with your provider?” As the PCI cloud computing guide says, simply asking your provider, “Is my data safe?” or relying on your provider’s marketing materials, does not represent due diligence.
The security controls for both software providers and cloud service providers listed above are just the tip of the iceberg. The complete guidelines – composed of rules, guidance, and information put out by PCI and FFIEC – put the power in your hands to ask smart questions about both the software services and the cloud services you intend to purchase and use to transmit sensitive information. These guidelines should help you answer the question, “Is this cloud software and/or cloud hosting provider appropriate for handling my most sensitive data?”
These guidelines represent a higher standard for information security than is prevalent in the real estate industry today which, unlike other industries handling sensitive information, currently lacks formal guidance. Following this approach should also provide you with a higher level of preparation should more stringent and well-defined regulation of the industry’s IT practices be imposed.
Even though doing due diligence on cloud security, using appropriate guidelines, may be significant work, the fact is that companies in many sectors are following these practices. They’re the ones who don’t show up in the news because of a security breach or a dispute with their provider. The cloud is not going away because security is “too hard.” The goals are attainable, and the rewards of flexibility and on-demand provisioning that the cloud provides can’t be ignored. More cloud is in our industry’s future, not less. It just has to be “done right.”
Cloud Special Interest Group and PCI Security Standards Council. “Information Supplement: PCI CCG Cloud Computing Guidelines.” PCI Data Security Standard (PCI CCG) v. 2.0. Wakefield, MA: PCI, 2013. https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
Federal Financial Institutions Examinations Council. Information Security IT Examination Handbook. Arlington, VA: FFIEC, 2006. http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
FFIEC Information Technology Subcommittee. Outsourced Cloud Computing. Arlington, VA: FFIEC, 2012. http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf