Cloud Service SLA Security Tips - What Should You Be Asking Your Provider?

Cloud Service SLA Survival Tips - What should you be asking your cloud provider?

So you’ve decided to test the waters of cloud computing, but you have some concerns. You don’t know what you don’t know. Let’s start with a few tips you may want to consider when defining your SLA with the Cloud Provider.

First off, expectations need to be managed. You should have an understanding of how your application works on a local network, with local resources and associated metrics, so you have something to compare back to when you move to the cloud. At the end of the day, that SLA will help define what services, expectations and guarantees are in place.

Today, we’ll talk about cloud security. Before you become overwhelmed by the idea of addressing security with your cloud provider, remember that you’re the expert. You should expect from them what your company and boss expect from you. Best practices for security don’t change just because you’re moving from the old datacenter model to a cloud-based environment. And it doesn’t change who’s responsible (ultimately, you), but it does affect who’s in control and how close you are to the processes and technologies that are put in place.

This is, of course, where the SLA comes in. As with any security program, there are three aspects of security to discuss when developing your SLA with the cloud provider: Digital Security, Physical Security and Compliance.

Digital Security

The first question you should ask is how your cloud provider protects you digitally. You always want to assume that your cloud provider has the same, if not stronger, information security controls in place as you employ in your home environment. You can verify that by starting with the basics.

First, how will your data be stored? This will likely depend on the type of data in question: are we talking credit card data, PII or proprietary information like your company’s IP? In public cloud environments, you’re almost always dealing with multi-tenancy, so when protecting sensitive data, encryption is of the utmost importance. Encryption can get a bad rep for slowing performance, but that’s the cloud provider’s responsibility to overcome, not yours. Don’t take chances -- insist that all ‘at rest’ data is encrypted.

It’s also important to hammer out who’s responsible for maintaining a secure backup of your data in the event of an outage or crisis. It may not always be feasible for you to keep a secure backup, depending on the size of the data, so be sure to insist that your cloud provider keeps a backup of their own, and can offer you a snapshot on a regular basis. Now that the ‘at rest’ data is secure, what happens if the encryption key or password is lost? Bad news: encrypted data with no key is unrecoverable. For safety’s sake, having a local or backed up copy of your unencrypted data isn’t a terrible idea.

The next question to address is how the cloud provider handles their network security. This would include firewalls, IDS/IPS, and SOC operations. If I were looking for a cloud provider, I’d verify that they have a dedicated team of security professionals that monitor for any threats on the network. Some providers don’t have a SOC – instead they have a more reactive operational center that falls to the network operations team. You can take your chances here, but seeing a dedicated SOC would help me believe that my cloud provider takes security as seriously as I do.

Another question worth asking is whether they have a SIEM for proactive attack information and an audit trail for retroactive investigations in the event of an incident. Accountability is an extremely important question when it comes to cloud security, and your cloud provider should really step it up in this area. Do they employ log management and database activity monitoring? What about access management? Knowing who accessed your data and where it has lived is crucial to a number of compliance mandates, and is an accepted security best practice. There are a number of vendors who sell virtual versions of these appliances directly to cloud hosting companies as a means of providing more flexible security in the cloud. You shouldn’t have a hard time finding a cloud provider that has these technologies in place.
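An audit trail is only useful for a retroactive investigation if you can tell that nobody has edited or trimmed it. The following is an added example (not code from the original article or from any provider) of one way to make a provider-supplied access log tamper-evident: each record carries a hash that commits to the previous record, so an edited, removed or reordered entry breaks the chain at an identifiable position. The record layout, field names and sample events are constructed for the example.

```python
"""Hash-chained audit trail: every record commits to the one before it, so an
edited, removed or reordered record is detectable at verification time.
Added example; the record fields and the GENESIS sentinel are assumptions."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first record


def canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict, prev_hash: str) -> str:
    # Hash the event body together with the previous record's hash.
    body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


def append(chain: list, event: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = dict(event, prev_hash=prev)
    rec["hash"] = record_hash(rec, prev)
    chain.append(rec)
    return rec


def verify(chain: list):
    """Return (True, None) when the chain is intact, else (False, first_bad_index)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("prev_hash") != prev or rec.get("hash") != record_hash(rec, prev):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_chain() -> list:
    # Constructed access events: who touched which object, and from where.
    events = [
        {"ts": "2024-01-05T09:12:00Z", "actor": "ops-admin", "action": "read",
         "object": "bucket/customers.csv", "src": "10.0.4.7"},
        {"ts": "2024-01-05T09:15:30Z", "actor": "svc-backup", "action": "snapshot",
         "object": "volume-42", "src": "10.0.9.2"},
        {"ts": "2024-01-05T11:02:10Z", "actor": "ops-admin", "action": "delete",
         "object": "bucket/customers.csv", "src": "10.0.4.7"},
    ]
    chain = []
    for event in events:
        append(chain, event)
    return chain


def tamper_edit(chain: list, index: int, actor: str) -> list:
    # Simulate someone rewriting who performed an action.
    bad = copy.deepcopy(chain)
    bad[index]["actor"] = actor
    return bad


def tamper_remove(chain: list, index: int) -> list:
    # Simulate a record being quietly dropped from the trail.
    bad = copy.deepcopy(chain)
    del bad[index]
    return bad


if __name__ == "__main__":
    trail = build_sample_chain()
    print("intact:", verify(trail))
    print("edited record:", verify(tamper_edit(trail, 2, "someone-else")))
    print("removed record:", verify(tamper_remove(trail, 1)))
```

In practice the hash of the latest record (or a signature over it) is what you would ask the provider to hand over periodically; anchoring that value on your side is what lets you later prove whether the trail you are given matches the one that existed at the time.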

Next, ask about vulnerability assessments. In general, I like to see a weekly vulnerability scan, and I want to know that an active regular patch process is in place—not just your every-6-month update, but a timely process that ensures each device is up-to-date.

Finally, be sure to ask if the cloud provider’s network is audited on a regular basis. I’d recommend that you look for a provider that is audited at least quarterly if not monthly.

Some of these requirements may seem a bit basic and some may seem a bit stringent – but when giving up control of your data, you should be able to demand that your cloud provider puts digital security at a premium.

Physical Security

Digital security is only as good as the physical security of the datacenter, and vice versa. As we all know, the easiest way to steal data is through actual physical access. You’ll want a datacenter that has dedicated on-site security 24 hours a day, 365 days a year to protect the cloud provider’s security policies and your data. The hiring process for this security position should include a background check and a reference check. Insist on reviewing your cloud provider’s hiring policies for any datacenter security guard or professional.

You may also want to inquire about which level of security has access to the datacenters themselves, and whether there’s an audit trail there as well. Lastly, how are visitors authenticated?

Generally, you need to be on a pre-approved list, show ID and be accompanied by an escort at all times. If your cloud provider expects to have third parties or customer visitors to the datacenter, make sure they can show a defined process for visitor authentication and on-site security.

Compliance

If you are bound by some form of compliance mandate, which most of us are, make sure that you know where your data lives. In some European countries, data is required to stay in that country. Moving it outside the country, even involuntarily via a cloud provider, can be a serious offense. So, be sure to define where your data will live via the SLA. You can get specific here – and you should. Cloud-hopping, as it’s often called, can cause problems for an organization should data be lost or breached while out of country, since different laws apply.

If your data is being hosted in a foreign country, what will the Cloud Provider do in the event of political strife or potential social upheaval that could affect communications or the Cloud Provider datacenter? Best practice says to look for a cloud provider that can easily move your data and infrastructure to another data center should a local crisis break out. And again, don’t forget about those secure backups.

Two other issues to keep in mind when building out your security SLA: breach or data loss notification and the use of third parties. Not all cloud providers will be mandated by law to notify you if your data was lost or if a breach occurred. If your company is mandated to do so, be sure this caveat makes its way into your SLA. It’s not uncommon for cloud providers to leverage third party providers for certain components of their cloud service. If this isn’t okay with you, say so, or ask for a right of first refusal. You may not always get it, but it’s worth the extra effort if you can’t get clarity on the use of third parties.

While there isn’t any silver bullet for security in the cloud, considering these elements as you build your SLA can put you in a better place to rest assured that your data is properly protected in this new environment. Another great place to look for cloud security tips is the Cloud Security Alliance’s website. It offers a good deal of useful information on security, architecture and general best practices for Cloud Computing.

Remember, best practices don’t change. Insist on the level of security that you’ll be expected to deliver and don’t be afraid to hold your provider accountable.

Dimitri McKay is a Security Architect and technology evangelist at Splunk. He has over 13 years’ experience working with Fortune 500 companies on network and systems engineering and security administration. McKay is a regular speaker at security events and a frequent contributor to industry blogs and trade magazines on topics related to network and cloud security, compliance, SIEM and big data. He studied computer science and information technology at NYU and Harvard University. You can follow him on Twitter via @dimitrimckay.