What you need to know when it comes to keeping security on the systems you outsource to a cloud service provider
The promises associated with cloud computing are well known – IT agility, lower (hopefully) total cost of ownership, data portability, faster time from idea to the market, among many others. As organizations embrace the cloud, the security and privacy of proprietary data remains the number one concern. Compliance with an ever growing number of government and industry regulations is another critical requirement that needs to be satisfied.
However, even when organizations hand over many of their security and compliance controls to a service provider, they necessarily sacrifice security, privacy, or compliance. Over the next few columns, we will tackle each area in depth so you know what you need to consider when it comes to keeping data safe, private, and compliant. Today, we will focus on security and the requirements you should consider when moving data or processes to an external cloud service provider.
While we have found the practices below to be among the most important, they certainly can’t be considered all-inclusive. Every enterprise is different, and will need to adjust its cloud strategy to its particular business and own tolerance for risk. Yet, by focusing on these important areas, you’ll certainly be able to make much better security and cloud computing decisions.
Are these applications and data viable for cloud?
The first question you must answer is whether the organization should be outsourcing certain data or applications at all. Is the enterprise comfortable with losing a certain amount of control over the handling of this information to a vendor? What would happen to the business should the vendor be breached? How are customers likely to react to their data having been outsourced? Your enterprise needs to conduct a thorough risk assessment that involves business leaders, IT, and security before making this decision.
What Identity and Access Management practices are in place?
How does the provider manage, or help you to manage the access rights and identities of customers, partners (both your own and those of the provider), and employees? How are users on-boarded, managed, and de-provisioned? This is important to ask in both outsourced private clouds and so-called “multi-tenancy” environments, where there needs to be solid logical and network segmentation among tenants. This is one crucial way to make certain that no one who has access to shared resources can access the data of other customers.
How are logs collected and maintained?
Every device, application, and system generates reams of event data and alerts. Much of this data is security related, and it is crucial that it’s properly collected and maintained so that security events can be investigated and data that support regulatory compliance are available.
How are their security operations managed?
Attackers are constantly adapting their techniques to remain successful. Catching them requires real-time intelligence into the activities taking place in the enterprise. How does the service provider analyze and correlate the security events across its systems? Without such ability, there is no way organizations can make well-informed security and business decisions.
Other areas of security operations you want to ask about include things like change management processes: how do they handle application enhancements, system upgrades, or patch management? Also, does the cloud provider give you access to any security and compliance-related data? To what level can you monitor who has had access to your data and detect security anomalies, failed log-on attempts, and other helpful security information?
Read the cloud vendor’s security policy. While the cloud provider may be using identity and access management systems, patch managers, security event and information systems, log managers, and others, how are all of these abilities orchestrated through policy and processes? Does the vendor have the appropriate policies and operation teams in place to make sure everything runs cohesively? Does it test its security and abilities through third-party risk assessments and penetration tests?
They need a plan: business continuity and disaster recovery.
Bad things happen – there’s no way to avoid that. But you can do everything within your power to prepare. Just as you have your business continuity and disaster recovery plan in place, does the cloud provider have enough redundancies built into its systems so that in the event of a disaster, the data remains available and systems can function reasonably well? How well prepared is the provider for more mundane problems such as server and system failure? Do they have the systems in place to failover gracefully when needed?
Get it in writing.
The best intentions aside, there are always the risks of miscommunication, poorly set expectations, and mistakes – so it’s important to get your security objectives detailed in your contract. Who has access to your data should be one detail. So should be the specifics for the provider’s response to security incidents: who will be notified and under what conditions. If these types of elements are not explained thoroughly in a contract, you leave yourself completely at the discretion of the provider. Not a good idea.
You’ll never eliminate risks entirely, but there’s no reason why your risk should rise substantially when moving data to cloud. The key is to ensure that you’re comfortable sharing the data or applications with a third party, and that you can validate that this part has the right policies and procedures in place – and the ability to keep your data safe. This way, there’s no reason why you cannot reap the benefits of cloud, without taking any undo risk. In our follow-up article, we’ll take a deep look into pressing cloud privacy concerns.
Read More in SecurityWeek’s Cloud and Virtualization Security Section