Five Security Questions You Should Ask Your Cloud Services Provider
If you’re in the market for a cloud services provider, you should have several security questions at the ready. Consider it a shopping list of must-haves to run through with any provider, and the best way to ensure you’re getting the most secure and trusted IaaS offering possible.
1. Can you ensure isolation of my virtual machines (VMs) from those of your other customers? In a multi-tenant environment, for any offering to be secure, it must include proper isolation of customers’ VMs. Without VM isolation, you can’t be assured that infections or malware won’t proliferate from another customer’s VM to your organization’s VM, or that your sensitive and valuable information will remain protected from unauthorized access. That’s why your IaaS provider must offer both highly granular firewall-based isolation for each VM or group of VMs via virtual firewall technology and an automated security-enforcement process. This way, newly created VMs within a group inherit the security policy being applied to the resources of that group, ensuring that virtualization security and firewall protection are applied and enforced consistently and that your business remains decisively your business (and vice versa).
2. Are you able to deliver PCI-compliant operation of my VMs? Any business that processes credit card information needs to be in compliance with regulatory mandates, such as PCI. In a virtualized environment, to remain compliant, you will need the ability to restrict VMs to a single function, and this can only be done with virtual firewall technology that can granularly restrict a VM to accepting and forwarding only certain types of traffic (i.e., by application, port, or protocol). Therefore, you should ask your IaaS provider if they incorporate a virtualization security solution that offers granular visibility, segregation, and access control of VM use for PCI compliance. To boot, your provider should also offer the means to fulfill compliance reporting requirements in an automated manner.
3. As the customer, do you allow me to manage the security of my own VMs? Self-service options are always a plus. Ask if your IaaS provider can offer you visibility and manageability over your own security. While the cloud service provider may offer you properly configured and secured VMs, you may want to ask if you can manage parts of the security policy governing access on your own. This way, you can adjust VM access to quickly meet time-sensitive business objectives. An ideal model is one where the security experts of the cloud service provider deliver a properly configured VM that they secure and isolate, but you are offered the option to make adjustments to your policy in concert with their security administrators.
4. How do you ensure maximum availability of my VMs? No business can afford downtime. That’s why your cloud services provider should be able to offer SLAs of three- to four-nines (99.9% and 99.99%) availability per individual VM workload that is inclusive of fault-tolerant, continually enforced security. In other words, you want maximum availability and security for your VMs – as opposed to one delivered at the cost of the other. To be sure that the IaaS provider has the latest and best technology, you’ll want to ask if the virtualization security solution incorporated within is fault-tolerant. What happens to business flow and security enforcement if the firewall module that enforces security policy fails? What happens if that same module loses communication with its management system? The answer to both should be – business as usual. Traffic and security continue, with a hot-standby mechanism providing the required protections.
5. Can I get reports of access activity and compliance for my VMs? When it comes to maintaining optimal VM security, compliance, and peace of mind for that matter, the best offering from your IaaS provider is comprehensive reporting delivered on a schedule. You want to know the security health of your VMs, and granular reporting can give you that picture. These types of reports should contain a complete inventory of your VMs, VM groupings, and their security state; a comprehensive list of all applications installed on VMs, including operating system patch levels and application versions; and an overall compliance assessment that gives the state of each VM relative to the desired state or policy (i.e., proof of white list enforcement).
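To make questions 1 and 5 concrete, here is an added sketch (not from the original article or from any provider's product) of group policy inheritance and a per-VM assessment against the group's desired state. The group names, VM names and (protocol, port) rules are constructed sample data, and the function names are hypothetical.

```python
from dataclasses import dataclass, field

# A rule is (protocol, port). All names and values here are constructed samples.
Rule = tuple[str, int]

@dataclass
class Group:
    name: str
    allowed: frozenset[Rule]  # desired state: the group's allowlist

@dataclass
class VM:
    name: str
    group: Group
    observed: set[Rule] = field(default_factory=set)  # rules actually enforced

def create_vm(name: str, group: Group) -> VM:
    """A new VM starts with a copy of its group's policy (question 1)."""
    return VM(name, group, set(group.allowed))

def assess(vm: VM) -> dict:
    """Compare a VM's enforced rules with its group's desired state (question 5)."""
    extra = vm.observed - vm.group.allowed    # traffic allowed beyond policy
    missing = vm.group.allowed - vm.observed  # policy rules not being enforced
    return {
        "vm": vm.name,
        "group": vm.group.name,
        "compliant": not extra and not missing,
        "extra": sorted(extra),
        "missing": sorted(missing),
    }

def report(vms: list[VM]) -> list[dict]:
    """Inventory of VMs, their grouping and their state relative to policy."""
    return [assess(vm) for vm in vms]

# Each group is restricted to a single function, as in question 2.
web = Group("web", frozenset({("tcp", 443)}))
db = Group("db", frozenset({("tcp", 5432)}))
vms = [create_vm("web-01", web), create_vm("web-02", web), create_vm("db-01", db)]
vms[1].observed.add(("tcp", 22))  # constructed drift: a manual change opened SSH

if __name__ == "__main__":
    for row in report(vms):
        print(row)
```

A report like this is only evidence of enforcement if the observed rules are read from the enforcement point itself rather than from the management system's copy of the policy.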
Keep in mind that as you evaluate your cloud services providers, they will have different offerings for security that will vary based on the underlying architecture that the provider has installed. Ultimately you want the most granular security and proof that this level of protection is continually in effect even in the highly dynamic world of cloud computing.