What would your reaction be to someone who told you that “The Cloud” is so secure you don’t need to do anything else to protect your data? I would hope that your reaction would be somewhere between the RCA Dog head tilt and Dramatic Chipmunk. But from anecdotes I’ve been hearing, this gem of very questionable advice is becoming increasingly common.
The truth is, Cloud Computing is not some magic security sauce that you can liberally apply to make your data safer. It’s unfortunately apt that two dictionary definitions of the word “cloud” are “making less clear or transparent” and “cause of gloom, suspicion, trouble, or worry”. Cloud services are very much what you make of them, and you need to apply at least an equivalent level of rigorousness, in terms of risk assessment, as you would with assets that are hosted on your own network.
Because the Cloud can make risks and responsibilities less clear, you’ll need to be extra dogged about asking vendors what steps they take to secure their services. When choosing a new vendor, you should be thoroughly vetting their security policies and procedures. It’s also a good idea to clearly spell out what responsibilities fall to the vendor and what you need to do on your organization’s end to protect yourself.
Cloud security policy questions
Before approaching a vendor, you should be clarifying the answers to a few questions about the needs of your organization:
- What types of Cloud services will you be using?
Will you be using the Cloud simply to store files, to host software applications, or to host virtual machines?
- How will these services be deployed?
Your Cloud could be deployed publicly, privately, or somewhere in between depending on your specific needs and tolerance for risk.
- How sensitive is the functionality or data that they’ll be hosting?
Keep in mind that the Cloud is another way of saying “someone else’s computers”. Quantify how much risk it would create for your organization if this vendor were to experience a breach or go out of business.
- Who will have access to this functionality?
In keeping with the Principle of Least Privilege, it may be that not all of your users need access to the Cloud in order to do their jobs effectively.
- What legal or regulatory compliance requirements do you need to consider?
Each industry has its own relationship with the alphabet soup of national and international data security regulations. Something that would work well for a retail establishment may not be sufficient for a legal or financial business, for instance.
- What will need to be included in an Acceptable Use Policy for your users?
Training and education are crucial to making sure best practices are followed. These should be spelled out for Cloud services explicitly, so that users know what constitutes safe behavior.
- What will be the consequences of failing to adhere to best practices?
This goes for both the Cloud vendor and your users, though consequences for the former will likely be the product of negotiation or existing Service Level Agreements. It should be clear to all concerned what will happen if someone fails to live up to their responsibilities in safeguarding your data.
Cloud security procedures
Once you’ve clarified your goals and boundaries for Cloud services, you can start asking vendors about their procedures. The Gulf Cooperation Council eGovernment site has a document discussing Cloud Computing policy that includes (in Appendix A) a very thorough list of questions that could be great food for thought as you come up with your own list of questions for vendors. Here’s a list of possible topics you may wish to consider:
- Does the vendor have regular 3rd-party security audits?
- What is their policy on updates and patching?
- Do they have anti-malware or intrusion detection products scanning their machines?
- What types of authentication are available with their service?
- What types of controls are available for Identity and Access Management of your user accounts?
- Is encryption available for traffic to and from the cloud, or in storage?
- How will Intellectual Property rights relating to data stored on their servers be protected?
- What types of alerting and reports of events are available to you?
- How are their customers’ resources segmented from one another?
- How often do they make and test backups, and how are they stored?
- Do they have an established incident response policy?
- Do they have a published responsible disclosure policy?
- Do they have event logging that would allow forensic analysis in case of a security incident?
- In what country are their servers located physically?
- What are their policies regarding data mobility and retention?
- What options are available for secure data deletion or destruction?
Clouds don’t have to bring opacity or uneasiness, if you do some homework before implementation. The ability to access files and services from wherever you are is a powerful one, which can either introduce new risks to your environment, or it can be an opportunity to enlist the services of a trusted partner to improve your overall productivity. The coming of Clouds can actually clear the air and provide a welcome respite.
written by Lysa Myers, ESET We Live Security