Editor’s Note: The following Blog is excerpted from Peak 10’s White Paper: “Building Security Controls into the Cloud.”
By Laura DiDio
Strong security is a foundational element of every public, private and hybrid cloud implementation no matter how big or small. Any business whose cloud security is weak or porous will suffer severe consequences to its business productivity and bottom line.
While there’s no such thing as a 100 percent secure environment, organizations can and should work with their cloud providers to build additional layers of security into their public and hybrid cloud deployments. This raises the degree of difficulty for would-be internal and external hackers. It also increases overall network reliability and minimizes the corporation’s and cloud provider’s risk of litigation.
Whatever type of cloud service an organization implements, proactive security practices, procedures and products should be a priority from design to deployment to ongoing maintenance. Businesses should be the biggest investors in their cloud security.
Before an organization begins to tackle cloud security it needs to review and most likely revamp/upgrade the security policies, procedures and products it is currently using for its in-house physical and virtual networks. Given the rapid advances in technology and the proliferation of Bring Your Own Devices (BYOD) and mobility, it’s advisable for corporations to upgrade their computer security policies and procedures at least annually — and more if needed.
The “attack surface” is now much larger. A knowledge workers accesses the corporate network, including cloud-based data, using an average of three different devices. Typically, these include a corporate desktop/notebook (an increasing number of which are employee owned), a tablet and a smart phone. Simple arithmetic tells us that creates at least three times as many opportunities for hackers and malicious code to invade the company network. It also equates to triple the number of devices for overburdened corporate and cloud IT departments to defend and monitor.
“You need a clear idea of what you’re trying to achieve in the cloud as well as what kind of service your firm is purchasing – an IaaS or a PaaS service. The considerations are different for each,” says Mike Edwards, a senior technical staff member at IBM in Winchester, UK and a contributing author to the Cloud Standards Customer Council 2012 White Paper “Security for Cloud Computing 10 Steps to Ensure Success” .
“A company that opts for an SaaS cloud implementation, for example, will find that it is renting the application from the cloud provider who will make the security choices for the company,” Edwards says. “You have to consider that and be confident they can do the job.”
Organizations should meet with their cloud providers in advance and carefully review the contracts as well as the procedures, policies, disaster recovery (DR) and backup and response mechanisms the cloud providers have in place to deal with any security breaches/hacks in a timely effective manner.
“Outsourcing your data and assets to a public cloud doesn’t mean you relinquish oversight of your firm’s security,” observed Andrew Baker, founder of Brainwave Consulting, a security and IT consulting firm in Gassaway, West Virginia. He recommends that prior to meeting with your hosted cloud or managed service provider (MSP), your firm’s IT staff construct its own security and DR/backup checklist.
“Assemble all the appropriate security stakeholders among the C-level executives, including the CIO and CTO, the IT manager and security administrators, as well as any department heads whose data will either reside in the cloud or connect to the cloud via any type of hybrid network. This group should compare the internal corporate security checklist and DR/backup and response plan with the contingency and response plan of the prospective cloud,” Baker said.
“This serves two purposes. First, it will convince them that your firm is knowledgeable and proactive with respect to security. Second, it will provide your organization with valuable insight as to the security preparedness or lack thereof, of your prospective cloud MSP,” Baker said.
The more detailed information and insight you have regarding your cloud provider/MSP’s security practices, the more prepared your organization will be to proactively participate in defending its data assets. Your corporation needs to know the answers to the following questions regarding the cloud provider’s data defenses:
- Does your cloud provider incorporate the latest encryption methods?
- How is encryption managed?
- What are the backups and controls?
- How is security validated?
- Does the cloud provider deploy the latest multi-factor authentication, authorization, intrusion detection and tracking tools?
- What firewalls does it utilize to secure the perimeter and is it up-to-date on the latest patches?
- What are the vendors’ policies in terms of data movement?
- Where will the data be stored?
- Does it have VPNs and extra layers of security installed?
- Who are your co-tenants in the cloud and how is your data secured/separated from theirs?
- Has the cloud provider suffered any successful security penetrations or hacks in the last one to three years? How severe were the outages and what were the cloud MSP’s remediation efforts and mean time to recovery (MTTR)?
- Does the cloud provider indemnify your firm against lost or stolen data due to a security breach? If so, are there limits to the indemnification and cloud provider’s liability ?
- Can the cloud vendor provide customer references?
The answers to all of the aforementioned questions are vital components to constructing and maintaining the security of your firm’s data assets residing in the cloud, Brainwave’s Baker said. “Organizations should make sure their cloud vendors provide detailed answers to all of these questions on an ongoing basis, “he said.
The issue of where cloud data is stored/resides has significant security implications. It would be unwise for companies in highly regulated industry verticals like finance and healthcare to have sensitive employee financial records or patient medical records stored overseas because of potential compliance issues with the Securities and Exchange Commission (SEC) or HIPAA regulations. Organizations also need transparency around the policies and procedures the cloud provider has established around information security. Specifically, companies should require their cloud vendors to provide them with operational transparency on security on at least a weekly basis, Baker advised.
Disaster Recovery (DR)/Backup and Latency Checklist
DR/backup and latency are also crucial to shoring up security. The ability of a cloud vendor to quickly and effectively identify and respond to any type of security threat or an actual breach is absolutely critical to security, protecting your data assets and minimizing data loss and downtime. A cloud provider/MSP should readily be able to provide its DR and business continuity plan, noted both IBM’s Edwards and Brainwave’s Baker. Once again, establish a checklist. The cloud provider’s DR/backup plan should detail:
- A definitive response time and latency involved in responding to both the incident itself and informing your corporation of any issues. Your cloud provider may have guaranteed latency and response times based on myriad factors such as how much business you do with their firm; what type of service contract your company purchased to the severity of the security incident.
- The specific methods and mechanisms they use to identify any emergency.
- The types of security emergencies they are equipped to manage.
- How the cloud provider’s internal security practitioners will respond, react and communicate with each other to respond to and resolve the issue and take the necessary remedial actions.
- How the cloud provider will then communicate with your organization.
- How any change in the cloud provider’s operations in an emergency may affect your business.
- How your company will have to authenticate to a different location in the event of a security incident.
- Any different processes for accessing the cloud provider. For example, will your IT department and end users have to connect and access data using a different MAC or IP address during a security emergency?
- The duration of an emergency that the cloud vendor can sustain.
- The specific processes for failover/fail back to the primary operations mode.
Beware of any cloud provider contract that contains nebulous or non-specific Terms and Conditions (T&Cs) such as cloud provider “will provide or undertake best efforts to get the services and equipment restored and operable .”
In summary, the cloud provider should have a readily available game plan that outlines the rules of engagement and provides your organization with contact names and numbers as well as a “To Do” list in the event of an emergency.