Considering a move to the cloud? Before migrating your data and applications to HOSTING (we’d love to have you!) or another cloud service provider (CSP), understand the potential security benefits and risks associated with cloud computing. The HOSTING team of certified information security and compliance experts stands ready to answer any of your cloud security questions. In the meantime, we’ve listed 5 cloud security steps for you. Use them as a starting point from which to evaluate the security postures of potential CSPs.
Step 1 – Examine your CSP’s governance, risk and compliance processes
While security controls for cloud environments are similar to those found in traditional IT environments, you should be aware of the unique risks involved in the cloud, due to the following:
- The customer and cloud service provider each have responsibilities for securing the cloud environment
- The CSP is responsible for the technical design and operational control of the cloud service
Before moving your business assets to a cloud provider, verify that they can meet your organization’s security and compliance needs by reviewing their Service Level Agreement (SLA). If your organization must meet HIPAA/HITECH compliance requirements, insist that the CSP enter into a Business Associate Agreement (BAA).
Step 2 – Audit the CSP’s operational and business processes
This is particularly important if your organization adheres to compliance mandates as prescribed by HIPAA/HITECH or PCI DSS. At a minimum, you should expect to receive a report on the cloud provider’s operations prepared by independent auditors. If you are a HIPAA-compliant organization, the CSP should produce a report from an independent auditor approved by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). If your organization is PCI-compliant, the report should come from an approved Qualified Security Assessor (QSA).
Cloud security is an essential element of any compliance framework. Therefore, you should educate yourself on the following aspects of cloud security that are of particular importance to auditors:
- Understanding the CSP’s internal control environment, including risks, controls and governance related to a customer’s assets in the cloud
- Access to the CSP’s corporate audit trail including workflows and authorizations
- How the CSP’s facilities for cloud services are controlled and secured
Also examine how the CSP implements the following cloud controls:
- How customer data and applications are isolated in a shared, multi-tenant environment
- How they safeguard customer assets from unauthorized access by the provider’s staff, vendors and/or partners
Step 3 – Understand how the CSP manages their people, roles and identities
According to PwC’s 2015 Global State of Information Security Survey, the total number of security incidents detected climbed to 42.8 million this year, an increase of 48% from 2013. And the worst part? Many of them were the result of actions by internal employees. If you are planning to migrate your information assets to the cloud, you should expect that the CSP’s employees will have the ability to access your data and applications.
Before signing up with any CSP, make sure that they have acceptable processes and functionality in place to govern who has access to your assets. Conversely, the cloud provider must also allow you to assign and manage the roles and associated levels of authorization for each of your employees, in line with your own security policies. These roles and rights should be assignable on a per-resource, per-service or per-application basis.
The cloud provider must also have a secure system for provisioning and managing unique identities for their users and services. And any user access to the CSP’s management platform should be monitored and logged as part of your audit trail.
Step 4 – Ensure the CSP can secure all of your data and applications
Review a complete list of the data assets you plan to store in the cloud with your potential CSP. Data assets in the cloud can also include applications or machine images, which have security needs similar to those of the content found in databases or data files. Make sure your CSP can handle all of your data security needs. Ask whether their security methods apply both to data at rest (data that is held in a storage system, such as a database) and to data in transit (data that is transferred over a communication link).
A key consideration when using cloud services is encryption. Insist that your data be encrypted both in transit and at rest. Also have a clear understanding of where the CSP stores the encryption keys and how they are made available (e.g., to application code that needs to decrypt your data for processing). Make sure the CSP keeps the encryption keys and the data separate. They should also follow a “split knowledge” policy in which no one person or group has access to both your data and the encryption keys.
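To make the “split knowledge” principle concrete, here is an added example (not HOSTING’s code, nor any CSP’s key-management implementation) that splits a data-encryption key into XOR shares held by separate custodians, so that no single share, and no incomplete set of shares, yields the key. The function names and the fingerprint check are assumptions of this example.

```python
import hashlib
import secrets
from functools import reduce

# Added illustration of "split knowledge": the data-encryption key is split into
# XOR shares held by separate custodians (for instance a customer security officer
# and a CSP key administrator). Each share alone is indistinguishable from random
# bytes; only the combination of every share yields the key. The function names
# and the fingerprint check are assumptions of this example, not any CSP's API.


def xor_all(chunks):
    """XOR a sequence of equal-length byte strings together."""
    return bytes(reduce(lambda a, b: a ^ b, parts) for parts in zip(*chunks))


def split_key(key: bytes, n_shares: int = 2) -> list:
    """Split `key` into n_shares XOR shares; all of them are needed to recover it."""
    if n_shares < 2:
        raise ValueError("split knowledge needs at least two custodians")
    random_shares = [secrets.token_bytes(len(key)) for _ in range(n_shares - 1)]
    # The final share is chosen so that the XOR of all shares equals the key.
    final_share = xor_all([key] + random_shares)
    return random_shares + [final_share]


def combine_shares(shares: list) -> bytes:
    """Reconstruct the key from the full set of shares."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("all shares must be the same length")
    return xor_all(shares)


def key_fingerprint(key: bytes) -> str:
    """Fingerprint stored alongside the shares; it does not expose the key itself."""
    return hashlib.sha256(b"split-knowledge-fingerprint" + key).hexdigest()


def verify_reconstruction(shares: list, fingerprint: str) -> bool:
    """True only when the presented shares reassemble to the original key."""
    return key_fingerprint(combine_shares(shares)) == fingerprint
```

Presenting fewer than the full set of shares reconstructs a different, useless key, which the fingerprint check rejects; the ciphertext itself should live in a separate store from every share.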
Step 5 – Understand how the CSP enforces their cloud security and privacy policies
Your potential CSP should understand the difference between security and privacy when it comes to safeguarding your data. The primary role of cloud security is to defend against cyber attacks – not all of which are focused on stealing data. Privacy pertains to personal data held by an organization, which may be put at risk by a variety of factors such as employee negligence or a software bug – but not necessarily by a deliberate, malicious act.
Ultimately you, the customer, are responsible for ensuring the security and privacy of your data, even when it’s stored by a CSP. Make sure you have detailed SLAs and BAAs (if applicable) in place that clearly define security and privacy requirements. These agreements should also list the specific responsibilities that you and your CSP have agreed upon.
While cloud adoption remains strong, it’s essential that cloud customers and their CSPs work together to ensure a strong cloud security posture. Download the 2015 Alert Logic Cloud Security Report for more insights on today’s cyber threats and how to protect yourself against them.