I’m just beginning to investigate cloud security. What advice can you give me, and what steps should I take to make sure I’m covering all my bases?
Starting out, we would suggest that you look for transparency from your cloud vendor. If they have a SAS 70 standard for their platform, insist on being able to review the controls they have adopted. Also look for their involvement in industry groups such as the CSA and standards such as CloudAudit. Industry benchmarks are key to educated buying decisions.
Organizations that are starting their cloud journey will need to identify how their cloud strategy helps them achieve their overall business objectives. As an integral part of the cloud strategy, they will need to ensure that their cloud security governance process can provide policies, procedures, and standards for a smooth and secure transition to the new business computing model. They need to map out their cloud security architecture and implement cloud security solutions accordingly. If they engage cloud service providers, they should also insist on a strong service level agreement (SLA) that specifies requirements for data confidentiality, integrity, and availability. In addition, they should discuss their rights to audit.
Read the fine print. Test everything (especially failure conditions). And plan for a loss of connectivity to the cloud and ensure that your business is still operational. With the right architecture and business resumption planning, even the occasional glitch won’t result in damaging downtime and loss.
Don’t shy away from asking the more difficult questions regarding architectures and data controls. Don’t take a SAS 70 or SSAE 16 as the end-all document guaranteeing security. Do treat cloud-based services like you would any other outsourced or hosted platform. Do inspect what you expect of your providers—how providers operate and their control and testing processes. Do thoroughly review all SLAs and ask for security elements to be included in those SLA terms. Make a physical site visit so that you can see that what is represented on paper is followed in real-world operations.
At its core, the cloud is enabled by a combination of technologies and solutions from a variety of vendors, but virtualization is perhaps the most critical element. Thankfully, a number of organizations—NIST, SANS Institute, PCI-DSS, CIS, and more—have published guidelines for securely migrating workloads onto virtual infrastructure. These same guidelines should be referenced before migrating into the cloud because the methods for securing virtual infrastructure are perfectly applicable.
35 Intel IT Center Vendor Round Table | Cloud Security