What every Cloud Customer should be asking their Provider

At this point everyone has heard the term “cloud,” but what does this mysterious terminology actually mean? The cloud can mean many things to different segments of the information technology industry. For the purposes of this discussion, it can simply be defined as the distribution of resources by companies that provide services across the Internet. Whether it is SaaS (software as a service), PaaS (platform as a service), or IaaS (infrastructure as a service), the organization using these services must validate the provider against criteria tied to the amount of risk the organization is willing to accept. Organizations deciding to move to the cloud need to understand the best practices for securing it. Security policies for most organizations should address at least the following concerns:

  • SLA
  • Data Storage/Transport
  • Security Posture
  • Regional Laws

The SLA, or “Service Level Agreement,” should be the first point discussed with any cloud provider. An SLA can define many aspects, such as confidentiality, integrity, and availability, along with a variety of mutual agreements; the CIA triad is a good place to start. If your organization must meet certain requirements for additional resources or response times, then the cloud provider must be able to meet them as well. The provider should be able to scale according to the organization's needs and provide transparent security controls outlined in the contract.

Securing data storage should be one of the key areas reviewed when moving data to the cloud. Confirm that the provider follows policies that enforce both data and physical security controls. Encryption, for example, should be a central concern for your organization when moving to the cloud: valid encryption controls should be in place for data at rest and for any data moved between endpoints. SSH, SSL, and VPNs are typical methods of encrypting data as it traverses the cloud. Physical security may involve building or data center access; not everyone should have physical access to customer data.

Another important question to ask the cloud provider relates to their security posture. Are they using firewalls with granular ACLs? Do they use a layered defense? Is your data shared with others? Do they patch on a regular basis? Typical security controls such as firewalls, IDS/IPS, isolated network segments, and hardened servers should all be in place before a contract is signed. Your data may be utilizing resources shared with other clients, so you must confirm that there is separation between resources such as databases and the hardware hosting virtual machines. The provider should have some type of isolation between clients, such as VLANs and firewalls, if required. Every company should go through the process of hardening their servers against attacks.

However, hardening servers brings up the last question: is the provider patching the servers on a regular basis? We all know what happens when long delays occur in patching vulnerable software, especially if it is public facing.

Regional laws also play a factor when moving to the cloud. The cloud provider may store the data in a state or country that governs the provider in a manner that affects the security or availability of the organization's data. Always determine the location of the data within the cloud so the applicable laws can be understood before an issue arises.

While there are security controls and agreements that must be in place before a relationship is formed between the organization and the cloud provider, the advantages of the cloud persuade many organizations to move in this direction. The cloud can provide certain advantages over on-site infrastructures:

  • Cost savings on hardware/software/workforce
  • Efficient provisioning of resources
  • Scalability
  • Convenience

These are only a few of the benefits organizations can obtain from the cloud. Depending on the use case, the advantages can be exponential.
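The provider questions raised above (where the data lives, encryption at rest and in transit, tenant isolation, and patch cadence) can be turned into a repeatable check rather than a one-time conversation. The following script is an added example, not part of the original article or any provider's tooling; it assumes a hypothetical inventory of provider answers (the `SAMPLE_INVENTORY` records and the `POLICY` thresholds are constructed values, not a standard) and evaluates each service against the organization's risk thresholds.

```python
"""Policy-as-code check of a cloud provider's answers to the due-diligence
questions above. All inventory data below is constructed for illustration."""
from datetime import date, timedelta

# Organisation's risk thresholds (constructed example values, not a standard).
POLICY = {
    "allowed_regions": {"us-east-1", "eu-central-1"},   # where data may reside
    "min_tls_version": (1, 2),                          # TLS 1.2 or newer in transit
    "max_patch_age_days": 30,                           # acceptable patch lag
    "require_at_rest_encryption": True,
    "require_tenant_isolation": True,                   # shared DB/hypervisor needs isolation
}


def parse_tls_version(label):
    """Turn a label such as 'TLSv1.2' into a comparable tuple (1, 2).
    Unknown or missing labels map to (0, 0) so they fail any minimum-version check."""
    if not label or not label.upper().startswith("TLSV"):
        return (0, 0)
    try:
        major, minor = label[4:].split(".")
        return (int(major), int(minor))
    except ValueError:
        return (0, 0)


def assess_service(svc, policy=POLICY, today=None):
    """Return a list of (check, detail) findings for one provider service.
    An empty list means the service meets every policy requirement."""
    today = today or date.today()
    findings = []

    # Regional laws: data must stay in a region the organisation has approved.
    if svc["region"] not in policy["allowed_regions"]:
        findings.append(("region", f"data stored in {svc['region']}, outside allowed regions"))

    # Data storage: encryption at rest.
    if policy["require_at_rest_encryption"] and not svc.get("encryption_at_rest", False):
        findings.append(("at_rest", "data at rest is not encrypted"))

    # Data transport: minimum TLS version between endpoints.
    tls = parse_tls_version(svc.get("transport_tls"))
    if tls < policy["min_tls_version"]:
        wanted = ".".join(str(n) for n in policy["min_tls_version"])
        findings.append(("in_transit", f"transport uses {svc.get('transport_tls')!r}, below TLS {wanted}"))

    # Security posture: patch lag measured from the provider's last patch date.
    patch_age = (today - svc["last_patched"]).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(("patching", f"last patched {patch_age} days ago"))

    # Security posture: separation from other tenants (dedicated hardware or VLAN+firewall).
    if policy["require_tenant_isolation"] and svc.get("tenant_isolation") not in {"dedicated", "vlan+firewall"}:
        findings.append(("isolation", f"tenant isolation is {svc.get('tenant_isolation')!r}"))

    return findings


def assess_provider(inventory, policy=POLICY, today=None):
    """Assess every service in the inventory; returns {service_name: findings}."""
    return {svc["name"]: assess_service(svc, policy, today) for svc in inventory}


# Constructed sample: two services as described by a hypothetical provider.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    {
        "name": "customer-db",
        "region": "eu-central-1",
        "encryption_at_rest": True,
        "transport_tls": "TLSv1.3",
        "last_patched": TODAY - timedelta(days=7),
        "tenant_isolation": "dedicated",
    },
    {
        "name": "legacy-file-share",
        "region": "ap-southeast-2",
        "encryption_at_rest": False,
        "transport_tls": "TLSv1.0",
        "last_patched": TODAY - timedelta(days=45),
        "tenant_isolation": "shared",
    },
]

if __name__ == "__main__":
    for name, findings in assess_provider(SAMPLE_INVENTORY, today=TODAY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for check, detail in findings:
            print(f"  [{check}] {detail}")
```

Run as-is, the compliant `customer-db` service produces no findings, while `legacy-file-share` fails all five checks. Feeding the provider's written answers into a check like this before the contract is signed, and again after each review cycle, keeps the SLA discussion tied to evidence rather than assurances.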

Contributions By: Kevin Stevens, Security Researcher