In the cloud, the classic paradigm of network perimeter security no longer applies. Depending on the cloud model being used -- among them software as a service, infrastructure as a service and platform as a service -- a varying amount of control is given to the cloud service provider.
Making the transition to the cloud requires a careful negotiation of the contract. Historically, the network group has had complete control; moving to the cloud, however, requires the organization to relinquish some control and oversight to the cloud provider. This transition will require networking professionals to move beyond their traditional packet-processing mindset in order to really grasp cloud computing.
Organizations must consider a variety of potential threats before they move to a cloud model. To that end, your cloud provider should agree in writing to provide the level of security you require. Here are 10 cloud security tips to keep in mind.
Who has access?
Access control is a real issue. How will cloud authentication be managed? Insider attacks are an ongoing threat. Anyone who has been approved to access the cloud can be a potential problem. Here's an example: An employee may quit or be terminated, and then you find out he or she was the only person who had the password. Or, perhaps the employee was the one responsible for ensuring the cloud provider gets paid. You need to know who has access, how he or she was screened and how access is terminated.
What are your regulatory requirements?
Organizations operating in the United States, Canada or the European Union have many regulatory and compliance requirements by which they must abide, drawing on standards and frameworks such as ISO/IEC 27002, the EU-U.S. Privacy Shield Framework, the IT Infrastructure Library and COBIT. You will need a framework that both parties can agree on, such as ISO 27001. You must ensure your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation and review.
Do you have the right to audit?
This particular item is no small matter and one of the most important cloud security tips. Your cloud provider should agree in writing to comply with an auditing standard, such as SSAE 16. With cloud computing, proving to auditors and assessors that compliance is being met is becoming more challenging to demonstrate. Of the many regulations dealing with IT, few were written with cloud computing in mind, and auditors and assessors may not be familiar with cloud computing or with a given cloud service.
What type of training does the cloud provider offer its employees?
This is actually a rather important item to consider because people will always be the weakest link in security. Knowing how your provider trains its employees is an important item to review. Most attacks are both technical and social. The steps a provider takes to address social-engineering attacks delivered by email, malicious links, phone calls and other channels should be included in its training and awareness program.
What type of data classification system does the provider use?
Here, questions you should be concerned with include the type of standard being used to classify data and whether the provider supports it. Tokenization is a growing alternative to encryption and can help ensure compliance with regulatory requirements such as those under the Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, Gramm-Leach-Bliley Act and the EU data protection regulations.
Is encryption being used?
Encryption should be discussed. Will the original data leave the organization, or will it stay internal to satisfy compliance requirements? Will encryption be used while the data is at rest, while it is in transit, or both? You will also want to know what type of encryption is being used. There are, for example, important differences between DES and AES. And make sure you understand who maintains the encryption keys before moving forward with a contract. Encryption should always be on the list of critical cloud security tips.
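The tokenization passage above (data classification) and the key-custody point under encryption share one idea: sensitive values can stay inside the organization while the provider only ever sees surrogates. The following is an added example, not code from the article or from any provider. It assumes a hypothetical on-premises `TokenVault` that replaces payment card numbers with random `tok_` tokens, a keyed fingerprint so the vault's own index does not leak the card numbers, and a pre-upload check (`contains_raw_pan`) that a record headed for the cloud no longer carries a Luhn-valid card number. The HMAC key and the sample card number are constructed for the example.

```python
import hmac
import hashlib
import re
import secrets
import string
from dataclasses import dataclass, field

# Hypothetical on-premises vault: the only place the real card numbers (PANs) exist.
# Records that leave for the cloud provider carry tokens instead of PANs.


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (also how DLP scanners spot PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_TOKEN_ALPHABET = string.ascii_lowercase + string.digits


@dataclass
class TokenVault:
    """Maps PANs to random surrogate tokens. hmac_key is held by the data owner only."""
    hmac_key: bytes
    _by_token: dict = field(default_factory=dict)        # token -> PAN
    _by_fingerprint: dict = field(default_factory=dict)  # HMAC(PAN) -> token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash, so the lookup index does not itself reveal the PAN.
        return hmac.new(self.hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(digits)
        if fp in self._by_fingerprint:  # the same PAN always yields the same token
            return self._by_fingerprint[fp]
        while True:
            # Random body: no mathematical relation to the PAN, so there is nothing to decrypt.
            body = "".join(secrets.choice(_TOKEN_ALPHABET) for _ in range(16))
            token = f"tok_{body}_{digits[-4:]}"  # last four digits kept for receipts and support
            if token not in self._by_token:
                break
        self._by_token[token] = digits
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code with access to the vault can recover the PAN."""
        return self._by_token[token]


_PAN_RE = re.compile(r"\d{13,19}")


def contains_raw_pan(record: dict) -> bool:
    """Pre-upload check: does any field still hold a Luhn-valid card number?"""
    for value in record.values():
        text = str(value).replace(" ", "").replace("-", "")
        if any(luhn_ok(m.group()) for m in _PAN_RE.finditer(text)):
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault(hmac_key=secrets.token_bytes(32))  # key never leaves the premises
    # Constructed sample order; the card number is a well-known test value.
    order = {"customer": "A. Example", "card": "4111 1111 1111 1111", "amount": 42.00}
    print("raw record safe to upload?", not contains_raw_pan(order))
    order["card"] = vault.tokenize(order["card"])
    print("tokenized record safe to upload?", not contains_raw_pan(order))
    print("cloud sees:", order["card"])
    print("vault recovers:", vault.detokenize(order["card"]))
```

The design choice worth noting is that the vault and its HMAC key answer the article's question "who maintains the keys": they stay with the organization, and the provider holds data that is useless without them. The pre-upload check is the kind of control an auditor can be shown to demonstrate that PANs do not reach the provider.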
How is your data separated from the data of others?
Is the data on a shared server or a dedicated system? A dedicated server means your information is the only information on the server. With a shared server, the amount of disk space, processing power, bandwidth and so on is limited because others are sharing the same device. You will need to determine whether you need a private cloud or a public cloud, and who is hosting it. If the system is shared, the data could potentially become commingled in some way.
What is the long-term viability of the provider?
How long has the cloud provider been in business, and what is its track record? If it goes out of business, what happens to your data? Will your data be returned in its original format?
What happens if there is a security breach?
If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloud-based services are an attractive target to hackers. Side channel, session riding, cross-site scripting and distributed denial-of-service attacks are just some of the threats to data in the cloud.
What is the disaster recovery and business continuity plan?
While you may not know the physical location of your services, they are located somewhere. And all physical locations face threats from fire, storms, natural disasters and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services is it promising?
According to forecasts by Cisco, within the next three years, more than four-fifths of all data center traffic will be based in the cloud. This means if you have not already made the switch, it's likely you will by 2020. Use this time to make sure you migrate the correct way. Define your contract requirements up front and don't just replicate the security you have on premises. Instead, use the migration to improve it.