Security Information for Entering the Cloud
Deciding to Enter the Cloud: Risk Assessment
1) Organizations should examine the services that they are outsourcing to the cloud provider. Choose which services best fit the cloud and your needs. Also, analyze any risks involved with moving these services to the cloud, such as your industry's standards for privacy.
2) Gather information on the efficiencies that will be gained or lost for each service that you are moving to the Cloud. Is a service better placed where it is now or in the Cloud?
3) For your service level agreement (SLA), you will need to decide which Cloud offering is best for your organization and analyze the benefits of each – SAAS (Software as a Service), PAAS (Platform as a Service), and IAAS (Infrastructure as a Service). For instance, the IAAS option will let you put language in your SLA allowing you to build your own control infrastructure for managing your part of their Cloud.
Any quality cloud provider should be able to provide a flow for risk assessment, but you know your organization the best and should analyze each service you are moving to the Cloud.
Questions to Ask the Cloud Provider before Moving to the Cloud
1) Who is capable, at the Cloud provider, of troubleshooting a given problem?
2) Who has access to the logs and can look at the relevant configurations? Does your local IT team have access to the logs? Generally you will want access to the logs. Logging is a primary means of IT accountability, since most user and system actions can be recorded in logs.
3) Will the provider allow outside personnel access to your Cloud if you request it, and if so, how quickly?
4) Who is responsible for troubleshooting problems, and at what level?
5) Will your provider be responsive if the symptoms of a problem fall technically outside their scope?
Be sure to establish in the contract where your Cloud falls in the provider's priority list compared to other Clouds (their other customers). If the worst-case scenario happens at the Cloud provider, when will they deal with your service to get it fixed? Can you live with their worst-case recovery time for your business's Cloud?
Disaster recovery is an important part of Cloud security: you don't want to have to keep moving your files around to other Cloud providers and possibly slip up on security along the way.
However, still make sure that your contract gives you the ability to move your operations quickly if that provider can’t recover within your needed timeframe.
Preparation is Vital when moving to the Cloud
Plan your migration out step-by-step starting with the smaller parts of your technology. You must know that a move to the Cloud, when done right, takes time and that your IT team must test the migration along the way and at the end of the migration.
Benefits of Moving to the Cloud are Immense
• Flexibility to develop and deploy software.
• When in-house resources aren’t available, in the Cloud virtualized resources are available on demand.
• Economy of scale of the Cloud lowers costs as your enterprise grows.
• Companies of any size can pick and integrate best-of-breed applications.
• Applications can be protected with strong authentication.
• A company’s customers gain convenience, confidence and reliable access.
• Certified security by the Cloud provider can benefit customers.
• Bug fixes and upgrades applied by the Cloud providers.
• Ease of access to services across desktop, mobile and other devices for employees.
• Greater security than in-house when the right Cloud provider is chosen.
• Reduced costs.
• Business enabler.
• Better availability.
Service Level Agreement (SLA): What Your Business Needs to Know
1) Does the Cloud provider's service depend on all of its customers standardizing on the same offering? Or can you customize "your Cloud" to your application and service needs?
2) Is the Cloud provider responsible for anticipating problems and addressing them before they lead to failures? Basically, what constitutes a service failure under the terms of the SLA contract?
3) What is the established remedy for errors made by the provider that affect security?
As for performance, your business should baseline your current in-house service performance. Challenge the cloud provider in the SLA to maintain or improve that baseline.
In developing your baseline, break it into as many components as you can, such as operating system, local area network, databases, Web server application, end-user experience and all the other parts that make up your overall performance statistics.
Security in the SLA.
1) How secure is secure enough and how do you know whether a provider has reached that level of security?
There are two ways to evaluate security in the Cloud.
1) Auditable security – this includes everything you can measure and configure within the spectrum of effective security.
2) Effective security – This is the sum of the security measures in place, including the level of attack that "your Cloud" and the overall provider service can withstand. Also included is how quickly the Cloud provider can respond to a breach, whether it is by bots, malware or hackers.
Today, systems are expected to use AES as a strong encryption algorithm; as the standard changes, other algorithms will be expected in the future.
Overall, your SLA should not be cookie-cutter. It should reflect your own risk tolerance. Choose a provider that can meet the unique needs of your business in the Cloud.
Good Security Habits Once in the Cloud
1) The Cloud provider should provide technical security controls, but the security of your business and customer/user data still falls on your organization. Data security must be thought of as your company's responsibility, and the liability is on you if it goes awry. Negotiate the highest data security possible in your SLA.
2) A well-recognized standard for information security in the Cloud is ISO 27001:2005 (information security standard). It sets out an outline of the most appropriate controls. The ISO information security standard was developed to provide a model for establishing, implementing, monitoring, reviewing, maintaining and improving an information security management system.
3) Identify and understand the scope of your offering and any loopholes in the code.
4) Identify your business information security assets.
5) Conduct regular risk assessments, including determining the weakest link in your security and improving it. Repeat this process over and over, each time finding and fixing the new weakest link.
6) Select the appropriate information security controls.
7) Trust, but remember to verify.
Compliance in the Cloud is Different for Different Industries
Look for Cloud providers that are certified as compliant for your industry. These niche Cloud providers can be the right move for your business as they focus on your industry and the configurations and security that are required specifically for it.
The Cloud used in this way can make compliance much easier and less costly. Certain industries that can benefit from niche providers include companies dealing with credit cards or healthcare information.
Also, sometimes companies must have a guarantee as to where their information is stored. This concerns both the jurisdiction where the Cloud is located and the jurisdiction where you conduct your business.
Remember, the Cloud is About People
Technology has made possible what people have come to expect, such as being able to access the information they need to do their job on the move from their mobile devices as well as in the office.
The Cloud is about empowering your staff in a better, more efficient manner.
With People Come Possible Security Breaches, Especially Mobile
We hope that most or all of your staff will be friendly and not out to ruin your Cloud IT systems. However, an employee could accidentally breach your Cloud security by not following a certain set of rules.
A business's IT department must set up policies, such as a mobile device policy. The mobile device policy (to protect the Cloud and in-house resources) needs to define the use of mobile devices in a manner that is compliant with the standards your organization sets for their use. Limitations on mobile devices, such as on the types of data that may be used on them, should be spelled out.
For instance, what if an employee, while in a restaurant, authenticates to the Cloud and then downloads customer data, so that this data is stored locally on his mobile or laptop device? Then imagine that the device is stolen. This is why data handling must be controlled and spelled out in a policy, to avoid such accidental data breaches.
Lastly, and the point most often overlooked: your employees must be made aware of and compliant with the mobile device policy. Consider administering a test to your employees to make sure they understand the mobile device policy and the ramifications for your Cloud and in-house data if it is not followed.
The number of mobile and remote workers who rely on accessing data and services from the Cloud will increase long into the future. These workers will use these systems on a day-to-day basis.
Remote access technologies grow in importance as mobile workers increase. IT staff should assist workers in connecting so that they understand the Cloud.
Don’t Forget the Physical Location of your Cloud
Ask your Cloud provider about the physical security of its data center.
Remember, your company still must follow relevant laws. Some laws do not allow you to store or transport customer data outside the borders of the country.
Considering that the Cloud is "anywhere" or "everywhere", this is a major hurdle.
Make sure of the following:
1) Understand the laws and regulations impacting you and the people for whom you will be storing data.
2) Understand how you can verify compliance with laws and regulations.
3) Understand the impact on your organization if you fail to comply with the laws and regulations that apply to it.
4) Understand the impact of laws and regulations on your proposed “cloud” solution.
Also, remember privacy:
1) Understand the privacy laws in the countries where your customers reside.
2) Understand the privacy laws in the countries where your data resides.
3) Understand the privacy laws in the countries where you maintain a business presence.
The Cloud Means Change
The only constant is change, and that holds for IT systems and the Internet above all.
The Cloud is not fully mature yet, but it is rapidly becoming so. Your organization must dedicate itself to the Cloud and continue to learn as other businesses study it. It can become a major competitive advantage for both large and small businesses and bring small businesses up to the level of large ones. The Cloud helps to level the playing field.
The risk of a security breach can be reduced to a minuscule level when this is done right. The correct standards must be followed, employees must be educated and the right choice must be made about who your Cloud provider will be.