7 Point Plan to Assess Cloud Security
Security and data integrity are rightly a high priority in any IT decision. However, we need to be clear about the real risks of the cloud and how they compare with the other options available. Inaccurate or overstated estimates of the risks, and the assumption that all cloud providers offer the same level of security, are commonplace.
Here we assess the state of cloud services and pass on some tips for investigating how your provider stacks up on the security front.
Uptake of Cloud Services
With growth for cloud services purportedly at around 34% per annum in Australia, you could be forgiven for thinking that most businesses have already overcome their security fears with the technology.
However, word travels fast these days, and a few rumblings on social media can become "established fact" very quickly. Although the average executive does not make decisions based on rumour, security remains something of a "dark cloud" for boardrooms and must be addressed methodically, as with any new technology.
The Top Concerns in Surveys
The major concerns regularly raised by businesses include the security of the underlying technology, data and information safety, disaster recovery, unauthorised access to files, encryption, application security and identity management.
Cloud services come in several service models, and each splits the security responsibilities between provider and customer differently. Knowing exactly where that split falls for the service you are buying is the starting point for everything that follows.
With Software as a Service (SaaS), where the customer uses the provider's applications within the provider's infrastructure, you hand almost all of the network, platform, physical and environmental security over to the provider. What you keep is still significant: who your users are, what each of them is allowed to see, how strong their authentication is, and which data you choose to put into the service.
Infrastructure as a Service (IaaS) leaves responsibility for the operating system, the applications, the data and the network configuration inside your virtual machines largely with the customer, while the provider is responsible for the physical and environmental security of the data centre and for the virtualisation layer that separates you from other tenants.
How to Conduct a Step by Step Security Analysis of your Cloud Provider
Check Your Provider’s PHYSICAL Security
One of the biggest risks for a customer is not understanding what security is actually in place and therefore not knowing where the gaps are. What is the physical security around the data centre? What are the provider's security policies? Who can access what information, and how are those policies enforced? Where possible, visit the site and confirm that the written policies are practised; otherwise ask for a recent independent audit report that covers the same controls. What disaster management and recovery practices do they have, and how often are they tested?
Check What “Authorised Access Only” Means
"Human beings are often the weakest link in the security chain."
A big concern is someone within the cloud provider's own organisation gaining unauthorised access to your information and abusing it, for example by passing it to outsiders. This can equally happen when you run the service in-house, but make sure the provider has a rigorous screening process before hiring staff, including police checks. Then check exactly who is covered by "authorised access" to your data: the more people who have access, the higher the likelihood of a problem. Ask whether administrative access is granted on a least-privilege basis, whether it is logged, and whether you can obtain those logs.
Remember that your Provider uses Other Providers
"Are the third parties equally protected against hackers?"
This is a key point. Your provider is usually reliant on third parties for some of its services, so you need to be sure those providers are equally robust. Ask for the list of sub-processors that will handle your data, and whether rigorous security measures are enforced when interacting with them, so that your data is protected end to end.
Check Network Security
"A denial of service is the most important security threat to cloud computing."
There are several questions to ask your cloud provider here. What capacity and mechanisms do they have to absorb or mitigate Denial of Service attacks, and has that capacity been tested? What firewalls and filtering sit in front of your services, and who reviews the rulesets? How quickly are network devices and their software patched? What IDS/IPS systems are in use, who monitors the alerts, and how and when will you be told about a breach that affects you?
Check Access Control Security
"Insufficient access control can lead to numerous security threats that eventually threaten availability."
This is another common area of concern that you need to check: authentication, user management and provisioning. Ask the provider how they address it today, who is in charge of the credential management process, how identities are verified, whether multi-factor authentication is available or enforced for administrative accounts, how quickly access is removed when someone leaves, and whether federated or open identity standards (such as OpenID) can be used for registration and authentication so that you keep control of your own user directory.
Check Web Application Security
"Clouds are generally homogeneous and any attack can be rapidly replicated and amplified across the cloud tenants."
Another place where breaches occur at providers without adequate security is the web application layer. This can happen in your own environment too, but cloud providers are higher "on the radar" than an in-house network, and a single flaw in a shared application can expose many tenants at once, so security needs to be beefed up here. Ask the provider how they protect against XSS, SQL Injection, CSRF and session management flaws, how API traffic is encrypted in transit, who is responsible if there is a breach and what happens afterwards. Also check whether they routinely scan their applications for vulnerabilities, and whether they allow you, the client, to run your own assessment tools or commission a penetration test against the service.
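To make the SQL Injection question above concrete, here is an added example (not code from the original article or from any provider) showing why a shared, multi-tenant web application is such an attractive target. It uses an in-memory SQLite table with constructed tenant data: a lookup built by string formatting lets one tenant's crafted input return every tenant's API key, while the parameterised version of the same query returns nothing for the attack string. The table, tenant names and the `PAYLOAD` string are all invented for illustration.

```python
import sqlite3

# Constructed sample data: three tenants sharing one application database.
TENANTS = [
    ("acme", "key-acme-001"),
    ("globex", "key-globex-002"),
    ("initech", "key-initech-003"),
]

# Classic injection string: closes the quoted value and appends a tautology.
PAYLOAD = "acme' OR '1'='1"


def make_db():
    """Create an in-memory multi-tenant table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany("INSERT INTO tenants (name, api_key) VALUES (?, ?)", TENANTS)
    return conn


def lookup_vulnerable(conn, name):
    """Insecure: the caller-supplied name is spliced into the SQL text."""
    sql = "SELECT name, api_key FROM tenants WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the name travels as a bound parameter, never as SQL."""
    sql = "SELECT name, api_key FROM tenants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a normal value and with the attack string."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "acme"),
        "vulnerable_attack": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "acme"),
        "safe_attack": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup with `PAYLOAD` returns all three tenants' keys, which is exactly the cross-tenant amplification the quote warns about; the safe lookup returns an empty list because the whole string is compared as a literal name. When you ask a provider how they defend against injection, parameterised queries like `lookup_safe` (plus input validation and least-privilege database accounts) are the kind of answer you should expect to hear.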
Check about Data Deletion
"There can be a problem with insecure or incomplete data deletion that may lead to access to former tenants' data."
You will not be with your cloud provider forever. What happens to your data when you move to another service? Ask how you get your data out, in what format, how long the provider keeps it (including in backups) after you leave, and how they confirm it has been deleted. Make sure all of this is laid out clearly in writing by any provider you are considering.
Ensuring your Cloud Provider is Right for You
Ensuring that your provider has strong security measures in place is just as important as ensuring that the cloud service is always available and performing well.
Before signing with any cloud service you should have Service Level Agreements (SLAs) in place covering things like network performance and uptime.
When it comes to judging the security robustness of your provider, do your homework up front and ask the hard questions outlined above, so that you arrive at an SLA and contract that you know cover all of your key concerns.
There are large benefits in cost savings, flexibility and storage capacity from moving to the cloud, but no company should pursue them at the expense of the security of its data.
It is therefore vital to know what the general risks are, what the specific risks are to you and your business, who is responsible for what, and what happens in the event of a security breach.