Top 10 Cloud Security Tips
By Mike McGee, Director and Collin D. Schuler, Associate, Coalfire
In a recent survey, 54% of professionals stated that security is their primary concern when moving data to the cloud, especially those in the financial services or healthcare industries. The good news is that cloud security concerns seem to be fading, slowly but surely. According to the Wall Street Journal, 72% of small businesses and 63% of mid-sized companies said cloud security was their primary concern back in 2008. Three years later, only 50% of small businesses and 47% of mid-sized companies reported the same concern. “Companies are rethinking cloud security,” says Ray Boggs of IDC, a leading technology research group.
Cloud security, however, is a two-lane road: it imposes obligations on both parties (the cloud provider and the cloud user). Although a significant number of details must be covered to make the relationship work, cloud security does not have to be a prolonged or painful experience.
For cloud users, we offer these tips when addressing cloud security:
- Do your homework when it comes to potential cloud service providers. It can be easy to bypass this simple step, but in the long run, due diligence can be extremely valuable and might spare future headaches. Cloud users should evaluate the services offered by a cloud service provider, and then match those services to their needs. Other questions should include: What kind of reputation does the cloud service provider have in the market? Is the cloud service provider flexible enough to customize services and solutions? Do they have qualifying credentials or has a third-party assessment been performed on the cloud service provider? This is not just a business transaction but a partnership, and therefore choosing a cloud service provider should be done wisely.
- Clearly define the roles and responsibilities. Both the provider and the user should have a distinct understanding of their security roles and responsibilities. Leaving these critical obligations undefined can create conflict, threaten the security of the overall cloud architecture, and potentially damage the reputation of both parties. Roles and responsibilities should be documented by top management and executed in daily operational procedures. A good rule of thumb is to never assume anything within the cloud environment.
- Understand the compliance laws and regulatory standards. Laws are constantly changing, especially at the state and federal levels. At the end of 2010, the National Conference of State Legislatures reported that 46 states had enacted legislation governing the disclosure of security breaches of personal information, and that at least 29 states had enacted laws governing the disposal of personal data held by businesses and government entities. It is important that compliance rules and regulations are closely followed and maintained. This is especially important for the cloud user because in the event of a security breach, the user is almost always held accountable, not the cloud service provider.
- Ensure that a Service Level Agreement (SLA) is established. The relationship between a cloud service provider and a cloud user is headed for a collision when an SLA is left out of the original contract. When a network unexpectedly goes down or a system malfunctions, what do the policies and procedures explicitly state? Is there an estimated time frame for recovery when an outage occurs? When and how does scheduled maintenance take place, and who monitors for such events? According to the National Institute of Standards and Technology (NIST), an estimated 4.38 hours of downtime should be expected in a year at a minimum (excluding scheduled downtime for maintenance and upgrades).
- Identify where your data will be stored. It is not enough to know that your data is somewhere within a cloud environment. One researcher has suggested that if a cloud consumer cannot physically point at a machine and confidently state that is where their data is located, then the overall security architecture is insufficient. Other questions that should be addressed include: How is your data separated from other customers' data, and where does the cloud provider store the backup data? All of these questions should be answered before signing a contract.
- Ensure that physical security is adequate. Safeguarding information assets is nothing new to businesses and IT service providers. In the cloud this does not change; rather, most of the responsibility for physical security simply shifts to the cloud provider. Cloud users should verify that the cloud provider has enforced preventive, detective, and corrective controls, including video surveillance, locked doors, and alarm systems. Physical security also covers environmental protections such as fire suppression systems and uninterruptible power supplies.
- Enforce access controls. It’s one thing to have strong physical controls, but it’s another thing to know who has access to sensitive information. The cloud user, in particular, should know who has access to stored data within the cloud. How are those users screened before hire and then authorized for security purposes? Do these individuals have the minimum necessary privileges to perform their job duties? Are they effectively trained and aware of cloud security best practices? Cloud users must understand all of the policies and procedures pertaining to access controls, including personnel terminations or insider threats.
- Monitor the flow of data and analyze alerts. While access controls help prevent misuse of sensitive data, authorized personnel should also monitor the flow of data, analyze system alerts, and review the system logs. This measure helps identify breaches, track user activity, and enforce accountability for user actions. Although this responsibility primarily belongs to the cloud provider, cloud users must ensure that these procedures are actually being carried out.
- Use encryption to secure your data. Encrypting your data within the cloud is extremely important. If physical security and access controls fail to prevent an intentional threat, encryption serves as the next line of defense. Simply knowing that a cloud provider uses encryption is inadequate. Cloud users should be fully aware of, and understand, the encryption techniques used to secure their data. They should also know who holds the encryption keys, what the key change management process is, and whether the encryption method meets current compliance standards.
- Design a backup strategy. While many of us like to believe we can control situations and outcomes, the truth is that the future is unpredictable. Natural disasters can occur, the relationship with the cloud provider can turn sour, or an unexpected breach can severely damage your company. Unforeseen issues arise, and cloud users who are not prepared to handle such an event are putting themselves at tremendous risk. It is equally important to ensure that your cloud provider has a backup plan as well.
Although these tips do not reflect every detail within cloud security, they are designed to deliver a comprehensive overview of how cloud users (and providers) can prepare for the transition to a cloud environment. It is important to remember that every cloud user has different needs, and therefore, there is no “one-size-fits-all.”