Best Practices: Vendor Management in the Clouds

by Mike McGee, Director, Coalfire

The storm is upon us! Or, at a minimum, there’s been a cloud invasion and business leaders are embracing it. Drawn by promises of operational efficiency and increased access, organizations are feeling the pressure to move to the cloud. It’s no longer if companies should move to the cloud, but when they should move to the cloud. One cause for apprehension, however, centers on vendor management issues. Organizations need to gain a comfort level with what exactly cloud computing is and what questions should be asked prior to moving to the cloud.

What are the risks? Am I responsible for meeting specific security controls? Who has access to my data? Who owns my data? These are all relevant questions, but ultimately the biggest question that business leaders are looking to answer is how to gain the efficiencies of cloud computing while limiting their organization’s risk.  One key area to look closely at is the cloud providers you choose to work with.

Here is a list of 8 security and privacy issues to consider when evaluating cloud providers:

  1. Governance
    Does the cloud provider meet your organization’s standards for policies and procedures? It’s important to remember that one of the goals of moving operations to the cloud is to provide the same (or greater) level of operational security and effectiveness while improving cost efficiency. If organizations compromise their standards, they might gain some efficiency but lose much more by way of a breach in security. 

  2. Compliance
    Compliance is one of the primary barriers against the adoption of cloud computing.  It’s the responsibility of cloud providers AND their customers to ensure that both organizations understand which aspects of compliance they both agree to fulfill. Whether the compliance standard is FedRAMP/FISMA, PCI, HIPAA, or another standard, all controls must be addressed, ideally seamlessly, among the two entities.

    There are many service providers listed as compliant with the PCI standards, and they are compliant, but only with designated sections of the Report on Compliance. It’s critical that organizations understand this and understand the scope of compliance prior to entering into an agreement with a cloud provider. 

  3. Trust
    Just like other service providers, cloud providers must earn the trust of their customers. I have three young daughters, who along with my son I value more than anything. I know that at some point I will have to let them go. But before that happens, I guarantee I will conduct my due diligence. For organizations, often times their most precious possession is their data, and this data would be hosted by a cloud provider. It is imperative that they conduct their due diligence as well.

  4. Architecture/Software Isolation
    Cloud infrastructures technically do not have to be virtualized, but this type of environment loses its ability to scale, and it loses the advantage of efficiencies without virtualization technology as its foundation. It’s important for the customer to understand the strengths and weaknesses associated with the specific solution.

    Will my information be in a multi-tenant environment? What controls are in place to ensure that my information is segmented from another customer? What type of continuous monitoring and logging is in place? These are all important questions to consider.

  5. Identity and Access Management
    Remote access is a concern for all forms of regulation and it’s becoming more so as technology continues to adapt and provide users with more mobility. One of the essential characteristics of cloud computing is the ability to access it from anywhere. This makes the positive identification of those who access the information even more critical.

  6. Data Protection
    What security controls are in place to protect your data? The measures should be clear, concise and well understood by all parties. How is your data being managed? Does the cloud provider meet your organization’s standard for data protection?

    Also, it’s important to consider what measures an organization should put into place prior to moving data. If data is encrypted prior to being stored in the cloud, obviously the risk is reduced significantly. That may increase operational costs, but it could save money in the long run.

  7. Availability
    As we’ve seen, it’s important that companies ensure they mitigate their risk and either have a sufficient back-up site or Service Level Agreement (SLA) with their cloud provider (see the story about Amazon from May 2010). Regulatory guidance and customer satisfaction will likely drive the need to ensure systems are operational 24/7 and it’s important for companies to consider this from the beginning. 

  8. Incident Response
    What responsibilities does the cloud provider have to notify you of incidents in its environment? If a customer is breached in a multi-tenant environment, then your organization is also at risk. Not all cloud providers feel the same, so make sure they are obligated to do so.

    Vendor management processes are becoming even more of a focal point within compliance frameworks. As companies continually look to reduce near-term operational costs, this process becomes even more critical to the success of an organization. Keep these issues we’ve discussed in mind and make sure to do your due diligence!