Staying secure is top of mind for everyone moving to cloud computing. When you hand over network processes to an infrastructure-as-a-service (IaaS) provider, you’re transferring responsibility while still remaining accountable. How can you be sure that your network remains secure and compliant?
This article details the seven best practices you need to follow in order to securely navigate the cloud landscape.
SAS 70: In June 2011, SAS 70, the auditing standard under which controls at service organizations such as cloud computing providers are reported on, will be superseded by the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.
1. Prepare applications for cloud integration
The first step in readying your organization for the cloud involves making in-house adjustments to applications, because many applications have a one-to-one relationship with the hardware that hosts them. They can normally be installed on a virtual server, but they can't scale out across additional servers. Take a look at the applications you plan to host in the cloud. Can they use the provider's application programming interfaces (APIs) to grow or shrink automatically, calling in resources as demand requires?
1.1 Make the move to SaaS
If you haven’t already, begin moving from locally installed software to software-as-a-service (SaaS) wherever possible. Not only will this transfer the burden of upgrading and patching applications to SaaS providers, but you will avoid the effort of moving applications to your infrastructure-as-a-service (IaaS) cloud environment.
2. Coordinate conventional and cloud-based security controls
Conventional security controls work by pattern recognition: intrusion detection systems and similar controls compare traffic against known signatures and learned baselines, and sound the alarm when something deviates. Traffic to and from the cloud doesn't fit a predictable pattern. Instances appear and disappear as an application scales, source addresses and volumes shift with them, and a scale-out burst can look a lot like a scan or a flood. When you move to the cloud you hand much of the day-to-day responsibility for keeping your data secure to your provider, but your internal controls still have to be reconfigured to take the parameters of cloud activity into account, and incident response has to be coordinated with the provider so that both sides can tell legitimate cloud activity from an attack.
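To make that tuning concrete, here is an added example (illustrative code written for this article, not code from Bell or from any cloud provider) showing a rate-based alert before and after it is taught about the cloud tier. The flow records, the address ranges, the instance inventory and the scale-out notification are all constructed, with documentation address ranges standing in for a real provider's. The point is that a burst from newly provisioned instances is explained only when it comes from the provider's published range, on the port the tier is expected to use, and matches an instance the provider announced; everything else, including unexplained traffic from inside the provider's range, still alerts.

```python
"""Added example for this article: retuning a rate-based alert so that an
elastic cloud tier is not mistaken for an attack, without whitelisting the
provider wholesale.

Illustrative code, not a vendor feature. The flow records, the address
ranges, the instance list and the scale-out notification are constructed
for the example (203.0.113.0/24, 192.0.2.0/24 and 198.51.100.0/24 are
documentation ranges, not a real provider's). In practice the ranges come
from the provider's published list and the scale-out events from its
notification service."""
import ipaddress

# Constructed flow summaries for one minute: (source IP, destination port,
# new connections seen).
FLOWS = [
    ("198.51.100.7", 443, 12),     # ordinary client, below threshold
    ("203.0.113.10", 8443, 240),   # long-running instance of the cloud tier
    ("203.0.113.11", 8443, 260),   # instance added by this minute's scale-out
    ("203.0.113.12", 8443, 255),   # instance added by this minute's scale-out
    ("203.0.113.50", 22, 500),     # provider range, but SSH and never announced
    ("192.0.2.66", 22, 300),       # SSH brute force from outside
    ("192.0.2.67", 8443, 280),     # right port, wrong origin
]

THRESHOLD = 200  # new connections per minute above which the conventional rule alerts

# Hypothetical provider-published ranges for your tenancy, and the ports the
# cloud tier legitimately uses to talk to your on-premises side.
PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_PORTS = {8443}

# Hypothetical inventory: instances already known, plus the instances named
# in the provider's scale-out notification for this minute.
KNOWN_INSTANCES = {"203.0.113.10"}
SCALE_OUT_EVENT = {"203.0.113.11", "203.0.113.12"}


def conventional_alerts(flows, threshold=THRESHOLD):
    """The untuned control: any source above the rate threshold is an alert."""
    return sorted(src for src, _port, count in flows if count > threshold)


def cloud_aware_alerts(flows, threshold=THRESHOLD, ranges=PROVIDER_RANGES,
                       expected_ports=EXPECTED_PORTS, known=KNOWN_INSTANCES,
                       scale_out=SCALE_OUT_EVENT):
    """The tuned control. A source above threshold is treated as expected
    only when all three hold: it is inside the provider's published range,
    it uses a port the cloud tier is supposed to use, and it is either a
    known instance or one the provider just announced. Anything else,
    including unexplained traffic from inside the provider's range, still
    alerts. Returns (alerts, explained), both sorted."""
    alerts, explained = [], []
    for src, port, count in flows:
        if count <= threshold:
            continue
        addr = ipaddress.ip_address(src)
        in_range = any(addr in net for net in ranges)
        announced = src in known or src in scale_out
        if in_range and port in expected_ports and announced:
            explained.append(src)
        else:
            alerts.append(src)
    return sorted(alerts), sorted(explained)


if __name__ == "__main__":
    print("conventional alerts:", conventional_alerts(FLOWS))
    alerts, explained = cloud_aware_alerts(FLOWS)
    print("cloud-aware alerts:", alerts)
    print("explained by inventory/scale-out:", explained)
```

The untuned rule reports six sources, three of them the application's own instances. The tuned rule keeps the three real problems (the outside SSH brute force, the heavy traffic from outside the expected range, and the unannounced SSH source inside the provider's range) and explains the rest. The scale-out notification is the piece of coordination with the provider that makes the third condition possible; without it, every autoscale event is an alert.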
3. Look for standardization in cloud services
In traditional relationships with technology providers, finding a supplier that can tailor their solution to your business needs is a good thing. Just the opposite is true with cloud computing. Cloud infrastructures are able to offer computing services at affordable rates because they have reached a high level of efficiency in every function, from providing the services you need to reporting and incident management.
The policies and procedures in place at a cloud provider are standardized precisely so that every tenant is handled in the same tested way. Think of a cloud service as a finely tuned machine: any attempt to alter the way that machine works introduces risk. If a potential cloud computing provider is willing to customize their service to meet your needs, think twice about using them.
4. Choose a cloud provider whose corporate security policies resemble your own
Since cloud providers are not able to change the way they handle security to suit individual requirements, try to map your own requirements to those of potential providers. Make sure that the controls they have in place are rigorous enough to give you the confidence to do business with them, and that they are willing to evolve their security services as the threat environment changes.
5. Understand that security certification only goes so far
With cloud computing, you have to be able to trust a provider with your organization's security. But this doesn't mean putting all your faith in audit reports and certifications. More cloud providers are obtaining SAS 70 reports. SAS 70 is an American Institute of CPAs auditing standard under which an independent auditor reports on a service organization's controls, but the controls and control objectives being examined are described and selected by the service organization itself.
While your own auditors will typically ask for the provider's SAS 70 report when your SOX controls depend on that provider, and a PCI assessor may accept it as supporting evidence, remember that it is not a certification against an external benchmark: it attests that the organization is operating the controls it chose to describe. As such, it can be quite narrow in scope, and what it covers is largely up to the company. A Type II report, which covers operating effectiveness over a period of months, tells you more than a Type I snapshot of control design, and neither replaces a PCI DSS assessment of your own cardholder data environment.
Potential providers should also be able to show you the high-level results of a broader review conducted by a trusted third party. The best such reviews draw conclusions, propose remediation, and then the auditors return to determine whether remediation is complete.
6. Determine providers’ depth of reporting and incident investigation
When you outsource to the cloud, your visibility into what's going on in the network decreases, because the provider's raw logs are generated by shared infrastructure: giving you access to them would also expose other clients' information. So how do potential providers handle event reporting? Examine their processes and find out whether they will also let you run your own reports, for example by giving you a feed of the events that concern your own tenancy.
In addition to exploring the methodology around event reporting, determine how a forensic investigation would be conducted if an incident occurred. Obtaining raw log data is problematic; even with a lawful access request, the provider's controls protecting other tenants' data may still prevent you from obtaining it. Find out what protocols providers have in place for incident investigation, walk through hypothetical scenarios with them, and choose accordingly.
7. Investigate threat mitigation capabilities
What would happen if your cloud provider were taken offline by a distributed denial of service (DDoS) attack? Would your ability to do business be compromised? Even if two providers have the same security standards in place, some are able to deliver a higher level of resilience than others because their Internet footprint is larger, giving them greater visibility into the threat environment. Visibility matters especially for DDoS, because a distributed attack arrives from many sources through many points of entry at once. In its early stages each individual site sees only a slice of the traffic, often small enough to pass for normal load; only traffic pattern analysis aggregated across the provider's whole footprint can detect and counter the attack before it has grown.
Find out the specifics of your shortlisted providers' capabilities for countering such threats. If they rely on a data centre or two to filter traffic coming in from the Internet, your services may not be as reliably available as you require.
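The following added example (illustrative code written for this article, not a Bell or provider tool) shows why that aggregation matters. Six edge sites and ten quiet minutes of request counts are constructed; a flood spread thinly across all six leaves every site within three standard deviations of its own baseline, a view over only two of the sites still misses it, and the sum over all six is clearly anomalous. The detection rule is the simplest one possible, mean plus k sample standard deviations of the baseline, chosen to keep the arithmetic visible rather than to recommend it.

```python
"""Added example: why a coordinated flood is visible in aggregate before it
is visible at any single site.

Illustrative code written for this article, not a vendor's product. The
per-minute request counts, the six edge sites and the attack minute are all
constructed; the detection rule (alert when the current count exceeds the
baseline mean by k sample standard deviations) is deliberately simple."""
import statistics

# Constructed baseline: ten quiet minutes of request counts at six edge
# sites. Each site's noise is the same pattern shifted by one minute, so the
# sites fluctuate independently enough for the example without any random
# numbers (the data are fixed so the results are reproducible).
NOISE = [-120, 80, -40, 150, -90, 30, 110, -60, 20, -80]
SITES = ["A", "B", "C", "D", "E", "F"]
HISTORY = {
    site: [1000 + NOISE[(minute + i) % len(NOISE)] for minute in range(10)]
    for i, site in enumerate(SITES)
}

# Constructed attack minute: a flood spread thinly over all six sites, so
# every site sits only 12-20% above its normal load of about 1000.
ATTACK_MINUTE = {"A": 1120, "B": 1130, "C": 1190, "D": 1160, "E": 1200, "F": 1150}


def detect(history, current, sites, k=3.0):
    """Sum the chosen sites' counts for each baseline minute, model the sum
    as mean + k sample standard deviations, and return (alert, z_score) for
    the current minute's sum over the same sites."""
    minutes = len(next(iter(history.values())))
    totals = [sum(history[s][m] for s in sites) for m in range(minutes)]
    mean = statistics.mean(totals)
    sd = statistics.stdev(totals)
    now = sum(current[s] for s in sites)
    z = (now - mean) / sd
    return z > k, round(z, 2)


def local_alerts(history, current, k=3.0):
    """What a single data centre sees: each site judged on its own traffic.
    Returns the names of the sites that would alert."""
    return [s for s in history if detect(history, current, [s], k)[0]]


def aggregate_alert(history, current, sites=None, k=3.0):
    """What a provider with visibility across its footprint sees. Pass a
    subset of sites to model a provider that filters at only a few points."""
    return detect(history, current, sites or list(history), k)


if __name__ == "__main__":
    print("sites alerting on their own:", local_alerts(HISTORY, ATTACK_MINUTE))
    print("two-site view (alert, z):", aggregate_alert(HISTORY, ATTACK_MINUTE, ["A", "B"]))
    print("six-site view (alert, z):", aggregate_alert(HISTORY, ATTACK_MINUTE))
```

With these figures no site alerts on its own (the largest per-site deviation is just over two standard deviations), the two-site view reaches about 2.5 standard deviations and stays quiet, and the six-site sum is roughly seven standard deviations above its baseline. Uncorrelated noise at different sites partly cancels when summed while a coordinated flood adds up in full, which is why the same attack that is invisible at one data centre is obvious across a large footprint.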
Cloud provider assessment checklist
Ready to create a shortlist of cloud providers? Find out what specific questions to ask in order to find the best fit.
Other resources that you might find useful:
- Demystify cloud computing and harness its power: A practical roadmap – white paper
- Prepare for cloud computing's evolution – How changes in cloud computing can help your business – Expert Q&A with Strahan McCarten
- White paper: Evolving your network into a strategic asset – A roadmap
- Virtualization white paper: Navigating the road to IT optimization
- Virtualization requirements assessment tool
Talk to Bell
Since moving to the cloud entails a shared responsibility for data security and compliance, your choice of cloud computing provider is crucial. Not all providers can guarantee the security of your data, nor do all have reliable contingency plans, should an incident occur. To learn more, contact your Bell representative, or request that a Bell representative contact you.