Cloud computing is gaining momentum in the business world. More and more businesses want to move their IT usage to the cloud, utilizing cloud computing benefits such as faster provisioning, scalability and lower capital expenditure.
Many security professionals are not very comfortable with cloud computing as an option for the technology needs of the organization. Often they act as the "Dr. No" towards the cloud computing options available or presented.
Now the big question is: "How long can CISOs avoid cloud computing?"
Let us look at the history.
Banks introduced ATMs and we were doubtful about them, often counting the money. Now it is a normal thing to take the money, and many times no one counts how much the machine delivered.
The next thing was the Internet. Critical systems were never connected to the internet in the earlier days. Now most systems are connected to the internet, directly or indirectly.
Internet banking was the next thing. A UAE based bank opened its internet banking channel only two years back. Though there are people still using the conventional banking channels, online banking is a key channel today where customers do financial transactions over the internet. In the earlier days, it was not the case.
In all these cases, there used to be resistance to adopting the change. Cloud computing is no different. It is only a matter of time before it is adopted by companies and CISOs.
Many CEOs are not very sure about cloud computing, or even whether they are already using cloud computing in their business. Think about services like Gmail powered email, Salesforce CRM and many others of that sort: they are all cloud services.
Now the question is: "How to get cloud computing adopted in your business when required?"
There are some key questions a CISO should ask the cloud computing vendor to assess whether they can protect your data as well as you are protecting it internally in your organization.
Network & Systems delivering the cloud service
- How is authentication to access the network devices and operating systems implemented? Does it use any two factor authentication?
- What about the availability of the network and security infrastructure? Does it implement load balancing or high availability solutions for critical infrastructure components like firewalls, IPS, reverse proxies etc.?
- Are the underlying cloud systems secured? Do they have a baseline configuration implemented? How is the configuration managed? Does the cloud computing provider have a plan and/or policy to perform configuration management, patch management, anti-malware etc.?
- Does the network undergo periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensured that a compromised client with privileged access to the operating system is separated internally?
- Does it undergo periodic audits against standards like ISO 27001, SAS 70 etc.?
- How is one customer's data separated from another's? What are the security controls implemented to ensure this separation?
- What are the protection and response controls against Denial of Service attacks?
Cloud Applications & Data Protection
- What are the security controls in the application development process? Does it include security code reviews of the code being developed or used?
- Is there a documented change and configuration management process? How are the application servers patched, and at what frequency?
- What are the mechanisms for managing access control? How is the database protected from unauthorized access? How do they verify that access reset requests come from the actual user? How do they create and delete/disable user accounts? What are the procedures for these activities?
- Is the data encrypted? If encrypted, how are the encryption keys protected? What key management process is being followed?
- How is data loss prevention ensured? What are the details of the DLP controls implemented?
- Is there a backup mechanism established? How is the data protected in the backups?
- Does the cloud service provider meet the regulatory requirements? For example, if the service is an ecommerce service, then the cloud service could become part of the cardholder environment and thus fall under the PCI DSS regulation, as card data is potentially being processed. Similarly, if health information is processed, HIPAA and similar regulations can apply. Does the cloud computing service provider meet these compliance requirements?
- Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? What about a cloud computing service provider who has a network of data centres across the globe, with your data scattered across these data centres? Can it limit the countries where the data is stored?
- What are the conditions / scenarios where the data is revealed without the consent / approval of the organization?
- Does the application provide enough audit trails to review incidents? Does it cooperate with the local legal system? Often the local law authorities require access to the processing computers; how does it support those requests?
- What are the information security management policies and procedures implemented and documented? Are all employees required to undergo security awareness training and acknowledge their acceptance of the policies and procedures at least annually?
- Does the cloud computing service provider have a dedicated information security professional? What are the network security capabilities established by the service provider? Are these personnel technically qualified and certified?
- How are insider threats within the cloud service provider being addressed? What is the background verification process being followed by the cloud service provider?
- Is there privileged activity monitoring of systems and databases? How are security incidents and violations handled? Does it have a documented policy?
- How is log integrity ensured? What are the mechanisms implemented to ensure that the logs cannot be altered and / or stopped? How long are the logs kept online and on backup?
- What are the business continuity and disaster recovery capabilities of the cloud service provider? Many organizations look at the cloud as a BCM solution. Is the underlying cloud service provider capable of delivering a BCM aware cloud service?
Not all questions above are necessarily in the scope of every cloud computing vendor selection process. Depending on the criticality of the data being hosted on the cloud computing infrastructure, you would need to choose the questions.
These questions were compiled to assess a cloud computing offering from a financial service provider and may not be suitable for all organizations. If you think I should add more to the list, do let me know. I might release an Excel sheet covering all these questions as a decision tree tool.