Cloud provider security requirements: What to look for

Chris Squier, Channel Chat Blogger

To some the cloud is a “big-sky” opportunity that will only improve the way they do business. To others it’s more like a fog with a blurry value proposition. I’m a fan of cloud services, but you can't go into the cloud blind. If you’re shopping for a set of cloud services to resell, here are some cloud provider security requirements that you should ask about:

Independently-conducted cloud auditing

Be it with SAS70, CloudTrust, CloudAudit, or some other cloud auditing standard, the provider you choose should have some means of showing you its performance and security data.

While you shouldn’t expect providers to reveal every detail of how they do business -- because that could be a security vulnerability in and of itself -- you should get regular overview reports that provide an executive summary, findings and remediation activities from a business-level standpoint.

If there are any other details that you need to provide for legal and auditing purposes within your organization, your provider should be able to customize the reports. If the service you are looking for requires extra scrutiny, you may want to ask them if there are provisions to do a joint independent vulnerability assessment. If you go that route, be prepared to pay a premium for it.

Intellectual property is a cloud security requirement

At the core of any cloud service you will find multiple blade servers running large numbers of virtual machines (VMs). It’s likely that your information assets will be sharing some living space on those machines. It’s good to know whether the controls that are in place make sense for the level of security and availability you require. High-security VMs should be grouped together, with extra controls applied above and beyond the standard security configuration.

Lifecycle management and tracking metadata

The concern here is not just your information assets, but the metadata surrounding them. In the event of a breach you may be required to provide a virtual paper trail of some sort to show what happened. Metadata such as access times and the login credentials that were used will provide that trail.

There should also be a procedure in place for how VMs are destroyed when they are no longer needed. They’ll likely still contain some of your information assets. Having a plan that includes a “chain of custody” list and an unrecoverable wipe of the VM will help you sleep better at night.
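As an added illustration of the two points above (the metadata trail and the chain-of-custody wipe procedure), and not code from the original column or from any provider, here is a small Python sketch: a hash-chained custody log that records who touched a VM and when, with tamper detection, plus a block-level check that a decommissioned disk image no longer contains any of its former content. All VM ids, actors, timestamps and image bytes are constructed sample data.

```python
"""Added example: chain-of-custody log for a VM's lifecycle and a wipe check.
Everything here (vm-0042, the actors, the timestamps, the image bytes) is
constructed sample data, not real provider output."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

BLOCK = 512  # block size used for the wipe check (constructed choice)


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str   # ISO 8601, supplied by the caller
    vm_id: str
    actor: str       # login identity that performed the action
    action: str      # e.g. created / accessed / wiped / destroyed
    prev_hash: str   # hash of the previous entry, "" for the first one
    entry_hash: str = ""


def _hash_entry(e: CustodyEntry) -> str:
    # Hash every field except the hash itself, in a canonical order.
    body = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only log where each entry commits to the one before it, so a
    later edit to any entry breaks the chain from that point on."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, timestamp: str, vm_id: str, actor: str, action: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        e = CustodyEntry(len(self.entries), timestamp, vm_id, actor, action, prev)
        e.entry_hash = _hash_entry(e)
        self.entries.append(e)
        return e

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = ""
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or _hash_entry(e) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None


def _block_hashes(data: bytes) -> List[str]:
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest() for i in range(0, len(data), BLOCK)]


def surviving_blocks(original: bytes, after_wipe: bytes) -> List[int]:
    """Indices of original blocks whose content still appears anywhere in the
    post-wipe image. Empty list means nothing of the original is recoverable.
    All-zero original blocks are skipped: they match a zero-filled wipe but
    carry no information worth recovering."""
    after = set(_block_hashes(after_wipe))
    zero_hash = hashlib.sha256(bytes(BLOCK)).hexdigest()
    return [i for i, h in enumerate(_block_hashes(original)) if h != zero_hash and h in after]


def demo():
    """Build a sample custody trail and run the wipe check on a constructed image."""
    log = CustodyLog()
    log.append("2011-03-01T09:00:00Z", "vm-0042", "ops.alice", "created")
    log.append("2011-03-15T14:22:10Z", "vm-0042", "dev.bob", "accessed")
    log.append("2011-06-30T17:05:00Z", "vm-0042", "ops.alice", "wiped")
    log.append("2011-06-30T17:06:00Z", "vm-0042", "ops.alice", "destroyed")

    # Three distinct 512-byte blocks standing in for a small disk image.
    original = b"".join(bytes([65 + i]) * BLOCK for i in range(3))
    fully_wiped = bytes(len(original))            # zero-filled overwrite
    partial = bytes(BLOCK) + original[BLOCK:]     # only the first block overwritten
    return {
        "chain_ok": log.verify() is None,
        "wiped_leftover": surviving_blocks(original, fully_wiped),
        "partial_leftover": surviving_blocks(original, partial),
    }


if __name__ == "__main__":
    print(demo())
```

The log is the "chain of custody list": each entry carries the access time and the identity that acted, and `verify()` pins down the first entry that was altered after the fact. `surviving_blocks()` is the evidence that the "unrecoverable wipe" actually happened; a partially overwritten image is reported block by block rather than passed as wiped.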

Physical security is a cloud security requirement

Admittedly I’m being a bit paranoid, but does the cloud provider’s physical data center site scream, “I have valuable stuff in here?” Hopefully not. The more nondescript the facilities look, the better. Inside the data center, mission-critical systems should be physically sectioned off and proper physical access controls applied.

What security controls are you responsible for?

Once you offload your business processes into the cloud, that doesn’t necessarily mean that your security responsibilities end there. You’ll want to get a clear delineation as to where responsibilities begin and end between you and the provider.

This of course is not an exhaustive list, but rather some food for thought. Those cloud providers that are serious players in the game will get this and can likely provide most of this information up front. Those that don’t are not offering the clouds you’re looking for.

Chris Squier, CISSP CISM is a senior technology solutions engineer who specializes in IT security, convergence security, business continuity, identity, risk management and preparation mitigation. He works for Ingram Micro Inc., the world’s largest technology distributor. Chris.Squier@IngramMicro.com, www.ingrammicro.com