Logs, Audits, Encryption
Considering a move to the cloud for one or several of your key services? If so, you are not alone. Cloud computing is growing exponentially as more and more vendors are starting to offer services, and as more businesses are beginning to see the potential for cost savings as well as the ability to offer new services that were beyond their capacity. When moving services to the cloud, you are moving critical parts of your IT infrastructure and corporate information assets to systems that you will not have direct administrative access to. You will be relying on your vendor to provide security, auditing, and change management for these components, and will be relying upon them to secure your data.
Security in the cloud is very good, and in many cases the economies of scale vendors have at their disposal along with the specialized staffing means it will be better than what you could reasonably accomplish on your own, but you do want to make sure you understand all aspects of security in the cloud.
Let’s get the biggest one out of the way first; audits. Find out what security audits and accreditations your vendor goes through, and make sure they are compatible with any requirements (contractual or legislative) you may be under. ISO 20000, 27001, SAS70 Types 1 and 2, and others are all relevant, but your vendor will obtain one or more of these on their own, and share those results with their customers, but they will almost never let you perform your own audit unless you they are hosting a private cloud for you, and then your access scope will be limited to that which is dedicated to you.
Logs will usually be accessible or provided to you by request, but the retention period may not be as long as you would like to have on premise. Make sure you discuss logging, retention periods, access requests, and the level of detail with your provider so that you are comfortable with it.
Cloud service providers will frequently have extremely good physical security, and that may mean that customers are not permitted to visit datacenters. Remember, we are discussing cloud services, not hosted datacenters, so your data might move from one datacenter to another dynamically anyway, so scheduling a site visit might prove fruitless anyway, unless you merely want to see an example site for your own satisfaction.
Encryption of data at rest
If you require encryption of data at rest, make sure you discuss this with your vendor early on in the sales discussions. Many cloud service providers won’t use encryption for data at rest. Key management between cloud datacenters can be a challenge, and the physical security already in place may make this an unnecessary (to them) extra bit of overhead.
Encryption of data in motion
Discuss how certificate management will be handled to make sure you understand all PKI requirements. Your provider may handle certificate management for you but don’t assume that means you won’t have any responsibilities for validation or authorization. At the same time, even if you are willing to accept the risk of clear text transmissions, you may find that unsupported by your vendor.
Physical location of data
Some countries have laws requiring that data reside within the borders of that country. Your customers may also want to make certain all their data remains in-country. Check with your legal team to make sure you understand those requirements and work with your vendor to understand their datacenter geographic boundaries.
Discuss the interviewing, background checks, vetting, bonding, drug testing, etc. that your vendor goes through for all employees to make sure you are comfortable with that. You may have to create or accept generic admin accounts, rather than working with a named account for every individual, and if you have requirements regarding the citizenship of administrative users, make sure you go over that with your vendor too.
There are a few things you want to make sure you understand about your relationship with your vendor of choice, and what you will and will not be able to do as it relates to security settings and audits, and you will need to work with your legal team to ensure that any existing contracts or legislation are compatible.
So work with your vendor to make sure you understand these things completely, and to your satisfaction. Ask questions, request audit reports and customer references, and do your homework. Security in the cloud is not something to take on faith; responsible vendors should have all the information you require and be willing to provide it within reasonable time frames. Just don’t be surprised they request an NDA before sharing specific audit findings, and if they don’t permit site visits.
By Casper Manes
This article was written by Casper Manes on behalf of IT Channel Insight, a site for MSPs and Channel partners where you can find other related articles to cloud services