
Upload: trandan

Post on 07-Jun-2018


Cloud Security Best Practices Checklist

Businesses like yours are embracing the migration of traditional on-prem services and workloads to cloud service providers. While the economics and convenience can be compelling, cloud providers present new and different security risks. Services that were once hosted “inside the fortress” are now becoming Internet visible, and the attack surface is significantly different. Visibility into the activities going on inside cloud services can also be limited.

How a cloud service provider manages your data is critical to understanding and complying with your regulatory and contractual obligations. This checklist is designed to help your team navigate priority security concerns and contractual considerations for all cloud service providers.

www.eSentire.com © 2018 eSentire, Inc. All rights reserved.

1. DUE DILIGENCE REQUIREMENTS

Review the certification and security standards of your service providers, and evaluate them against specific security requirements to identify any gaps.

Determine where your data will physically reside, and how backups, mirrors or geographic zone support impacts this.

Ensure the service provides adequate event logging, and a method through which to consume these events in real time.

Evaluate the cloud provider’s Vulnerability Management process and SLA.

Evaluate your contractual access to forensic artifacts post breach.

Ensure there are clear cloud service breach notification commitments that comply with your security policy and compliance requirements.

Evaluate the data you plan to put in the cloud. Consider: How sensitive is that data? Is the data impacted by active regulatory requirements? Do the requirements further define how that data can be handled or disclosed?

2. MANAGE AUTHENTICATION & ADMINISTRATION ACCESS

Require multi-factor authentication for any cloud services (relying purely on user IDs and passwords is not enough).

Assign and maintain an explicit list of authorized persons/users for all cloud services.

Set access limitations for all authorized users.

Implement an approvals process to monitor and manage access.

Plan to integrate monitoring of the cloud service into your existing MDR/monitoring service.

3. ENCRYPTION

Is data encrypted at rest? Where are the encryption keys? How are they stored? Who has access to them?

Mandate that all access is via TLS/SSL. (It would be extremely concerning if this isn’t already mandated.)


4. AUGMENT VULNERABILITY AND RISK MANAGEMENT

Assign a process lead within your organization to manage the patch process.

Consider the risk: Cloud service vulnerabilities are higher risk because they are Internet facing.

Have a clear understanding of your responsibility for vulnerability management of workloads/services you deploy into a cloud infrastructure. Ensure pre-migration and recurring (minimum monthly, ideally weekly) vulnerability assessments of your workloads/services.

Subscribe to vendor press or news releases around patching and vulnerability reporting.

Develop and document a patch management process to address: patch assessment, harvest, testing and deployment.

Based on the risk ratings developed in the vulnerability management program, patch the highest risk vulnerabilities first.

Patch often and proactively; always apply security updates.

Consider client applications/services; those will require a “fast” response to new vulnerabilities in their own code as well as in third-party open source, etc.

Prioritize based on nature of attack (zero day, active exploits, data exfiltration risk).

5. CLOUD SECURITY TRANSITION CONSIDERATIONS

Clearly define what you consider to be confidential information (e.g., patents, IP) versus commercial information and private information (e.g., customer information).

Clearly define customer data as it pertains to your business.

Include customer data protection definitions within your contractual provisions, including ownership rights of data stored by the provider.

Define destruction or return of data terms. Most providers include standard terms regarding contract or account termination. Typically, standard terms don’t allow adequate time to retrieve/destroy data; be sure to define reasonable expectations around these terms in your agreement.

Consider satellite risks not defined in standard service agreements: insurance, multi-vendor scenarios, data backup and data selection (which data should be moved to the cloud).

Consider data sovereignty:
• How does the provider mirror/backup data across geographies?
• Which countries and/or law enforcement will have access?
• Under what conditions will those officials have access (e.g., disclosure, legally restricted disclosure)?

Define breach notification disclosure terms.

About eSentire

eSentire is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe from constantly evolving cyber-attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before they become business-disrupting events. Protecting more than $5 trillion in corporate assets, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.eSentire.com and follow @eSentire.
