8/4/2019 Tackle Cloud Security Issues
Tackle your clients' security issues with cloud computing in 10 steps
As a security solution provider, you have a particularly tough row to hoe with regard to securing your clients' data in a cloud computing environment.
Cloud capabilities and ubiquity have advanced greatly, but have the security capabilities and
protocols kept up? Unfortunately, in many cases, the answer is no. If you are going to support
a client moving to a public cloud, or are asked to support them after the fact, there are
many cloud computing security issues to consider, and that's what we'll cover in this tip.
Security issues with cloud computing
Many companies developing and offering cloud computing products and services have not
properly considered the implications of processing, storing and accessing data in a shared and virtualized environment. In fact, many developers of cloud-based applications struggle to
include security, even as an afterthought. In other cases, developers simply cannot provide real
security with currently affordable technological capabilities.
At the same time, many solution providers helping a client move to a cloud solution fail to
spend enough time and effort to verify the cloud offering's security. This may be because the
client's primary reason for moving to the cloud is to reduce costs. Therefore, there may be little profit for the solution provider in the cloud relationship. These factors, and the reality that
cloud providers often lull your clients into believing there's little reason to worry about security,
make your role as a security solution provider even more difficult.
The ubiquitous use of cloud is so new that the National Institute of Standards and Technology
(NIST), which is tasked with writing guidelines for proper use of technology, is only at the draft
release stage with its cloud computing guidance. In the draft Guidelines on Security and Privacy
in Public Cloud Computing (800-144), released May 16, 2011, it is clear that even NIST members
are rightfully concerned and cautious about the rapid and seemingly unfettered move to cloud
computing. As the document points out, "Many of the features that make cloud computing attractive, however, can also be at odds with traditional security models and controls."
Even if one could show a modicum of short-term cost savings in public cloud versus client
premise architectures, the risks (with some exceptions) significantly challenge the potential
gains. There are considerable obstacles to securing data housed and controlled by an entity
other than its owner, and this is amplified with a public cloud, where communications,
computing and storage resources are shared and data is often co-mingled.
The difference between protecting data in a public cloud versus data in a client organization's
own systems is like protecting the president in a crowd on the streets versus in the White
House. He still has some protection on the street, but without the ability to fully control the
environment, he is at far greater risk. It should be noted that even with the recommendations
we'll cover below, there is no such thing as infallible security in a public cloud environment.
10 steps to conquer clients' security issues with cloud computing
There are 10 steps that security solution providers should take when moving clients to a public
cloud solution.
1. Contract with the cloud provider yourself, on behalf of your customer.
Aim to sign a contract with the cloud provider yourself, rather than having the cloud provider
deal directly with your client. This may not always be possible, as some cloud providers, even
those who sell through channel partners, will only sign a contract with the customer. When
they do, your risk may not be worth the reward. If anything goes wrong in that cloud, your
customer could come after you for recommending the cloud provider in the first place. Also, although cloud providers who contract directly with the customer will pay a margin to the
reseller who brought the customer to them, these margins may diminish over time as the cloud
provider takes control of the customer.
2. Have the cloud provider's security measures written into the contract.
Take the time to investigate thoroughly how the cloud provider secures its systems. This means
getting assurances from the cloud provider written into the contract. You might also require an
independent audit report and/or certification verification. The written assurances must include
applications, infrastructure and configurations. If you cannot get verification because the cloud
provider won't share the information, or they don't have it readily available, run fast to the
nearest exit.
3. Look closely at employee and contractor backgrounds.
Find out if all the cloud provider's employees or contractors who could have access to the cloud
provider's systems are fully vetted for their criminal background, have been drug tested, and
have the requisite skills needed for the roles they will fill. Have these details added to the
contract.
4. Find out who will monitor your customer's data.
Ask the cloud provider to detail who will have access to data, and why and when they are
accessing it. Why is this important? Well, for example, Google had a security engineer, David Barksdale, who was found to have been snooping on the activities of teenagers, including
reading emails and listening to Google Voice calls before going to meet them in public places.
When asked if they had been monitoring this activity, Google's response was, "We monitor on
an as-needed basis. We are increasing the amount of monitoring we do."
5. Have a plan for security events.
Ensure the cloud provider's contract gives precise details about compliance commitments and
breach remediation and reporting contingency. The contract should predict and describe, to the
best possible degree, what responsibility the cloud provider (and you) are promising, and what
actions the cloud provider (and you) will take during and after security events. In fact, having a
written plan about what the cloud provider will do in a security event, such as a breach, is
required by many regulatory standards, and with many states and the federal government.
6. Verify the access controls being used by the cloud provider.
Just as you would implement access controls for your client's own systems, the cloud provider
must describe and implement the controls it has in place to ensure only authorized users can
access your client's data. Be especially vigilant if your client must comply with regulatory
obligations; housing data somewhere other than the client's premises does not relieve the
client or you of legal responsibility.
7. Stay in control of your client's access devices.
Be sure the client's access devices, such as PCs, virtual terminals and mobile phones, are
secure. The loss of an endpoint access device or access to the device by an unauthorized user can negate even the best security protocols in the cloud. Be sure the computing client devices
are managed properly, secured from malware and supporting advanced authentication
features. If you have not already done so, work with your client to establish pre-defined
standard operating procedures to remediate a security event involving the loss or theft of a
device that is configured to access cloud resources.
8. Look at the cloud provider's financial status.
Obtain written assurance about the financial condition of the cloud organization. Be wary of a
security breach that could be caused by a cloud provider (that you recommended) suddenly
shutting down and disappearing in the night. In fact, a local police department suffered this
exact problem with a cloud service provider when the provider's Web hosting company shut down and literally disappeared without any notice. (Luckily this incident only involved the loss
of a website and blog database, and not private records or critical criminal case data.)
9. Specify how data will be returned.
Get details written into the contract that describe how your client's data can and will be
securely returned to the client in the event of a cancelation of services. For example, I am
currently working with a client who came to me because it was being held hostage by a cloud
provider not reacting properly to the client's request for their data. The client needs to report
its compliance, but the cloud provider will not share diagrams or other information, or provide
audit records. The provider admits the entirety of client data is in a shared common network, with shared drives and applications in a multi-tenant configuration. This client is now in danger
of being hit with significant fines and penalties.
10. Don't forget about data deletion.
Verify the proper deletion of data from shared or reused devices. Many providers do not
provide for the proper degaussing of data from drives each time the drive space is abandoned.
Insist on a secure deletion process and have that process written into the contract.
The results from these 10 steps should be written into the cloud provider's contract (if they are
not already in the standard contract). Do not rely on brochures or data sheets from the cloud
provider, or verbal conversations you have with the cloud provider. At the end of the day, it will
be the contract that rules if anything should go amiss and you find yourself in court defending
your decision to use a particular cloud provider. The contract is the best protection for you and
your client.
As the trusted security advisor of a client using a cloud solution, you will likely be held culpable
when there is a breach. You must remember that your client and, by association, you are still
liable when it comes to security and breach. By following these 10 steps to tackle the security
issues of cloud computing, you and your client will have peace of mind knowing that you have
done what is prudent to assure your client's security in the cloud.