tackle cloud security issues

Upload: rshankarv

Post on 07-Apr-2018


8/4/2019 Tackle Cloud Security Issues

Tackle your clients' security issues with cloud computing in 10 steps

As a security solution provider, you have a particularly tough row to hoe with regard to securing your clients' data in a cloud computing environment. Cloud capabilities and ubiquity have advanced greatly, but have the security capabilities and protocols kept up? Unfortunately, in many cases, the answer is no. If you are going to support a client moving to a public cloud, or are asked to support them after the fact, there are many cloud computing security issues to consider, and that's what we'll cover in this tip.

Security issues with cloud computing

Many companies developing and offering cloud computing products and services have not properly considered the implications of processing, storing and accessing data in a shared and virtualized environment. In fact, many developers of cloud-based applications struggle to include security, even as an afterthought. In other cases, developers simply cannot provide real security with currently affordable technological capabilities.


At the same time, many solution providers helping a client move to a cloud solution fail to spend enough time and effort to verify the cloud offering's security. This may be because the client's primary reason for moving to the cloud is to reduce costs. Therefore, there may be little profit for the solution provider in the cloud relationship. These factors, and the reality that cloud providers often lull your clients into believing there's little reason to worry about security, make your role as a security solution provider even more difficult.

The ubiquitous use of cloud is so new that the National Institute of Standards and Technology (NIST), which is tasked with writing guidelines for proper use of technology, is only at the draft release stage with its cloud computing guidance. In the draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144), released May 16, 2011, it is clear that even NIST members are rightfully concerned and cautious about the rapid and seemingly unfettered move to cloud computing. As the document points out, "Many of the features that make cloud computing attractive, however, can also be at odds with traditional security models and controls."

Even if one could show a modicum of short-term cost savings in public cloud versus client premise architectures, the risks (with some exceptions) significantly challenge the potential gains. There are considerable obstacles to securing data housed and controlled by an entity other than its owner, and this is amplified with a public cloud, where communications, computing and storage resources are shared and data is often co-mingled.


The difference between protecting data in a public cloud versus data in a client organization's own systems is like protecting the president in a crowd on the streets versus in the White House. He still has some protection on the street, but without the ability to fully control the environment, he is at far greater risk. It should be noted that even with the recommendations we'll cover below, there is no such thing as infallible security in a public cloud environment.

10 steps to conquer clients' security issues with cloud computing

There are 10 steps that security solution providers should take when moving clients to a public cloud solution.

1. Contract with the cloud provider yourself, on behalf of your customer.

Aim to sign a contract with the cloud provider yourself, rather than having the cloud provider deal directly with your client. This may not always be possible, as some cloud providers, even those who sell through channel partners, will only sign a contract with the customer. When they do, your risk may not be worth the reward. If anything goes wrong in that cloud, your customer could come after you for recommending the cloud provider in the first place. Also, although cloud providers who contract directly with the customer will pay a margin to the reseller who brought the customer to them, these margins may diminish over time as the cloud provider takes control of the customer.

2. Have the cloud provider's security measures written into the contract.

Take the time to investigate thoroughly how the cloud provider secures its systems. This means getting assurances from the cloud provider written into the contract. You might also require an independent audit report and/or certification verification. The written assurances must include applications, infrastructure and configurations. If you cannot get verification because the cloud provider won't share the information, or they don't have it readily available, run fast to the nearest exit.

3. Look closely at employee and contractor backgrounds.

Find out if all the cloud provider's employees or contractors who could have access to the cloud provider's systems are fully vetted for their criminal background, have been drug tested, and have the requisite skills needed for the roles they will fill. Have these details added to the contract.

4. Find out who will monitor your customer's data.

Ask the cloud provider to detail who will have access to data, and why and when they are accessing it. Why is this important? Well, for example, Google had a security engineer, David Barksdale, who was found to have been snooping on the activities of teenagers, including reading emails and listening to Google Voice calls before going to meet them in public places. When asked if they had been monitoring this activity, Google's response was, "We monitor on an as-needed basis. We are increasing the amount of monitoring we do."

5. Have a plan for security events.

Ensure the cloud provider's contract gives precise details about compliance commitments and breach remediation and reporting contingency. The contract should predict and describe, to the best possible degree, what responsibility the cloud provider (and you) are promising, and what actions the cloud provider (and you) will take during and after security events. In fact, having a written plan about what the cloud provider will do in a security event, such as a breach, is required by many regulatory standards, and with many states and the federal government.

6. Verify the access controls being used by the cloud provider.

Just as you would implement access controls for your client's own systems, the cloud provider must describe and implement the controls it has in place to ensure only authorized users can access your client's data. Be especially vigilant if your client must comply with regulatory obligations; housing data somewhere other than the client's premises does not relieve the client or you of legal responsibility.

7. Stay in control of your client's access devices.

Be sure the client's access devices, such as PCs, virtual terminals and mobile phones, are secure. The loss of an endpoint access device or access to the device by an unauthorized user can negate even the best security protocols in the cloud. Be sure the computing client devices are managed properly, secured from malware and supporting advanced authentication features. If you have not already done so, work with your client to establish pre-defined standard operating procedures to remediate a security event involving the loss or theft of a device that is configured to access cloud resources.

8. Look at the cloud provider's financial status.

Obtain written assurance about the financial condition of the cloud organization. Be wary of a security breach that could be caused by a cloud provider (that you recommended) suddenly shutting down and disappearing in the night. In fact, a local police department suffered this exact problem with a cloud service provider when the provider's Web hosting company shut down and literally disappeared without any notice. (Luckily this incident only involved the loss of a website and blog database, and not private records or critical criminal case data.)

9. Specify how data will be returned.

Get details written into the contract that describe how your client's data can and will be securely returned to the client in the event of a cancelation of services. For example, I am currently working with a client who came to me because it was being held hostage by a cloud provider not reacting properly to the client's request for their data. The client needs to report its compliance, but the cloud provider will not share diagrams or other information, or provide audit records. The provider admits the entirety of client data is in a shared common network, with shared drives and applications in a multi-tenant configuration. This client is now in danger of being hit with significant fines and penalties.

10. Don't forget about data deletion.

Verify the proper deletion of data from shared or reused devices. Many providers do not provide for the proper degaussing of data from drives each time the drive space is abandoned. Insist on a secure deletion process and have that process written into the contract.

The results from these 10 steps should be written into the cloud provider's contract (if they are not already in the standard contract). Do not rely on brochures or data sheets from the cloud provider, or verbal conversations you have with the cloud provider. At the end of the day, it will be the contract that rules if anything should go amiss and you find yourself in court defending your decision to use a particular cloud provider. The contract is the best protection for you and your client.

As the trusted security advisor of a client using a cloud solution, you will likely be held culpable when there is a breach. You must remember that your client and, by association, you are still liable when it comes to security and breach. By following these 10 steps to tackle the security issues of cloud computing, you and your client will have peace of mind knowing that you have done what is prudent to assure your client's security in the cloud.