Most companies ask about security before outsourcing to a cloud service. The problem is that many of us never actually question or test the vendor's claims. Why should we? Vendors are honest... right?
Actually, I think many of them are honest. The real problem is that the malware trying to steal confidential information can be incredibly clever. The SaaS is behind a firewall, right? All connections use SSL/TLS and require passwords of at least 10 characters with special characters that are rotated regularly, right? Perhaps the cloud service even monitors behavior and claims to alert on abnormal patterns. These are all good proactive measures, but we all know the malware still gets in. That is why we need a good cloud service security checklist. How do we go about building one?
Ask your cloud service vendor what you should be doing to avoid compromising the data they host for you. They should be able to provide a list of recommendations that you can compare against your existing practices. The cloud security checklist is best treated as a joint effort between the vendor and the customer, and the items on it depend on the type of cloud service. For example, an Infrastructure as a Service (IaaS) vendor lets customers spin up multiple virtual machines. Even with a hypervisor mediating access between guest operating systems and physical resources, there is a concern that an attacker who breaks out of a guest can gain unauthorized control of the underlying platform when isolation relies on software-only mechanisms. That could compromise every shared physical resource on the host, including memory and the other VMs running on the same server. Questions for an IaaS vendor might be "what have you done to minimize this type of risk?" and "how do you detect this type of compromise?"
The contents of your cloud service security checklist depend on your company's industry and on what you plan to host in the cloud. Here are a few items to consider:
- In the SANS Institute survey titled “Incident Response: How to Fight Back”, we learned that the top two items targeted for theft “were employee information and individual customer information.” This raises the question: what about your company's data in the cloud would be particularly valuable to attackers? Start thinking about how you would monitor that data to detect theft, and agree on which party (customer or vendor) monitors what is accessing it.
- Which industry regulations are you obligated to comply with? Does the cloud vendor provide resources to support those compliance requirements?
- What reports will you receive about who is accessing the data? Do they provide failed login reports? Ask for a sample.
- How do users authenticate? Two-factor authentication should be the baseline, for the vendor's own administrators as well as your users.
- How many days are security logs retained, and how quickly can you get access to them? Ask for a sample of the log, and check that its format is something you can ingest into your own monitoring.
- Do they offer replication to redundant off-site backup locations? How often do they perform fire drills (restore tests)? Make sure you do the same, as these exercises often surface hidden problems.
- Ask the vendor to explicitly list all of the downstream third-party vendors involved in delivering their service. “Ask them for a copy of their security policies and standards,” said Jason Lau, director of IT security at Service Now. “If they cannot provide one, they probably don’t have a security program.”
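Once a vendor hands over the sample access and failed-login logs asked for above, the useful next step is to check that you can actually detect theft of the employee and customer records the SANS survey identifies as prime targets. The script below is an added example, not code from the original article or from any vendor: it assumes an invented five-field log line format (timestamp, user, source IP, action, detail) and runs over constructed sample lines, flagging bursts of failed logins, a success from the same user and source that follows such a burst, and unusually large exports. The thresholds and the field layout are illustrative assumptions you would replace with the vendor's real format and your own baselines.

```python
"""Triage a vendor-supplied access/authentication log sample.

Constructed example: the five-field line format and the sample lines
below are invented for illustration, not a real vendor's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp user src_ip action detail" (assumed format).
SAMPLE_LOG = """\
2023-04-01T09:00:01Z alice 203.0.113.10 LOGIN_OK -
2023-04-01T09:00:15Z alice 203.0.113.10 EXPORT customers=120
2023-04-01T09:05:00Z bob 198.51.100.7 LOGIN_FAIL bad_password
2023-04-01T09:05:04Z bob 198.51.100.7 LOGIN_FAIL bad_password
2023-04-01T09:05:09Z bob 198.51.100.7 LOGIN_FAIL bad_password
2023-04-01T09:05:13Z bob 198.51.100.7 LOGIN_FAIL bad_password
2023-04-01T09:05:18Z bob 198.51.100.7 LOGIN_FAIL bad_password
2023-04-01T09:05:25Z bob 198.51.100.7 LOGIN_OK -
2023-04-01T09:06:00Z bob 198.51.100.7 EXPORT employees=4800
2023-04-01T11:00:00Z carol 192.0.2.44 LOGIN_FAIL bad_password
2023-04-01T11:30:00Z carol 192.0.2.44 LOGIN_OK -
2023-04-01T11:31:00Z carol 192.0.2.44 EXPORT employees=30
"""

# Illustrative thresholds (assumptions); tune against your own baseline.
FAIL_THRESHOLD = 5              # failures from one user+IP inside WINDOW
WINDOW = timedelta(minutes=2)
EXPORT_THRESHOLD = 1000         # records in a single export event


def parse(text):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, action, detail = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"ts": when, "user": user, "ip": ip,
                       "action": action, "detail": detail})
    return events


def failed_login_bursts(events):
    """(user, ip, time_of_last_failure) for >= FAIL_THRESHOLD failures in WINDOW."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            fails[(e["user"], e["ip"])].append(e["ts"])
    bursts = []
    for (user, ip), times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failures
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                bursts.append((user, ip, times[end]))
                break
    return bursts


def success_after_burst(events):
    """A LOGIN_OK after a burst from the same user+IP: likely guessed credential."""
    burst_end = {(u, ip): t for u, ip, t in failed_login_bursts(events)}
    hits = set()
    for e in events:
        key = (e["user"], e["ip"])
        if e["action"] == "LOGIN_OK" and key in burst_end and e["ts"] > burst_end[key]:
            hits.add(key)
    return sorted(hits)


def large_exports(events):
    """(user, dataset, count) for exports of EXPORT_THRESHOLD records or more."""
    hits = []
    for e in events:
        if e["action"] != "EXPORT" or "=" not in e["detail"]:
            continue
        dataset, count = e["detail"].split("=", 1)
        if count.isdigit() and int(count) >= EXPORT_THRESHOLD:
            hits.append((e["user"], dataset, int(count)))
    return hits


def triage(text):
    """Run all three checks over a log sample and return the findings."""
    events = parse(text)
    return {"bursts": failed_login_bursts(events),
            "compromised_logins": success_after_burst(events),
            "large_exports": large_exports(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(name, finding)
```

If the vendor's sample contains no failed-login events at all, or no per-record counts on data access, that is itself the finding: you cannot answer the monitoring question on line one of this list with that log, and the checklist item should be reopened with the vendor.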
The above should help you build out a cloud security checklist tailored to your company.
Lastly, be ready for a compromise or a malware infiltration. It is going to happen, and when it does you will want to determine how far it spread, which other machines were involved and what information (e.g. documents) may have been exposed. For these reasons, strengthen your cyber threat intelligence by making sure you have an incident response process in place for investigating suspicious activity.