Cloud Security: 9 Questions to Ask Before Choosing a Vendor
Cloud services are everywhere. Many consumer-oriented cloud offerings such as Gmail, Dropbox, Netflix and YouTube have become household names and are quickly finding their way into the workplace. Behind the scenes, large-scale infrastructure-as-a-service vendors such as Amazon, Rackspace and Google are quickly gobbling up market share. You would be hard-pressed to find an organization that has entirely avoided the use of cloud services. But have you stopped to consider the security implications of moving your business functions into the cloud?
Cloud providers are simply an extension of an organization’s computing environment. Whether an organization relies upon cloud vendors for infrastructure, platform or application services, those providers are storing, processing and transmitting its business data, and they should be held to the same security standards that the company would impose upon its internal computing operations.
Evaluating Cloud Security Controls
Of course, it’s easy for a business to evaluate its own security controls. Just visit your data center or server room by walking downstairs or travelling across town and verify that appropriate physical security is in place. Similarly, you can interview your system administrators and audit their servers to ensure proper configuration.
It’s not so easy with cloud providers. You might not know where their servers are located, you might not have access to their system administrators — and you might not know the right questions to ask.
When considering a new cloud service provider, ask them to provide documentation of their security controls, including answers to the following questions:
- Where are your servers located, and what physical security protects your data center(s)?
- How do you use encryption to protect client data? How are the encryption keys managed?
- What network security controls are in place to prevent network intrusions?
- What security controls are in place surrounding application development and modification?
- Do you have firewalls, intrusion detection/prevention systems and data loss prevention systems in place?
- Who monitors your security systems, and what procedures are in place to react to security incidents?
- What is your policy on customer notification of security incidents?
- Have you had your security controls assessed by an auditor or other third party?
- What disaster recovery and business continuity controls are in place? What is the service level agreement for your service?
These are just a few starting points for your conversation. You’ll want to perform the same degree of assessment with cloud providers that you would for services you host yourself. Also, consider revisiting your cloud security assessments on a recurring basis to ensure that controls continue to meet your standards.
Web Application Security Is Paramount
Many cloud services depend on the web to provide a common user experience, and in many cases, that web interface is the only method available for accessing the application. This makes it exceptionally important to carefully evaluate the security of the web application layer, as it comprises a significant portion of the security perimeter. Simple mistakes by web developers can lead to critical SQL injection or cross-site scripting (XSS) vulnerabilities that may completely undermine the vendor’s other security controls.
Treat web-based cloud services just as you would an internally developed web application and subject them to regular vulnerability scans. In some cases, you might accept the results of scans performed by the cloud service vendor as acceptable evidence of security.
If you’re planning to use the provider for highly sensitive data or have reason to doubt the integrity of their security controls, you may wish to consider either demanding a scan from an independent third party or conducting your own scans using a tool such as HP’s WebInspect or IBM’s Rational AppScan. Both of these tools provide an automated way to probe the security of web applications. One word of warning: Be sure to get the vendor’s permission before conducting a scan, and coordinate the time of the scan with them to avoid disrupting their service.
Jump on the Bandwagon
You don’t have to go it alone when it comes to cloud service security. Many industry associations are developing standardized sets of questions and criteria for cloud service providers and making them available to the industry.
For example, the Cloud Security Alliance (CSA) recently published the third version of their Security Guidance for Critical Areas of Focus in Cloud Computing. This document covers 14 different domains of security, divided into three subject areas: cloud architecture, governing in the cloud and operating in the cloud. Within each domain is an overview of the issues at stake and specific, actionable recommendations for managing the associated risks.
In addition to this guidance, CSA is also developing a publicly accessible Security, Trust and Assurance Registry (STAR) that allows cloud vendors to provide public documentation of their security controls, including the results of their CSA self-assessment questionnaire. Two cloud providers, Microsoft and Solutionary, have already provided results to STAR, while Google, Verizon, Intel and McAfee have publicly announced plans to do so in the near future.
Is Your Outsourcer Outsourcing?
You’re not the only one using the cloud for critical business functions. Many cloud service providers leverage other cloud services to provide both infrastructure and platform services. In fact, I recently evaluated a cloud security service that is built entirely in the cloud: It consists of code that resides on Google’s App Engine. The service provider actually performs no hosting of their own, and their employee base consists entirely of application developers and support staff.
There’s nothing wrong with this approach, as long as you understand what is being outsourced, know who is providing the outsourced services, and are satisfied that the subcontractors providing the services are able to meet the same security standards that you expect of your cloud provider (or that appropriate compensating controls are in place that render some standards unnecessary, such as the use of encryption to protect highly sensitive data).
One other note of caution: Many cloud service providers make use of offshore facilities for both production hosting and backup services. While this geographic diversity provides cost-effective service and provides you with a greater degree of fault tolerance, consult your attorneys regarding the legal and regulatory risks associated with storing your data in other countries.
The cloud promises great benefits to organizations of all sizes. It provides cost-effective access to services that would otherwise be unavailable, and you should feel confident embracing it. Just be sure that you do so with your eyes wide open, understanding the strengths and limitations of the security controls offered by those services.