Cloud Security: 9 Questions to Ask Before Choosing a Vendor

Consider these factors when evaluating whether cloud services are right for your business.

Use an Eyes-Wide-Open Approach to Cloud Security

Cloud services are everywhere. Many consumer-oriented cloud offerings such as Gmail, Dropbox, Netflix and YouTube have become household names and are quickly finding their way into the workplace. Behind the scenes, large-scale infrastructure as a service vendors such as Amazon, Rackspace and Google are quickly gobbling up market share. You would be hard-pressed to find an organization that has entirely avoided the use of cloud services. But have you stopped to consider the security implications of moving your business functions into the cloud?

Cloud providers are simply an extension of an organization’s computing environment. Whether an organization relies upon cloud vendors for infrastructure, platform or application services, those providers are storing, processing and transmitting business data and should be held to the same security standards that a company would impose upon its internal computing operations.

Evaluating Cloud Security Controls

Of course, it’s easy for a business to evaluate its own security controls. Just visit your data center or server room by walking downstairs or travelling across town and verify that appropriate physical security is in place. Similarly, you can interview your system administrators and audit their servers to ensure proper configuration.

It’s not so easy with cloud providers. You might not know where their servers are located, you might not have access to their system administrators — and you might not know the right questions to ask.

When considering a new cloud service provider, ask them to provide documentation of their security controls, including answers to the following questions:

  • Where are your servers located, and what physical security protects your data center(s)?
  • How do you use encryption to protect client data? How are the encryption keys managed?
  • What network security controls are in place to prevent network intrusions?
  • What security controls are in place surrounding application development and modification?
  • Do you have firewalls, intrusion detection/prevention systems and data loss prevention systems in place?
  • Who monitors your security systems, and what procedures are in place to react to security incidents?
  • What is your policy on customer notification of security incidents?
  • Have you had your security controls assessed by an auditor or other third party?
  • What disaster recovery and business continuity controls are in place? What is the service level agreement for your service?

These are just a few starting points for your conversation. You’ll want to perform the same degree of assessment with cloud providers that you would for services you host yourself. Also, consider revisiting your cloud security assessments on a recurring basis to ensure that controls continue to meet your standards.

Web Application Security Is Paramount

Many cloud services depend on the web to provide a common user experience, and in many cases, that web interface is the only method available for accessing the application. This makes it exceptionally important to carefully evaluate the security of the web application layer, as it comprises a significant portion of the security perimeter. Simple mistakes by web developers can lead to critical SQL injection or cross-site scripting (XSS) vulnerabilities that may completely undermine the vendor’s other security controls.
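To make the "simple mistakes" concrete, here is an added illustration (not code from the article or from any vendor it mentions) of the two flaws just named, each beside its fix. It assumes a tiny SQLite in-memory user table constructed inline to stand in for a cloud application's data store; the function names and sample rows are hypothetical.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a throwaway in-memory user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """SQL injection: the caller's input is pasted into the statement text,
    so input containing quote characters changes the query's logic."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: the value travels separately from the statement,
    so it can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(username):
    """Cross-site scripting: user-supplied text is emitted as raw HTML."""
    return f"<p>Welcome, {username}</p>"


def render_greeting_safe(username):
    """Output encoding: markup characters become entities, so the browser
    shows the text instead of interpreting it."""
    return f"<p>Welcome, {html.escape(username)}</p>"


def injection_widens_result(conn, probe):
    """Defender-side check: does a probe input return more rows through the
    concatenated query than through the parameterised one? A difference means
    the input was interpreted as SQL rather than as a username."""
    return len(lookup_user_vulnerable(conn, probe)) > len(lookup_user_safe(conn, probe))


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal username, then the textbook tautology
    # probe used by every web vulnerability scanner.
    for name in ("alice", "' OR '1'='1"):
        print(repr(name), "vulnerable:", lookup_user_vulnerable(db, name),
              "safe:", lookup_user_safe(db, name))
    print(render_greeting_vulnerable("<b>x</b>"))
    print(render_greeting_safe("<b>x</b>"))
```

The scanners mentioned later in this article work on the same principle as `injection_widens_result`: they send probe inputs and compare the responses with a baseline, which is why a parameterised query and proper output encoding remove the finding rather than just hide it.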

Treat web-based cloud services just as you would an internally developed web application and subject them to regular vulnerability scans. In some cases, you might accept the results of scans performed by the cloud service vendor as acceptable evidence of security.

If you’re planning to use the provider for highly sensitive data or have reason to doubt the integrity of their security controls, you may wish to consider either demanding a scan from an independent third party or conducting your own scans using a tool such as HP’s WebInspect or IBM’s Rational AppScan. Both of these tools provide an automated way to probe the security of web applications. One word of warning: Be sure to get the vendor’s permission before conducting a scan, and coordinate the time of the scan with them to avoid disrupting their service.

Jump on the Bandwagon

You don’t have to go it alone when it comes to cloud service security. Many industry associations are developing standardized sets of questions and criteria for cloud service providers and making them available to the industry.

For example, the Cloud Security Alliance (CSA) recently published the third version of their Security Guidance for Critical Areas of Focus in Cloud Computing. This document covers 14 different domains of security, divided into three subject areas: cloud architecture, governing in the cloud and operating in the cloud. Within each domain is an overview of the issues at stake and specific, actionable recommendations for managing the associated risks.

In addition to this guidance, CSA is also developing a publicly accessible Security, Trust and Assurance Registry (STAR) that allows cloud vendors to provide public documentation of their security controls, including the results of their CSA self-assessment questionnaire. Two cloud providers, Microsoft and Solutionary, have already provided results to STAR, while Google, Verizon, Intel and McAfee have publicly announced plans to do so in the near future.

Is Your Outsourcer Outsourcing?

You’re not the only one using the cloud for critical business functions. Many cloud service providers leverage other cloud services to provide both infrastructure and platform services. In fact, I recently evaluated a cloud security service that is built entirely in the cloud: It consists of code that resides on Google’s App Engine. The service provider actually performs no hosting of their own, and their employee base consists entirely of application developers and support staff.

There’s nothing wrong with this approach, as long as you understand what is being outsourced, know who is providing the outsourced services, and are satisfied that the subcontractors providing the services are able to meet the same security standards that you expect of your cloud provider (or that appropriate compensating controls are in place that render some standards unnecessary, such as the use of encryption to protect highly sensitive data).

One other note of caution: Many cloud service providers make use of offshore facilities for both production hosting and backup services. While this geographic diversity offers cost-effective service and a greater degree of fault tolerance, consult your attorneys regarding the legal and regulatory risks associated with storing your data in other countries.

The cloud promises great benefits to organizations of all sizes. It provides cost-effective access to services that would otherwise be unavailable, and you should feel confident embracing it. Just be sure that you do so with your eyes wide open, understanding the strengths and limitations of the security controls offered by those services.

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.
