Use of cloud applications is increasing by the day. Salesforce, Dropbox, Office 365, AWS, Azure. Migration of on-premises applications and equipment to a data centre near you as your “private cloud” is also a solution that many enterprises have implemented, or are considering implementing.
What about the security of that data? What do you know about your cloud provider and what their processes and ethics are? Where are they, what legal jurisdiction do they come under?
Here are a number of important questions to ask your Cloud provider:
Data In Transit Protection
User data transiting networks should be adequately protected against tampering and eavesdropping. This should be achieved through a combination of, network protection – denying your cyber attacker the ability to intercept data and encryption – denying your attacker the ability to read data.To compromise data in transit, an attacker would need access to infrastructure over which the data transits. This could take the form of physical access, or logical access if the attacker has compromised software components within the service.It’s more likely that attackers would access infrastructure between the user and the service, as opposed to infrastructure within the service. However, the impact of an attacker accessing communications internal to the service would likely be significantly greater.
Action: Ask your Cloud provider how they deal with this, does your data transit the “internet” or is it on a private circuit?
Data Protection and Resilience
To understand the legal circumstances under which your data could be accessed without your consent you need to identify the locations at which it is stored, processed and managed. You will also need to understand how data-handling controls within the service are enforced, relative to UK legislation. Inappropriate protection of user data could result in legal and regulatory sanctions or reputational damage. You need to know in which countries and legal jurisdictions your data will be stored, processed and managed. You should also consider how this affects your compliance with relevant legislation e.g. Data Protection Act (DPA)
Action: The Data Centre where the data is stored ideally needs to be in the UK BUT if the provider is a Multinational like Amazon or Rackspace they could backup to another Country.
A malicious or compromised user of the service should not be able to affect the service or data of another. In a Virtualised environment you need to understand the types of user you share the service or platform with, know that the service provides sufficient separation of your data and service from other users of the service and also know that management of your service is kept separate from other users. The use of the hypervisor in this area is key. VMware is the “gold” standard and is particularly good at user separation. The same cannot be said for some of the “open source” products such as XEN, VirtualBox.
Action: Ask your Cloud service provider which Hypervisor they use and how do they assure compliance with User Separation.
The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined. Usually, the best measure for you to check is the accreditations of the service provider. If they are approved under ISO9001, ISO27001 have ITIL accreditation then you have some level of confidence that they have a good governance framework.
Action: Check that the service provider has as a minimum current ISO27001, asks for a copy of the certificate.
This is probably the most insecure area of any operation. All systems are vulnerable to rogue personnel. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider staff. Some organisations may be unwilling to screen their employees to the necessary levels and you need to seek reassurances that the service providers have implemented other methods to secure your data. This includes logging all accesses, two-factor authentication, monitoring remote access, monitoring backup methods to preclude un-authorised methods or devices.
Action: Ask the question of your service provider as to how they implement Personnel Security
Supply Chain Security
Cloud services often rely on third party products and services. Consequently, unless the Service Provider ensures proper quality controls, supply chain compromise can undermine the security of your service and affect the implementation of other security principles. Ask your provider to list all the outsourcing of services that make up the service you receive. Many providers claim they “own” the service but do they? Do they own their own data centre or take space in someone else’s. Do they have their own network, ask if they have an AS number, run their own DNS servers, have their own core network.
Action: Make sure you know whether your Cloud Provider is a virtual provider (resells for someone else) or is the originator of the services.
Systems used for administration of a cloud service will have root access to that service. If Sysadmin is compromised that would have a significant impact, including the means to bypass security controls and steal or manipulate all data. This leads on to a whole list of questions about access. How does your service provider identify and authenticate users? How do they identify and protect external access? (VPN etc..)What type of audit information is available to identify and protect access to data?
Action: Understand all aspects around access to data and how your service provider defends you and your data.