As your organization moves its data into the cloud, you face the challenge of balancing productivity and efficiency gains with tremendous compliance and security concerns. While securing your cloud is not the same as securing your physical infrastructure, it doesrequire that you evaluate several key features including:
- Service Level Agreements
- Business Operations, Data Disposal, and Storage
- Responding to Legal Inquiries
- Cloud Perimeter Protection
- Securing Data in transit and at rest
- Separate Direct And Logical Access To Servers
- Virtual Private Cloud
- Compliance Certifications
While many security professionals do not believe that cloud infrastructures and services can be secured, this document will look at several contractual and physical cloud security practices you can employ to safely leverage the benefits of using cloud services in your organization.
Service level agreements (SLAs)
In your contract make sure it details how the service provider will address Distributed Denial of Service (DDoS) attacks, infrastructure vulnerabilities or security incidents. Failure to outline how these items will be resolved may leave you with no recourse, leaving your organization vulnerable to penalties and fines.
Business Operations, Data Disposal, and Storage
Along with your SLA, your contract should include how your data and information will be treated if/when your cloud service contract ends. You must define who will be responsible for exporting and delivering the data back to you. Along with exporting and delivery your data, you must identify the disposal methods your provider uses as well as backup frequency, backup location, and server storage available to your organization.
Responding to Legal Inquires
As part of your contract, you should discuss and define how your cloud service provider responds to inquiries from the police or government office. While requirements may vary from state to state and country to country, it is necessary to establish a communication process with your provider on how to handle this situation if and when it occurs. We mentioned a few of the legal aspects that should be included in your contract and SLA. Let’s take a look at a few requirements directly related to protection.
Cloud Perimeter Protection
It is not just about firewalls. Make sure your cloud service provider engages in ‘effective perimeter protection’ for your applications including but not limited to:
- Application firewall
- Attack mitigation tools for DDoS incidents
- Intrusion detection tools
Secure data in transit and at rest
To ensure that you comply with Service Level Agreements (SLAs), privacy policies and regulatory requirements regarding all sensitive data, including data at rest, data should be encrypted and transmitted using a Secure Socket Layer (SSL) that terminates inside your cloud service provider’s network. By using SSL to transmit data and secure data at rest, your cloud service provider should also allow you to encrypt your data at the field level. Examples of field level encryption include credit card and social security number.
Separate Direct and Logical Access to Servers
Isolating functions within your cloud service provider environment is important. Separating direct and logical access to your servers reduces the possibility of someone accessing and copying your data or reconfiguring your server for illegal purposes.
Virtual Private Cloud
In a multi-tenant environment, your data becomes vulnerable to the shortcomings of other tenants. To mitigate this weakness, you can request that provider build a Virtual Private Cloud (VPC), where you have complete control.
Compliance Certifications
Two certifications will tell you how well your cloud service provider operates – PCI DSS and SOC2 Type II.
PCI DSS:
Payment Card Industry Data Security Standard (PCI DSS) is a security standard for companies that process branded credit cards from the major card carriers. For cloud service providers to receive this certification, they must pass several audits that prove credit card data is processed, stored, and transmitted securely.
ISOC 2 Type II:
If your cloud service provider has the ISOC 2 Type II certification, it means they it has proven that its system is designed to keep your data secure. It also means your provider takes compliance requirements seriously.
Conclusion
The cloud is no longer a luxury, and as you consider the transition, you must do so cautiously to ensure that your data, application, and access to both are secure. While this article highlights the contractual and physical aspects of cloud security, the best practices for cloud security are those that work best for your organization.