Cloud service providers are taking advantage of buyer ignorance about cloud security, pushing tantalizingly low-cost service contracts that don't meet prospective customers' security needs. The result, according to recent reports from HfS Research: Organizations unknowingly leave themselves exposed to a host of threats, while unable to easily escape their service provider's grasp.
Before being wooed into signing a cloud deal by extraordinarily low subscription fees, promises of unparalleled flexibility, and 99.999 percent uptime, there are some steps you should take internally and at the negotiation table to ensure your foray into the clouds doesn't quickly turn stormy. These tips come from papers titled "Sweating the Insider Threat" and "Top Security Issues for Cloud Buyers," both written by HfS Research Director James R. Slaby.
Cloud shopping tip No. 1: Make sure your data is defended. Organizations need to examine cloud providers' options for protecting sensitive data, both in transit across the network and at rest on an endpoint, a server, or a piece of storage gear.
For starters, ask providers about the strength of their VPNs, their key management (who holds the keys, and how they are rotated and revoked), and their end-to-end encryption. Before signing a contract, examine terms pertaining to data privacy, auditability, service reliability, and contingencies for changes in the provider's status, such as an acquisition, insolvency, or discontinuation of the service, Slaby writes.
Additionally, organizations in industries with strict privacy regulations need to be sure that providers have data residency controls in place to prevent data from, say, being stored or replicated in unauthorized geographic locations. Also, ask whether those controls extend to the provider's third-party partners and subcontractors.
Rounding out the lifecycle of data, potential cloud customers should inquire whether their provider has mechanisms in place to prove that sensitive data has been securely deleted.
Cloud shopping tip No. 2: Prepare against new insider threats. Organizations should be well aware by now of the risk of insider threats, perpetrated by malicious as well as merely careless employees. When you migrate an application or service from a private data center to a cloud computing environment, the pool of potential insiders grows, because it now includes the provider's staff. Per Slaby:
... the cloud provider's IT staff are now the ones with unimpeded access to applications, their sensitive data, and the systems they run on. They may be endowed with far-reaching access and powerful privileges in order to do their jobs. And they are by definition more highly skilled and knowledgeable of system vulnerabilities.
To reduce this threat, prospective cloud subscribers need to ensure their providers vet and monitor their IT staff properly. Ensure that providers limit their staff's access and authorizations to what is necessary to do their jobs, and ask how that least-privilege policy is enforced and audited. Request specifics about a provider's incident response plan, including how and when customers are notified. Ask what security countermeasures they have in place, such as change management controls, DLP (data loss prevention) systems, and SIEM (security information and event management) systems. Also be certain your provider "conducts appropriate forensics to pinpoint, diagnose and prosecute insider breaches," Slaby advises.