Thursday, December 31, 2009

Cloud computing - Security issues and remediation steps - Part 2

In Part 1, we looked at the definitions and some of the basic offerings in cloud computing. In this part, we will look at the security issues and some of the questions that organizations can ask providers to assess the risk.

What are the risks?


Before we get to the risks, we need to understand the requirements from the security perspective. Security requirements are no different for cloud computing; the basic security requirements still apply:

 
• Preserve confidentiality, integrity, and availability
• Access Control
• Compliance
• Protect the assets and the organization against malicious agents
• Ensure business runs smoothly with optimal security

ENISA, the European information security agency, recently published an excellent document listing the cloud computing risks. Some of the major risks include:

  1. LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security.
  2. LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment.
  3. ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).
  4. COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:  a) if the CP cannot provide evidence of their own compliance with the relevant requirements b) if the CP does not permit audit by the cloud customer (CC).
  5. MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
  6. DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers.
  7. INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data.
  8. MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater.

What are the things to check?

Now, let's take a look at some of the things to check before an organization selects a provider. Here are some of the questions that you can ask the provider to assess its security posture. It is not a comprehensive list, but it will give you a good idea of the provider's information security capabilities.
 
  • Does the provider have any information security certifications like ISO 27001?
  • What are the hiring practices and background checks on the employees and administrators of the provider?
  • How is access control enforced and privileged access controlled?
  • What are the provider’s business continuity and disaster recovery plans? Do they involve any locations that your organization may have an issue with?
  • Does the provider have any responsibility for complying with any regulations (data breach, privacy, etc)?
  • Can the provider’s access control methodologies satisfy the internal requirements?
  • Does the provider use data encryption in transit, storage, and tape? More importantly, identify how it is used and how keys are managed.
  • Does the provider log all access to data?
  • Does the provider have direct control over their servers and infrastructure or is it outsourced again?
  • Does the provider ensure data separation with other customers?
  • Does the provider have incident response and incident notification policies?
  • How does the provider ensure customer data does not get leaked out from the provider’s network?
  • What type of intrusion monitoring (IDS/IPS, malware protection, log monitoring, database monitoring, etc) is in place?
  • How often are the devices and applications scanned for vulnerabilities and patches applied?
  • What is the SDLC process of the provider?
  • How often does the provider test the security posture by the use of a penetration test?
  • During an e-discovery request, how is the provider going to support the investigative activities?

In the third and final part of this series, I will discuss how organizations can prepare for eventually moving some of their services to the cloud.
