Moving to the cloud? Make sure you ask these security questions

By Stephen Coty, Chief security evangelist at Alert Logic.


The cloud is the ideal platform to support businesses due to its on-demand capacity, scalability and, importantly, flexibility. The benefits are many, not least being free of the issues of installing and maintaining hardware in data centres that lack sufficient capacity, power or cooling. Delegating these operations to a cloud provider that promises it will take care of everything from performance and storage to email is definitely an offer that is hard to refuse.
However, these factors aren’t the only ones you should be considering when undertaking a cloud project. Whether a business is about to make the move to the cloud or has already done so, it must give due importance to the security of the data it is placing in the cloud.


There are a few reasons for this (1):
The same types of attack that target on-premise data centre environments are migrating to the cloud – Attacks that used to be typical of on-premise data centres, such as malware, botnet and brute force attacks, are now also homing in on cloud environments. As the number of user applications moving to the cloud increases, so do malware and botnet attacks.


The breadth and depth of attacks show that threat diversity in the cloud is on the rise – The variety of attacks that exist and threaten companies in the cloud has increased this year to rival that of on-premise data centres. Companies should pay just as much attention to the sophistication of their security in the cloud as they normally would to protect their data.


The solutions classically relied upon to combat these threats aren’t sufficient – To determine the efficacy of security solutions, such as anti-virus programmes, in major public clouds globally, a honeypot project was used to note new patterns of attacks and emerging threats. One particularly interesting yet disturbing observation was that 14% of the malware collected was considered undetectable by 51% of the world’s top anti-virus vendors.


The good news is that there is much that companies can do to protect themselves. First, they need to be educated on what their business and applications require from a security and compliance standpoint.


To be confident that the provider takes the security of your data seriously, make sure that it can answer the following questions with confidence:


1. What is their data encryption strategy and how is it implemented?
The ideal method for protecting significant data is encryption, which renders data unreadable to those who are unauthorised. Preferably, the cloud service provider knows who controls the keys and what standard of encryption is used.


2. What is the hypervisor and provider infrastructure patching schedule?
As mentioned before, exploits like malware keep rising, so it’s critical that the provider updates and patches its infrastructure frequently. This aims to minimise the threats to its customers’ data.


3. How do you isolate and safeguard my data from other customers?
Because of their huge capacity, providers (unless privacy is specified) will house data for multiple companies. You should ask how they segment the data, what controls they have in place to prevent accidental sharing, and how those controls are executed.


4. How is user access monitored, modified, and documented?
It’s necessary to know who is accessing the data to prevent it being compromised. Separation of duties needs to be in place so the provider’s administrator doesn’t have complete authority and control over your data. It’s important that the provider can give concise and clear documentation and reporting.


5. What regulatory requirements does the provider subscribe to?
There are several regulatory controls a provider can adhere to in order to show best practice and compliance. If it adheres to industry standards, that is a good sign that it takes the integrity and security of your data seriously.


6. What is the provider’s back-up and disaster recovery strategy?
Find out what the provider’s track record on availability is and ensure there is transparency into its infrastructure. Make sure the boundaries have been defined and everyone knows their responsibility; it could be that you are responsible for the backup of your own data.


7. What visibility will the provider offer your organisation into security processes and events affecting your data from both front and back-end of your instance?
This is a key part of security strategy, particularly from a forensic and audit point of view. If an incident occurs and needs to be investigated, you must know every piece of information available to figure out how and why it happened and, more importantly, how it was immediately resolved. Your provider should therefore be able to tell you how it follows this process and how you are kept alerted in these situations.


This is just a snapshot of the questions you may want to ask the provider about the security of your sensitive data within the cloud, whether you’re commencing a new project or have been with a cloud service provider for many years. Depending on the answers given, you can select the cloud platform that makes the most sense and is the most transparent about its security offerings. The degree of competence of the answers given will help you judge just how secure your data is with that cloud provider and how seriously it takes the security of data that is imperative to your business.

(1) Research according to Alert Logic’s State of Cloud Security Report, April 2014
