I had the opportunity to speak with Phil Lieberman, president and CEO of Lieberman Software, who presented a list of security-related questions a company should ask before doing business with a cloud service provider, along with his advice on what to look for in the answers.
1. What kind of security do you have in place to protect my privileged accounts and most sensitive data?
Lieberman's response: The first issue to consider is how frequently passwords are being changed and whether that meets the regulatory requirements for my data being secured in that environment. The second issue is whether or not the passwords being used in that environment are unique. Also, is there isolation, meaning if there is a breach of one system, will it mean a breach in all systems? The provider should implement segregation or compartmentalization of identities to provide granular control and release. Finally, there should be transparency about who has access to my system and how it is controlled.
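The first two checks above (rotation frequency against a policy limit, and whether the same credential is reused across systems so that one breach becomes every breach) can be run over a privileged-account inventory. The following is an added example, not code from Lieberman or the article; the inventory format and the sample rows are constructed assumptions.

```python
"""Audit a privileged-account inventory for two of the checks raised above:
rotation age against a policy maximum, and the same credential reused on
more than one system (no isolation). Inventory rows are constructed sample
data in an assumed (system, account, fingerprint, last rotated) format."""
from collections import Counter, defaultdict
from datetime import date
import hashlib


def fingerprint(secret: str) -> str:
    """A PIM export would carry a credential fingerprint, never plaintext;
    we hash the constructed sample secrets to mimic that."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# Constructed sample inventory: (system, account, fingerprint, last rotated).
SAMPLE_INVENTORY = [
    ("db-prod-01", "root", fingerprint("Spring2021!"), date(2024, 1, 10)),
    ("db-prod-02", "root", fingerprint("Spring2021!"), date(2024, 1, 10)),
    ("web-prod-01", "Administrator", fingerprint("w3b-Adm1n-!9"), date(2024, 5, 2)),
    ("hv-cluster", "vmadmin", fingerprint("Hyp3rv1sor#"), date(2023, 11, 30)),
]


def audit(inventory, max_age_days, today):
    """Return findings as (category, system, account, detail) tuples."""
    findings = []
    systems_by_fp = defaultdict(set)
    for system, account, fp, rotated in inventory:
        age = (today - rotated).days
        if age > max_age_days:
            findings.append(("stale_rotation", system, account,
                             f"{age} days since rotation, limit {max_age_days}"))
        systems_by_fp[fp].add(system)
    # A fingerprint seen on more than one system means a shared password:
    # compromising one host yields a valid credential for the others.
    for system, account, fp, _ in inventory:
        others = systems_by_fp[fp] - {system}
        if others:
            findings.append(("shared_credential", system, account,
                             "same credential on " + ", ".join(sorted(others))))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'stale_rotation': 3, ...}."""
    return dict(Counter(category for category, *_ in findings))


def run_sample(max_age_days=90, today=date(2024, 5, 15)):
    """Run the audit over the constructed inventory with a 90-day limit."""
    return audit(SAMPLE_INVENTORY, max_age_days, today)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep=" | ")
```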
2. Do you have a Privileged Identity Management (PIM) technology in place?
Lieberman's response: There are two aspects to this question that need to be addressed. First is whether or not the provider has an organizational framework for handling privileged identities. There needs to be segregation of duties, making sure that only the right people have access, and for the right reasons. Second is the technology itself being used. What we've seen is that most organizations are using homegrown systems that have no auditing, no encryption, and no controls to manage privileged identities.
3. How do you control privileged accounts used in cloud infrastructure to manage sensitive systems and data?
Lieberman's response: If the infrastructure is being outsourced to a third-party provider, that provider is really only responsible for keeping the power on and potentially replacing defective hardware. Ownership of PIM is solely the responsibility of the client. A contract has to be drawn up between the cloud provider and the user to determine who exactly has access to credentials, what the appropriate workflow and sign-off are, and what the audit process is. When you go into a pure cloud play where you deal with software as a service, clients need this information. A regulated organization may need to see access records to make sure there isn't any compromise of data. Customers have a right to know where their data is located and who has access to that information. Also, if the data is encrypted, it is vital to know who has the encryption key.
4. How do you manage cloud stacks at the physical layer and application stack layers?
Lieberman's response: This is one of the fundamental weaknesses of the current cloud architecture. When machines are being distributed out on the cloud, you have to look at all the credentials from the physical layer to the application layers. It is up to the cloud vendor to provide the process and technology to control all of this.
5. What is your access to audit records?
Lieberman's response: You should be able to see any data at any time you want. There also should be a security service level agreement that says there's a guarantee that, no matter what the security process is, it can be checked and, when needed, addressed.