Security Assessment: Over time, most organizations tend to relax their security posture. To counter this, the cloud provider should undergo regular security assessments performed by an experienced assessor who can identify issues and verify that they are fixed. The report should be provided to each client promptly after the assessment so that clients know the current state of the overall cloud's security.
Shared Risk: In many instances, the cloud service provider will not be the cloud operator. Instead, it may provide a value-added service on top of another cloud provider's service. For example, if a Software-as-a-Service (SaaS) provider needs infrastructure, it may make more sense to acquire that infrastructure from an Infrastructure-as-a-Service (IaaS) provider rather than building it. In this type of multi-tier service provider arrangement, each party shares the risk of security issues, because a problem at one layer potentially impacts all parties at all layers. This issue must be addressed by taking into account the architecture used by the underlying cloud provider and working that information into the client's total risk mitigation plan.
Staff Security Screening: Most organizations employ contractors as part of their workforce, and cloud providers are no exception. Contractors should go through a background investigation comparable to the one required of full-time employees. The cloud provider must be able to provide its clients with its screening policy and document that all of its employees have had a background check performed according to that policy. Further, clients should contractually bind the cloud provider to require the same level of due diligence of its contractors.
Distributed Data Centers: Disasters are a fact of life. They include hurricanes, tornadoes, landslides, earthquakes and even fiber cuts. In theory, a cloud computing environment should be less prone to disasters because providers can offer an environment that is geographically distributed. But many organizations sign up for cloud computing services that are not geographically distributed. They should therefore require their provider to have a working and regularly tested disaster recovery plan, backed by SLAs.
Physical Security: Physical threats should be analyzed carefully when choosing a cloud provider. Do all of the cloud provider's facilities have the same level of security? Are you being sold on the most secure facility with no guarantee that your data will actually reside there? Do the facilities have, at a minimum, a mantrap, card or biometric access control, surveillance and an onsite guard, and do they require that all guests be escorted and that all unguarded egress points be equipped with automatic alarms?
Policies: Any organization that says it has never had a security incident or data leak is either being deceptive or is unaware of the incidents it has had. It is unrealistic to assume a cloud provider will never have an incident. Cloud providers should have incident response policies, and they should have per-client procedures that feed into their overall incident response plan. Additionally, data that is subject to legislative mandates or contractual obligations should be encrypted both in flight and at rest. Further, a yearly risk assessment focused specifically on that data should be performed to make sure the mitigations still meet the need.
Coding: Every cloud provider runs some in-house software, which may contain application bugs. So every client should make sure that the cloud provider follows secure coding practices. All code should be written following a documented development methodology that the provider can demonstrate to the customer.
Data Leakage: Data leakage has become one of the greatest organizational risks from a security standpoint. Virtually every government worldwide has regulations that mandate protections for certain data types. The cloud provider should be able to map its policies and controls to the security mandates you must comply with, and to discuss any gaps with you.
While security emerges as a major concern, the key to understanding security in cloud computing is to realize that the technology is neither new nor untested. It represents the logical progression of outsourcing commodity services to many of the same trusted IT providers that we have already been using for years. Examples of earlier 'cloud computing' capabilities include hosted mainframes (more than 40 years), hosted file and mail servers (AT&T, IBM in the early 1990s), and software services like SalesForce.com. Moving IT elements into the cloud is simply a natural part of the evolution of IT.