Before any company moves to the cloud, an inevitable question is asked: Will our data be secure? A 2014 IBM study found that while 85 percent of chief information security officers (CISOs) believe their company’s move to the cloud is imminent, more than 40 percent also believe a significant security breach will happen at a major cloud provider.
As businesses shift their mission-critical workloads to the cloud, IT departments are tasked with not only managing company data, but also securing it. Choosing a cloud service provider that fits your security strategy is key. IT Business Edge recently spoke with Sean Jennings, co-founder and SVP of solutions architecture at Virtustream, who shared five cloud security and compliance tips for IT leaders as they transition their companies to the cloud.
5 Tips for Cloud Security and Compliance
Look Beyond Security Certifications
Security certifications should certainly be on your checklist, but the truth is that the conditions required to achieve certifications are necessary, but not sufficient to ensure security. While certifications are a quick way to see if a provider has met certain industry standards, a secure environment relies on a continuous monitoring, remediation and improvement process.
Certifications are effectively point-in-time snapshots of a cloud platform and supporting processes. In the time that it takes for a certification to be achieved, audited by a third party and certified, it is entirely possible for results to be outdated before the ink is dry on the certificate. Ask your prospective provider(s) how they ensure continuous compliance, and what their policies are vis-à-vis notifications of any lapses. Favor those with the greatest transparency.
Encrypt Early and Often
While nobody is going to argue its value in this cloudy day and age, true end-to-end encryption is still relatively rare in most real-world cloud implementations. For those who plan to encrypt, it is important to understand the effectiveness of available controls over a provider’s encryption capabilities. IT managers should be able to confirm that sensitive data is encrypted everywhere, including when it’s in transit, in use within the application layer, and at rest – whether within a database or file system, or in an archive or backup.
You should have tight control over your keys: Some keys may be held by your managed services provider for convenience, but ideally you should retain the keys within your organization’s sole custody whenever possible. Furthermore, your data should be encrypted at rest before migration to the cloud begins. CSPs who are serious about security can provide this as part of their onboarding services portfolio.
It is tempting to simply rely on a provider’s SLAs and ignore the gory details – and many providers prefer you do just that – but when it comes to security, details matter. How can you be sure that the physical servers hosting your VMs and data are pristine and uncompromised? Intel has had chip-level technologies to address that issue for generations – specifically TXT – but providers often fail to enable these features. This is equally true for your private cloud servers as it is for providers. Do you have data locality requirements? Intel TXT addresses this concern as well with geo-location and geo-fencing. Refer to NIST Interagency Report 7904 for information about trusted geo-location. When combined with encryption, you can ensure that your company’s virtual machines and data cannot be hijacked and copied to another cloud where they could be subjected to a brute force attack at the BIOS level. Ask your providers about their trusted platform and TXT support.
Transparency and Continuous Monitoring
Every cloud service is run by human beings, regardless of the level of automation, and without question, humans will make mistakes. Sometimes these mistakes will violate compliance requirements and open up a vulnerability or attack vector. If your provider only audits annually for compliance, this could present a very big risk. This risk is best addressed by continuous monitoring technologies. Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. These tools will identify changes to the environment that create threats or violate compliance standards in near real time. Ask your vendor(s) what tools they use for continuous monitoring and what their policies are for notifying customers of noncompliance events and incidents. Also ask about compliance services for monitoring your VMs and data in addition to the infrastructure.
Protect the Keys to the Kingdom
Nearly all cloud platforms are managed from a web-based portal. The most security-conscious providers require two-factor authentication to the cloud portal. This limits the eternal risk of shared passwords and brute force attacks on password databases. Even complex passwords can be vulnerable with careless end users. The risk of a compromised portal was amply illustrated by the attack that forced Code Spaces out of business last summer. Ensure that your providers protect your assets with two-factor authentication to the portal.