Get with IT: How to Assess Cloud Providers

Feb. 13, 2013
12 questions you should be asking to ensure your data is safe

The old saying goes: Look out for yourself, because no one else will. When it comes to cloud computing, it would behoove you to take this advice to heart. Many of the professionals in management, legal — even IT — assume that if software or services are outsourced to the cloud, then they can wash their hands of any associated responsibilities. The fact is, it is just not that simple.

What many do not yet understand is that cloud service providers are in the business of uptime — not necessarily web or network security. The focus is on keeping the joint running, and that’s really not a problem. The issue is that by handing over the management of your systems and presumably tons of sensitive information to third parties, you now have even more IT complexity to deal with, and more risks to minimize.

For decades, the principle of “trust but verify” has been drilled into our heads; yet, when it comes to the cloud, we get amnesia and assume the “verify” element can be thrown out without any consequences. As much as the lawyers who write up the contracts would like for us to believe that, it is just not true. Outside of the legal realm, there are a myriad of challenges that must be dealt with when things go awry in the cloud. These are challenges that IT professionals understand, because they are the ones responsible for handling them.

The smart approach to cloud computing is to eliminate the problems before they have a chance to progress. Assessing your cloud providers does not need to be complicated. Here are 12 questions you need to be asking — both internally and externally — when choosing a cloud provider:

1. What are they doing beyond SSAE 16 audits and periodic network scans? Both your organization and the cloud provider must be assured that systems are reasonably free of low-hanging fruit such as weak passwords, SQL injection, and other senseless flaws that are often overlooked. Interestingly, this is something that is often ignored.

2. Can you perform your own security testing? Some cloud providers will allow for this, but others will not. For those without good answers who will not allow you to test their systems, you have to wonder what they are trying to hide.

3. What metrics are used to measure performance both within and beyond the boundaries of your SLA? Looking past business continuity, think about system patching, hardening, audit logging and monitoring, and so on.

4. Will your cloud presence be co-mingled with other customers’ information? Co-mingling of systems and information often means that shared servers, databases and web application code are being used. This means a security breach of someone else’s system can create the same exposure for your organization.

5. Who truly owns the information that will be processed and stored at your cloud provider’s facilities? You need to know your rights for accessing this information when the time comes.

6. How are information classification, retention and destruction handled? Will information linger indefinitely? It is imperative to know who is managing these processes.

7. What will happen with your information if your cloud service provider is acquired? Another aspect to consider is the chance the provider will go out of business.

8. Does your cloud provider operate in the same legal jurisdiction as your organization? State, provincial or international boundaries can have an impact on how compliance and incident response are handled.

9. What recourse do you have if there is a cloud-related security incident that impacts your business? Think about additional security controls that can be put in place on your end to help reduce the impact of security incidents that may arise.

10. Who is responsible for compliance? This relates to the sensitive information that your third-party cloud provider is now storing and managing. Is your provider capable of handling industry-specific compliance challenges, such as HIPAA and HITECH for healthcare and PCI DSS for retail? Does the provider employ regulatory experts that can help?

11. Is the cloud reflected in your internal policies and contracts? Privacy policy and other business contracts must truly reflect what’s taking place with your systems, applications and information stored in the cloud.

12. How are you going to handle the burden of proof? When auditors ask to see how your cloud service providers’ audit controls are working, will you have an answer? The reality is that you will not be able to prove anything if the cloud providers cannot explain where they stand.

Do what you can to get a seat at the table during management and legal discussions that impact how your business uses the cloud. It could very well be that your cloud strategy conflicts with the legal controls that your lawyer and management have devised. Most importantly, do not sit around and assume everything has been taken care of in the cloud — the odds are good that it hasn’t. Ask the tough questions before something happens.

Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including Hacking for Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance, and the Security on Wheels audio books and blog (www.securityonwheels.com). Follow him on Twitter, @kevinbeaver or connect to him on LinkedIn.

Today’s Homework: Set Proper Expectations

When moving to the cloud, it’s critical to understand the difference between uptime and security. You must ensure all decision makers in your organization are on board with this: Management must understand what can happen; legal must understand their contracts are only part of the equation; internal audit and compliance must know who is responsible for what; and IT and information security staff must review cloud provider audit reports and security assessments or perform their own. Getting the right people on board and properly setting their expectations will not only help prevent risks in the cloud but it will also help minimize the impact to the business when mishaps do occur.