Securely outsourcing to the cloud

Grazed from: ITWeb. Author: Ugan Naidoo.

Cloud providers should have a documented process for handling access rights, including employees entering or leaving the company, or changing roles. Regular audits should be performed to confirm that all privileges match current roles and needs.

Once access security is understood, it is important to determine how the systems housing your most sensitive information will be secured and the data itself controlled. This will mean considering how to secure virtual and multi-tenant environments.

Access control tools can be configured to restrict access to individual virtual machines based on the privileges of each hypervisor administrator identity. This helps ensure that even in a shared environment, only the appropriate administrators have access to an organisation’s virtual machines. Because virtual environments are so dynamic, security controls must be automated, and individual virtual machines must be managed in a way that conforms to their required security…

When it comes to multi-tenant environments, organisations should take steps to keep its data secure from third parties that may share the same services: Securing the data
Click here

While controlling identities and access to sensitive information is critical, it’s not enough. Data sensitivity lives within the data itself regardless of location. Your cloud provider thus needs to demonstrate a data-centric approach to security, reducing the risks of allowing the data to be mobile within the organisation.

The components of a comprehensive data-centric security solution includes classification, data loss prevention, encryption and information rights management.

The fourth question to ask your cloud provider is: What activity data is captured and logged?

As with much of security, determining the right level of activity information to demand from your hosting company requires carefully balancing trade-offs. In this regard, the level of granularity tracked with relation to identity management has to be balanced against the cost.

The level of transparency should be chosen to address the needs of both the cloud service provider and consumer. The more information provided by the cloud service provider, the greater the transparency and auditability — but, correspondingly, the effort and cost also rises. When clients choose to accept transparency at the group level, they should ensure that the cloud provider tracks individual users internally, so there is accountability in the event of a breach.

The fifth and final question to ask your cloud provider is: How will you enable compliance?

Depending on the business and industry, the question of compliance may be the most important of them all.

The cloud provider must allow you to meet your regulatory requirements, and therefore must provide equivalent capabilities that you have implemented in your own compliance controls. If your controls are mature and operating effectively, it becomes easier to specify the requirements to your cloud provider. If your controls are not mature and create issues during your own compliance audits, then the cloud provider may have less guidance into the requirements that it must meet.

Even though activity data is logged and data is effectively controlled, reporting needs to be made available in a form that allows you to meet your goals. These reports need to cover highly-summarised information to executive audiences, as well as detailed information to satisfy a technical auditor.

Conclusions

The demand for transparency into hosted cloud environments is quickly becoming a market requirement. Organisations looking to outsource to a cloud environment should now demand an unprecedented level of transparency into their cloud services. They no longer need to rely solely on contracts and certifications from their service provider for security.

In essence, “trust but verify” should be the watchword.

Even when visibility into a cloud provider’s environment is limited, it need not follow that your understanding of its identity access management needs to be similarly constrained. When choosing a cloud service provider, organisations should no longer accept assurances of security practices and should instead insist on a full understanding of the hosting company’s use of identities to enable proper segregation of duties and access restrictions at each layer of their infrastructure.

One obvious approach for risk-averse companies is to insist that the cloud provider uses one of the sophisticated identity and access management toolsets that are available in order to help ensure that their systems and data are handled in a way that is consistent with their security policies.