Security Questions to Ask Before Engaging with Cloud Providers

December 27, 2010 Off By David
Grazed from GigaOM.  Author: Tom Mornini.

Even though large hardware vendors are spreading fear, uncertainty and doubt (FUD) about cloud computing, many companies, such as Amazon, have shown that cloud security already meets enterprise’s requirements. Amazon, 100 on the 2010 Fortune 500 list, has an impressive history of data security, especially since their entire business is driven by web applications directly accessible via the Internet. These applications process sensitive personal information such as credit card numbers, addresses, and individual preference data.

Yet some enterprise vendors suggest that Amazon is incapable of understanding and providing the security required by enterprise customers, going so far as to cast the company as a “bookseller,” as if it’s some dusty Mom and Pop store.

Let’s be honest: Amazon isn’t a bookseller, they’re the bookseller — in addition to being one of the most experienced organizations in the world at securing applications and data in the Internet age. The company is migrating the applications and services that run Amazon.com from a traditional infrastructure to Amazon’s IaaS division on an application-by-application basis. That’s called “eating your own dog food,” and it should give enterprises enormous confidence in the security of Amazon’s IaaS offerings.

The transition to cloud computing won’t realize its potential until more vendors and buyers fully understand security requirements in the cloud. By establishing basic security requirements early and discussing the following five questions, companies can position projects for success and avoid common security-related
issues.

How will my data be physically secured?

If a cloud provider doesn’t have modern and secure facilities, there’s no need to answer any more of the questions below. Move on to the next provider! Physical security is important including on-site security personnel, video surveillance, intrusion detection, restricted entry, and cloud vendors can demonstrate how
they provide it.

When considering requirements for physical security, it’s important to be aware that remote data breaches (i.e., those coming from external sources via the network) are rarer than internal data breaches committed by employees. For example, a disgruntled employee may decide to steal corporate data for revenge or profit,
but breaches can also occur when a diligent employee decides to take data home and the laptop is stolen.
In this regard, you may find that storing data in the cloud reduces your risk.

How is my data encrypted?

Far more important than physical security is data encryption and how your cloud provider leverages it to protect your data. I’m often surprised at how concerned enterprises are that “hackers” will steal their data by acquiring the raw bits. If your data is securely encrypted, you could burn copies to DVD and pass them
out in Times Square, mail them to every hacker in the world, post the files on your website, and still sleep soundly knowing that, unless the decryption keys are not stored securely, your data is safe. Encryption is the way to secure data in the cloud.

Where will my data be stored and will it be replicated in other data centers?

One premise of the cloud is that the location of data is not a huge concern for the user. Many enterprises, however, must comply with regulations that are based upon the data’s geographic location. Companies need to review these requirements with vendors.

Look for clear and concise reporting from your vendor that maps out how data storage is handled and whether their policies affect your compliance of regulatory requirements. Are you required to store data in a specific geographic region? For companies operating in the U.S., Canada, or Europe, there are a number of
regulatory requirements and standards in effect, including ISO 27002, Safe Harbor, ITIL, and COBIT. Understanding your data location requirements will ensure you make the best choice for your cloud provider.

What investments are being made to secure my data?

The level of investment in “security” is subjective, but there are certain questions you can ask to gauge how serious a provider is about security. Is it a constant focus where they will think ahead for you and make it one less thing for you to worry about?

Are the employees of the provider trained and skilled in security and encryption? Does the organization have the technology to detect if your application is under attack; for example, what kind of network intrusion detection technology do they use? What response times do they offer if an attack does take place?

When working with proven vendors who have made investments to ensure that your data is secure, cloud computing dramatically shifts security risk where application deployment and development are concerned. This allows companies to focus on building applications, rather than wrestling with deployment or racking and
stacking hardware. In order to achieve that focus, you’ll need to trust that there are highly specialized teams employed by your cloud vendor who have deep security expertise.

For example, cloud vendors hire the top security professionals from around the world. The security professionals employed by the vendor you choose should enhance the security provided by your employees. Moving to the cloud should, therefore, enhance your security by allowing focused teams with specialized
security skills to support your business.

Is your cloud computing service SAS 70 compliant?

A recent Gartner report (requires subscription) took SaaS and cloud computing vendors to task over their use of SAS 70 as proof of security, continuity or privacy compliance. Gartner explained that SAS 70 auditing is widely mischaracterized by service providers as being a form of security certification. While true, the most common enterprise security concern we hear at Engine Yard involves SAS 70 compliance. Many customers require SAS 70 certification to demonstrate that they have the appropriate safeguards and processes in place to protect their IT assets.

Enterprises should be wary of providers who claim a SAS 70 report is proof that their offering is secure. It is proof that the provider has a methodical and repeatable approach to their operations, which is clearly a step in the right direction. In addition, companies should require thorough reports that show which procedures received SAS 70 certification, so they can accurately evaluate the provider’s security procedures.

Time to jump on the cloud

Security in the cloud is strong, and it’s being strengthened every day by experienced professionals at cloud providers. As cloud vendors innovate and more enterprises give cloud computing a try, security will evolve from a barrier to entry into a competitive differentiator: I believe it won’t be long before it’s obvious that applications deployed to the cloud are more secure than those deployed on premises.