Preparing for cloud security is no longer a luxury, but rather a standard procedure. First, you should consider and understand the three models of cloud computing: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).
With IaaS, the basic infrastructure is offered by the provider, and the other components and apps are the responsibility of the contractor. In this modality, the operational system is available, but the client is responsible for installing, configuring and keeping the application servers and the application.
With PaaS, the contractor enters the application solution, and the other services are the responsibility of the service provider. In this modality, even the application server is available; however, the application and its occasional vulnerabilities are the responsibility of the client.
With SaaS, each solution is the responsibility of the service provider, which does not undermine the responsibility of the information owner.
Basically, the responsibility for cloud security goes from the contractor to the provider, in which the SaaS model requires an extremely elaborate contract. It is important to remember that regardless of the model, the contractor is always the information owner.
Now that we have mapped the models, the following are recommendations for organizations considering a partnership with a third-party provider:
1. Establish SLAs in the Contract, Including in the Cases of Security Incidents
A solid detailing of the service-level agreement (SLA) in your contract is extremely important because the control comes fully from the internal IT and security teams. If any infrastructure unavailabilities, distributed denial-of-service (DDoS) attacks, vulnerabilities or other security incidents are not established in the contract, you will not be able to properly prevent penalties and fines in the case of a security incident.
2. Provide the Security Architecture Drawing
Your supplier must align with you and detail in the contract the security architecture used in this environment. The supplier may not necessarily have to inform the manufacturer, but it must ensure there are aspects such as firewall segregating environments (Internet, operation, card data, etc.), antivirus solutions and intrusion detection solutions.
3. Have Specialized Protections for the Perimeter
Technological security is not restricted to firewalls. Your business partner, who is making the cloud solutions available, must be prepared to protect the perimeter in the most effective way possible.
A cloud email solution should have the following:
- Information leakage control;
- The possibility to create specific rules for blocking, including attachments;
- Email monitoring.
A cloud application solution should have the following:
- Intrusion detection tools;
- Application firewall;
- New generation firewall;
- Attack mitigation tools for DDoS attacks;
- Log correlation;
- Content delivery network.
4. Hold the Firewall Segregating All Networks, Including Server Environment Operators and Users
It is important to address segregating beyond the perimeter, including application servers and the general database, the database and credit card data and the operational environment and server environment.
5. Segregate Functions Inside the Provider
The provider, who acts inside the data center, may not be the same person who operates the system. This ensures that someone who has direct access to the equipment does not necessarily have logical access to this equipment. This measure reduces several potential problems, such as someone connecting an external HD and copying inside information or directly accessing a server to manipulate its configuration files.
6. Allow Vulnerability Analysis and Ethical Hacking
In the contract, the cloud solution provider should allow for vulnerability analyses and properly scheduled ethical hacking on the environment to be performed. This sort of analysis should be done by a third-party company hired by the supplier you have deemed credible.
7. Allow Access to the Environment Log and Systems
It is important to align with the provider to allow access to the environment log. It is necessary to see the whole traceability management of users and access profiles. This includes the creation, alteration and exclusion of profiles and password changes in addition to registering who is performing certain extreme transactions. For instance, this may be available through a portal.
8. Allow the Use of Correlation Tools and Log Retention
The provider must allow the use of log collectors to send the correlation tools and the log retention that are inside your company (on-premises). After that, it is the responsibility of the correlator to cross this log with other logs in order to identify possible security threats.
9. Have a Security Point Person to Serve the Contractor During the Contract Period
The provider must have a person who is the bridge between security and the final client. This person is responsible for managing the security-related requests and problems that could happen. He or she is also responsible for organizing security reports for the contractor.
10. Manage Vulnerabilities, Threats and Risks by Aligning With the Contractor
Basically, the management cycle of vulnerabilities, threats and risks must be aligned with the information security area of the contractor so that the contracting company has control of the security risks without being blindfolded. This is the most complicated aspect because suppliers do not typically feel comfortable sharing this information. This is why vulnerability analyses and ethical hacking are an essential part of determining security flaws.
11. Share the Business Continuity Policy and Disaster Recovery Plan
In this case, it is recommended that the contract establishes how the supplier manages these points in order to ensure business continuity.
12. Have the SAS 70 Certification or Similar
SAS 70 and new similar certifications are related to data centers, not necessarily cloud solutions. Even though this sort of certification is mandatory for a data center, it is not enough to check the other cloud computing items.
13. Detail the End of Business Operations Process in the Contract
It is important to detail in the contract how information will be treated in case the cloud service contract ends. It must be determined who is responsible for the exportation and delivery of information and the destruction of backups and data tracks.
14. Detail the Data Disposal Process in the Contract
The methods used for data disposal, server storage and backup tapes related to your business must be established in the contract.
15. Detail the Process for Responding to Legal Requirements
A cloud services provider may occasionally be legally required to deliver information, which may vary according to the laws of each country. It is necessary to establish a communication process with the contractor in cases of legal requirements in which the contractor is advised whether the delivery of information is necessary.
16. Detail in the Contract the Backup and Tape Storage Process
The backup frequency must be agreed upon and set in the contract, and the backup storage must be in a safe place.
17. Detail How Much the Environment/Infrastructure Is Shared With Other Clients
This aspect needs to be clearly established between the parties and documented in the contract. There are several segregation possibilities that might occur in a cloud solution environment, such as the following:
- Shared infrastructure (firewall, network, Web servers) and data in separate servers;
- Infrastructure and data in shared environments;
- Segregated data in programming logic (worst-case scenario), in which the program code defines what is going to be shown to each client.
This is one of the major points of cloud security confidentiality because a code or infrastructure vulnerability may inappropriately release data. Data segregation possibilities must be analyzed in the case of information leakage.
18. Notify How Information Leakage Control Is Managed
Your information is in a place that is operated by other people, outside of your control. Because of this, it is necessary to understand and detail in your contract how information leakage will be managed by the contractor. It can be an extremely restrictive environment in which operators do not access the Internet or removable media (USB, CD, DVD, etc.), or in an environment with a data loss prevention solution installed.
19. Detail Procedures in Case of DDoS Attacks
It is vital to detail in the contract how your DDoS prevention works and how the communication procedure works.
20. Identify Where the Solution Data Center(s) Will Be to Meet Local Legal Particularities
Basically, it is important to set in the contract where the data centers containing your cloud solution data will be. This will influence which legal requirements must be met according to the country.
21. Demonstrate the Process of Cryptographic Keys Management
This is one of the most important parts of cloud computing security because it is crucial in relation to data confidentiality. The data should be encrypted, and the cryptographic keys should be in the hands of the contractors. If they are in the hands of the contracted, there is an increased risk of someone stealing and using them.
22. Access Control
Imagine your application is now outside your company. How does the matter of managing users and access profiles work? Options include managing through an interface provided by the contractor or using a resource known as federation.
Federation consists of a base of users trusting external bases. For instance, the cloud application can consult a user inside its own company and network base. This brings a series of advantages, such as having control of the closest users, easily blocking a user and having exclusive passwords.
Another concern related to access control is the use of strong authentication. Considering the service will be more exposed on the Internet, the most proper method is to have the user resort to something extra beyond the traditional username and password pair. In this case, it is recommended to use one or more of the following:
- Physical token;
- Password card;
- Digital certificate;
- SMS password.
23. Permission for External Audits for Cloud Security
After the supplier has promised the several items above, it is time to consider in the contract that you, the contractor, can visit to perform regular audits to assess the course of the security-related commitments outlined in your contract. It is suggested to use a checklist to do this.