December 24, 2014 By Alfredo Santos 6 min read

Preparing for cloud security is no longer a luxury, but rather a standard procedure. First, you should consider and understand the three models of cloud computing: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).

With IaaS, the basic infrastructure is offered by the provider, and the other components and apps are the responsibility of the contractor. In this modality, the operational system is available, but the client is responsible for installing, configuring and keeping the application servers and the application.

With PaaS, the contractor enters the application solution, and the other services are the responsibility of the service provider. In this modality, even the application server is available; however, the application and its occasional vulnerabilities are the responsibility of the client.

With SaaS, each solution is the responsibility of the service provider, which does not undermine the responsibility of the information owner.

Basically, the responsibility for cloud security goes from the contractor to the provider, in which the SaaS model requires an extremely elaborate contract. It is important to remember that regardless of the model, the contractor is always the information owner.

Now that we have mapped the models, the following are recommendations for organizations considering a partnership with a third-party provider:

1. Establish SLAs in the Contract, Including in the Cases of Security Incidents

A solid detailing of the service-level agreement (SLA) in your contract is extremely important because the control comes fully from the internal IT and security teams. If any infrastructure unavailabilities, distributed denial-of-service (DDoS) attacks, vulnerabilities or other security incidents are not established in the contract, you will not be able to properly prevent penalties and fines in the case of a security incident.

2. Provide the Security Architecture Drawing

Your supplier must align with you and detail in the contract the security architecture used in this environment. The supplier may not necessarily have to inform the manufacturer, but it must ensure there are aspects such as firewall segregating environments (Internet, operation, card data, etc.), antivirus solutions and intrusion detection solutions.

learn to respond to cloud-based threats: Request a demo of IBM Cloud Security Enforcer

3. Have Specialized Protections for the Perimeter

Technological security is not restricted to firewalls. Your business partner, who is making the cloud solutions available, must be prepared to protect the perimeter in the most effective way possible.

A cloud email solution should have the following:

  • Antivirus;
  • Anti-spam;
  • Information leakage control;
  • The possibility to create specific rules for blocking, including attachments;
  • Email monitoring.

A cloud application solution should have the following:

  • Intrusion detection tools;
  • Application firewall;
  • New generation firewall;
  • Attack mitigation tools for DDoS attacks;
  • Log correlation;
  • Content delivery network.

4. Hold the Firewall Segregating All Networks, Including Server Environment Operators and Users

It is important to address segregating beyond the perimeter, including application servers and the general database, the database and credit card data and the operational environment and server environment.

5. Segregate Functions Inside the Provider

The provider, who acts inside the data center, may not be the same person who operates the system. This ensures that someone who has direct access to the equipment does not necessarily have logical access to this equipment. This measure reduces several potential problems, such as someone connecting an external HD and copying inside information or directly accessing a server to manipulate its configuration files.

6. Allow Vulnerability Analysis and Ethical Hacking

In the contract, the cloud solution provider should allow for vulnerability analyses and properly scheduled ethical hacking on the environment to be performed. This sort of analysis should be done by a third-party company hired by the supplier you have deemed credible.

7. Allow Access to the Environment Log and Systems

It is important to align with the provider to allow access to the environment log. It is necessary to see the whole traceability management of users and access profiles. This includes the creation, alteration and exclusion of profiles and password changes in addition to registering who is performing certain extreme transactions. For instance, this may be available through a portal.

8. Allow the Use of Correlation Tools and Log Retention

The provider must allow the use of log collectors to send the correlation tools and the log retention that are inside your company (on-premises). After that, it is the responsibility of the correlator to cross this log with other logs in order to identify possible security threats.

9. Have a Security Point Person to Serve the Contractor During the Contract Period

The provider must have a person who is the bridge between security and the final client. This person is responsible for managing the security-related requests and problems that could happen. He or she is also responsible for organizing security reports for the contractor.

10. Manage Vulnerabilities, Threats and Risks by Aligning With the Contractor

Basically, the management cycle of vulnerabilities, threats and risks must be aligned with the information security area of the contractor so that the contracting company has control of the security risks without being blindfolded. This is the most complicated aspect because suppliers do not typically feel comfortable sharing this information. This is why vulnerability analyses and ethical hacking are an essential part of determining security flaws.

11. Share the Business Continuity Policy and Disaster Recovery Plan

In this case, it is recommended that the contract establishes how the supplier manages these points in order to ensure business continuity.

12. Have the SAS 70 Certification or Similar

SAS 70 and new similar certifications are related to data centers, not necessarily cloud solutions. Even though this sort of certification is mandatory for a data center, it is not enough to check the other cloud computing items.

13. Detail the End of Business Operations Process in the Contract

It is important to detail in the contract how information will be treated in case the cloud service contract ends. It must be determined who is responsible for the exportation and delivery of information and the destruction of backups and data tracks.

14. Detail the Data Disposal Process in the Contract

The methods used for data disposal, server storage and backup tapes related to your business must be established in the contract.

15. Detail the Process for Responding to Legal Requirements

A cloud services provider may occasionally be legally required to deliver information, which may vary according to the laws of each country. It is necessary to establish a communication process with the contractor in cases of legal requirements in which the contractor is advised whether the delivery of information is necessary.

16. Detail in the Contract the Backup and Tape Storage Process

The backup frequency must be agreed upon and set in the contract, and the backup storage must be in a safe place.

17. Detail How Much the Environment/Infrastructure Is Shared With Other Clients

This aspect needs to be clearly established between the parties and documented in the contract. There are several segregation possibilities that might occur in a cloud solution environment, such as the following:

  • Shared infrastructure (firewall, network, Web servers) and data in separate servers;
  • Infrastructure and data in shared environments;
  • Segregated data in programming logic (worst-case scenario), in which the program code defines what is going to be shown to each client.

This is one of the major points of cloud security confidentiality because a code or infrastructure vulnerability may inappropriately release data. Data segregation possibilities must be analyzed in the case of information leakage.

18. Notify How Information Leakage Control Is Managed

Your information is in a place that is operated by other people, outside of your control. Because of this, it is necessary to understand and detail in your contract how information leakage will be managed by the contractor. It can be an extremely restrictive environment in which operators do not access the Internet or removable media (USB, CD, DVD, etc.), or in an environment with a data loss prevention solution installed.

19. Detail Procedures in Case of DDoS Attacks

It is vital to detail in the contract how your DDoS prevention works and how the communication procedure works.

20. Identify Where the Solution Data Center(s) Will Be to Meet Local Legal Particularities

Basically, it is important to set in the contract where the data centers containing your cloud solution data will be. This will influence which legal requirements must be met according to the country.

21. Demonstrate the Process of Cryptographic Keys Management

This is one of the most important parts of cloud computing security because it is crucial in relation to data confidentiality. The data should be encrypted, and the cryptographic keys should be in the hands of the contractors. If they are in the hands of the contracted, there is an increased risk of someone stealing and using them.

22. Access Control

Imagine your application is now outside your company. How does the matter of managing users and access profiles work? Options include managing through an interface provided by the contractor or using a resource known as federation.

Federation consists of a base of users trusting external bases. For instance, the cloud application can consult a user inside its own company and network base. This brings a series of advantages, such as having control of the closest users, easily blocking a user and having exclusive passwords.

Another concern related to access control is the use of strong authentication. Considering the service will be more exposed on the Internet, the most proper method is to have the user resort to something extra beyond the traditional username and password pair. In this case, it is recommended to use one or more of the following:

  • Physical token;
  • Password card;
  • Digital certificate;
  • Biometry;
  • SMS password.

23. Permission for External Audits for Cloud Security

After the supplier has promised the several items above, it is time to consider in the contract that you, the contractor, can visit to perform regular audits to assess the course of the security-related commitments outlined in your contract. It is suggested to use a checklist to do this.

Request a demo of IBM Cloud Security Enforcer

More from Cloud Security

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Cloud security uncertainty: Do you know where your data is?

3 min read - How well are security leaders sleeping at night? According to a recent Gigamon report, it appears that many cyber professionals are restless and worried.In the report, 50% of IT and security leaders surveyed lack confidence in knowing where their most sensitive data is stored and how it’s secured. Meanwhile, another 56% of respondents say undiscovered blind spots being exploited is the leading concern making them restless.The report reveals the ongoing need for improved cloud and hybrid cloud security. Solutions to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today