5 key things to look for when evaluating your cloud solution
Cloud-based business solutions are becoming mainstream and are radically transforming how businesses operate. This presents new challenges around how sensitive corporate data is managed and accessed, writes Daniel Iverson (Head of Solutions Architecture at Dropbox Asia Pacific).
For security professionals, it’s important to find the right balance between caution and enabling new possibilities to collaborate, innovate and ultimately compete in today’s dynamic digital business environment. This challenge has given rise to the terms ‘shadow’ and ‘bimodal’ IT, which highlight the need to bridge the gap between traditional legacy systems and processes; with the evolving world of user-preferred cloud-based solutions.
The best way to have your cloud provider understand your needs and concerns around data privacy is to tell them. But first, develop a clear and unambiguous set of privacy requirements and policies which set out how your data is and isn’t to be used. In addition, seek out expert advice on the regulatory requirements that apply to your country or industry.
Once you have a clear set of key certifications and requirements, match them against what the cloud provider is offering. More on certification later.
If you’re looking at one of the larger cloud providers, refer to independent third-party evaluations that assess how cloud providers deal with privacy - such as those offered by The Electronic Frontiers Foundation (EFF), “Who’s Got Your Back” report.
It’s important to put in place firm policies and controls at the point of onboarding a new cloud service to minimise the risk of sensitive information falling into the wrong hands. Anticipate scenarios such as: what about when an employees leaves? Does the cloud provider have processes for ‘off-boarding’ data from your (and theirs!) departing staff?
If the cloud provider is a large multinational, ask to read their ISO 27001 and SOC reports. In the case of smaller providers, enquire about their provisions for ITSM (IT service management), including whether they are using ITIL or some other accepted framework.
The two most important considerations here are:
1. What are the functional architectural characteristics of the platform?
Your cloud service provider should encrypt all your data in transit (i.e., when staff are using the provider’s app or website), and encrypt your document content and other sensitive data at rest (i.e., when your data resides on their servers). But what do they do beyond that? Ask for example how their environment is secured, monitored and patched; and ask who has access to your information and how that access is logged and audited.
Also ask how your provider stores passwords. Do they use at least one-way encryption? Even if they do, what’s to say attackers can’t brute-force the hash offline? For a more advanced example of how to securely store passwords you can see how we do it at Dropbox.
2. What is done to security-test the environment, and how often?
Ask what the cloud provider does to test security, and how often they do it. Of course, there are myriad types of security testing according different objectives as well as the level of effort and investment required. For instance, some security methods can be automated, while others demand manual effort.
A good source of the latest thinking and practices around cloud security testing is the Open Source Security Testing Methodology Manual (OSSTMM), published by The Institute For Security and Open Methodologies (ISECOM).
Systems that experience frequent bouts of downtime will deny you the productivity and cost gains that led you to adopting the solution in the first place, while also exposing you to security breaches.
Study the cloud provider’s service level agreements (SLAs) as they relate to uptime and resiliency. Also enquire about their disaster recovery (DR) plans. How often do they back up your data and how quickly can they restore? When did they last test the restoration plan and how long did it take?
Robust Business Continuity Planning
Cloud services need to be managed within the broader purview of true Business Continuity Planning (BCP). BCP is an established discipline for organising systems to prevent and react to, unexpected, high-impact events that might disrupt a company’s operations.
Natural disasters, cyber-attacks, energy failures and other events can compromise critical infrastructure, prevent key staff from performing their duties, or even interrupt a company’s supply chain. Smaller cloud companies may not have the necessary processes in place to protect you and your critical data, so ask about what Business Continuity Management Systems (BCMS) they have in place.
There are already a number of important security certifications against which various cloud providers can be measured. Unsurprisingly, there is a lack of consistency across the cloud industry, in part due to the fact that certifications can be time-consuming and costly to achieve. It’s important, therefore, that organisations have a conversation with their cloud providers to get the best idea of what levels of security protection they can expect.
ISO 27001 and ISO 27017 are among the most important. ISO 27001 is an information security management system (ISMS) certification that ensures controls are in place to protect the customer’s data and manage security risks. ISO 27017 is a new international standard for cloud security that provides guidelines for security controls applicable to the provision and use of cloud services.
The cloud is arguably the most important technology to have entered the business world, enabling exciting levels of communication, collaboration and innovation that is completely transforming how companies – and their staff – operate.
But with great power comes great responsibility, the lions’ share of which rests not only with the cloud vendors but with companies’ security leaders who need to find the right balance between charting a secure course for the enterprise, while enabling it to explore opportunities to reap the benefits of true digital transformation.
Daniel Iversen is the Head of Solutions Architecture at Dropbox Asia Pacific.