How to choose a secure CSP


I recently found myself at the opening of the new Alert Logic European HQ and Security Operations Centre in Cardiff. Just down the road in Newport, you can find its UK datacentre. I mention this as security and datacentres are inextricably linked, and never has this been more true than since the emergence of the cloud as a primary business driver.

Think about it: the cloud is increasingly sitting at the heart of your strategic business execution, which in turn means that the datacentre is right there at the heart of it as well. It's also firmly in the cross hairs of the bad guys, whether as a platform for launching DDoS attacks or as a target for stealing data directly. Which means, bottom line, that the datacentre and the cloud have to be part of your overall security posture; and in turn that means you need to be able to satisfy yourself that your CSP takes security as seriously as you do. But how?

First of all, let's get one thing clear: a good security posture should encompass the cloud provider but not obsess over it. Don't develop tunnel vision here, and remember that ultimately it is you who are responsible for whether your posture is a strong or a weak one. Equally, don't assume you can ignore the CSP factor just because you have adopted a forward-thinking, de-perimeterised approach, in which the 'borders and boundaries' of the traditional perimeter-protection network security model are replaced by encryption and authentication that secure every network point from front to back. Those controls protect data in transit and prove who is talking to whom; they say nothing about how the provider runs the hosts, storage and staff on the other side.

Good security is all about balance in implementation (between usability and functionality, risk and reward) and that includes performing due diligence in your choice of CSP.

Doing your homework is, of course, easier said than done out in the real world. If every CSP allowed every prospective customer to throw a security audit team at it, the cost of service provision would increase dramatically, assuming the CSP could stay in business at all under the additional workload. Equally, with cloud continuing to be a largely value-driven technology, potential customers would be far fewer once the cost of independent auditing was added to the overall bottom line. Which begs the question: how do you put the undoubtedly important theory of risk assessment and security auditing into real-world practice?

The answer is two-fold: ask the right questions, and ensure that the right answers are available for you to see. CSPs are not stupid, and they are fully aware that, more than ever post-Snowden, business understands the importance of the security question.

Yes, they will focus on cost because that is the bottom line, but not at the expense of security, and if you ask the right questions then answers should be happily given. Knowing what the right questions are, however, is a different kettle of cloudy fish. I have heard far too many tales of real-world woe from the enterprise IT security chap who has been instructed to write it up and run it past the lawyers in response to the CSP security problem. That kind of approach only works if what is being 'written up' is comprehensive and pertinent, and given the time and other workload constraints placed on most IT security chaps these days, the chances are that it won't be.

A one-man-band approach to accurate on-the-fly auditing of multiple CSPs, let alone accurate comparisons and conclusions drawn from that analysis, is doomed to fail. More often than not, then, the SME without the luxury of a dedicated IT security team to handle such tasks will fall back on the 'just evaluate the most likely candidate' option; an option that is far from optimal if you have no baseline against which to compare the results.

So what sort of questions should you be asking of a potential CSP in order to determine how secure it is? Good question, and within the context of an article such as this I can only offer the broadest of generic answers; three of perhaps the most important are presented below.

1. Have you been audited, by whom and when, and can I see the full report please?

This is always a good starting point when it comes to gauging how seriously a CSP takes security. While it may not allow security auditing willy-nilly, it should have had an independent audit performed and be happy for you to see the result. Even if this was done as part of a certification process, and they are duly certified, in the name of transparency it should not be problematic to let you see the report itself rather than just the certificate: the scope, the date, the systems covered and any findings that were carried forward are what tell you whether the certification means anything for the service you would actually be buying.

Don't forget to look beyond the box-ticking of any security certification process, and roll your sleeves up to ask your CSP how it deals with the security auditing of its partners. Yes, I know, it's a contentious issue, but with third-party supply chain and partner insecurity increasingly responsible for data breaches it's one that is worth pursuing nonetheless. Think of it as letting them know that you know about the supply chain risk; the way they handle the question can in itself provide some insight into the security relationship you can expect from them if you become a customer.

2. Where will my data be located?

This is becoming an increasingly important question in light of proposed changes to EU privacy directives. Don't stop at the primary copy: ask where your secondary copy will be stored, as some providers replicate to a US store by default, and ask where backups and archives are kept, since those are the copies most often forgotten when a provider describes its 'data location'.

Ask what legal jurisdiction your cloud contract comes under, and where the CSP business itself is registered, for the same reasons. If your CSP cannot or will not answer all of these with precision (a country, not 'Europe' or 'the EU region'), or cannot geographically ring-fence your data, it suggests that real data privacy (and by implication security) is not a priority for them.
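The set of answers above (primary, secondary, backup and archive locations, contract jurisdiction, country of registration) is worth recording and scoring the same way for every candidate so that you have the baseline the article says most SMEs lack. The following is an added example of such a check, written for this page rather than taken from it: it is not code from the author or from any provider, the provider names, field names and the allowed-country list are assumptions, and the two sets of answers are constructed for illustration. It flags any copy whose location was not answered, answered imprecisely (a bloc or region rather than a country), or falls outside the countries you are willing to hold data in.

```python
from dataclasses import dataclass
from typing import Optional

# Countries (ISO 3166-1 alpha-2) this customer will accept data in. Constructed
# for the example; a real list comes from your own legal and privacy requirements.
ALLOWED_COUNTRIES = {"GB", "IE", "DE", "FR", "NL"}

# Every copy the CSP keeps must be pinned to a country, not just the live one.
COPY_KINDS = ("primary", "secondary", "backup", "archive")


@dataclass
class CspAnswers:
    """What a prospective CSP told us about data location (hypothetical field names)."""
    name: str
    # copy kind -> ISO alpha-2 country code; a missing kind means the CSP would not say
    locations: dict
    contract_jurisdiction: Optional[str]   # country whose law governs the contract
    registered_in: Optional[str]           # country the CSP legal entity is registered in


def _is_precise(value: str) -> bool:
    """A precise answer is a single country code, not a bloc or a region.

    'EU' is shaped like a country code but is a bloc, not a jurisdiction, so it is
    rejected explicitly; 'Europe', 'US region' and the like fail the length check.
    """
    return len(value) == 2 and value.isalpha() and value.isupper() and value != "EU"


def assess_residency(answers: CspAnswers, allowed=ALLOWED_COUNTRIES) -> list:
    """Return residency findings for one provider; an empty list means it can ring-fence the data."""
    findings = []
    checks = [(kind, answers.locations.get(kind)) for kind in COPY_KINDS]
    checks += [("contract jurisdiction", answers.contract_jurisdiction),
               ("CSP registered in", answers.registered_in)]
    for label, value in checks:
        if value is None:
            findings.append(f"{label}: not answered")
        elif not _is_precise(value):
            findings.append(f"{label}: imprecise answer {value!r}")
        elif value not in allowed:
            findings.append(f"{label}: {value} is outside the allowed countries")
    return findings


# Constructed sample answers from two hypothetical providers.
RING_FENCED = CspAnswers(
    name="Provider A",
    locations={"primary": "GB", "secondary": "IE", "backup": "GB", "archive": "IE"},
    contract_jurisdiction="GB",
    registered_in="GB",
)

LEAKY = CspAnswers(
    name="Provider B",
    # secondary copy falls back to a US store, no answer for backups, archive given as 'EU'
    locations={"primary": "GB", "secondary": "US", "archive": "EU"},
    contract_jurisdiction="US",
    registered_in="GB",
)

if __name__ == "__main__":
    for provider in (RING_FENCED, LEAKY):
        findings = assess_residency(provider)
        print(provider.name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed answers, Provider A produces no findings, while Provider B is flagged four times: the US secondary copy, the unanswered backup location, the imprecise 'EU' archive answer and the US contract jurisdiction. Treating an unanswered question as a finding rather than a blank is the point; a provider that cannot tell you where your backups are is giving you an answer.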

3. What vetting is performed on staff prior to employment?

What controls are in place to limit physical and logical access to buildings and systems? What controls are in place to monitor the actions of staff and their access to systems and data, and are those records something you could be shown after an incident? All of this might make you sound a tad paranoid, but you have good reason to be, as many data breaches can be traced back to an inside job. The CSP that treats the insider risk as serious and deals with mitigating it as efficiently as possible is the CSP that understands that risk is as deep as it is long.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.