To some the cloud is a “big-sky” opportunity that will only improve the way they do business. To others it’s more like a fog with a blurry value proposition. I’m a fan of cloud services, but you can't go into the cloud blind. If you’re shopping for a set of cloud services to resell, here are some cloud provider security requirements that you should ask about:
Independently-conducted cloud auditing
While you shouldn’t expect providers to reveal every detail of how they do business (that level of disclosure could itself be a security vulnerability), you should get regular overview reports that provide an executive summary, findings and remediation activities from a business-level standpoint.
If there are any other details that you need to provide for legal and auditing purposes within your organization, your provider should be able to customize the reports. If the service you are looking for requires extra scrutiny, you may want to ask them if there are provisions to do a joint independent vulnerability assessment. If you go that route, be prepared to pay a premium for it.
Intellectual property is a cloud security requirement
At the core of any cloud service you will find multiple blade servers running large numbers of virtual machines (VMs). It’s likely that your information assets will be sharing some living space on those machines. It’s good to know whether the controls that are in place make sense for the level of security and availability you require. High-security VMs should be grouped together, with extra controls applied above and beyond the standard security configuration.
Lifecycle management and tracking metadata
The concern here is not just your information assets, but the metadata surrounding them. In the event of a breach you may be required to provide a virtual paper trail of some sort to show what happened. Metadata such as access times and the login identities used will provide that trail.
There should also be a procedure in place for how VMs are destroyed when they are no longer needed. They’ll likely still contain some of your information assets. Having a plan that includes a “chain of custody” list and an unrecoverable wipe of the VM will help you sleep better at night.
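The two items above, a chain-of-custody record and a verified wipe, can be checked mechanically rather than taken on trust. The following is an added example, not code from the original article or from any provider: it keeps a hash-chained decommissioning log (so that an entry edited or removed after the fact is detectable) and checks a disk image against a zero-fill wipe. The asset ids, actor names and disk contents are constructed samples, and the zero-fill pattern is an assumption; a provider that overwrites with random data would need the check adapted.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not from the original article. Illustrates two things the
# text asks for when a VM is retired: a tamper-evident chain-of-custody
# record and a check that the wipe actually left nothing behind.
# Asset ids, actor names and disk contents below are constructed samples.

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(body: dict) -> str:
    """Canonical SHA-256 over an entry's fields (excluding its own hash)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    """Append-only log in which each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, asset_id, actor, action, detail="", when=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "asset_id": asset_id,
            "actor": actor,               # who performed the step
            "action": action,             # what was done
            "detail": detail,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,            # links this entry to the one before
        }
        entry = dict(body, hash=_entry_hash(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, count) if the chain is intact, else (False, index)
        of the first entry that was edited, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def wiped(image: bytes, block_size: int = 4096):
    """Check a disk image against a zero-fill wipe (assumed pattern).
    Returns (True, None) if every block is zero, else (False, offset) of the
    first block that still holds data."""
    for off in range(0, len(image), block_size):
        if any(image[off:off + block_size]):
            return False, off
    return True, None


def decommission(log, asset_id, actor, image_before, image_after):
    """Record the retirement of one VM disk and whether its wipe verified."""
    log.record(asset_id, actor, "decommission-requested")
    # Fingerprint of the disk as it was, so the record ties to a specific image.
    log.record(asset_id, actor, "pre-wipe-fingerprint",
               hashlib.sha256(image_before).hexdigest())
    ok, off = wiped(image_after)
    log.record(asset_id, actor,
               "wipe-verified" if ok else "wipe-failed",
               "all blocks zero" if ok else f"data remains at offset {off}")
    return ok


# Constructed sample images: 16 KiB of tenant data, a clean wipe, and a
# wipe that missed the third 4 KiB block.
SAMPLE_BEFORE = b"customer-record:" * 1024            # 16 bytes * 1024
SAMPLE_WIPED = bytes(len(SAMPLE_BEFORE))
SAMPLE_PARTIAL = bytearray(SAMPLE_WIPED)
SAMPLE_PARTIAL[8192:8192 + 16] = b"customer-record:"
SAMPLE_PARTIAL = bytes(SAMPLE_PARTIAL)

if __name__ == "__main__":
    log = CustodyLog()
    print("clean wipe ok:", decommission(log, "vm-0042", "ops-admin", SAMPLE_BEFORE, SAMPLE_WIPED))
    print("partial wipe ok:", decommission(log, "vm-0043", "ops-admin", SAMPLE_BEFORE, SAMPLE_PARTIAL))
    print("chain intact:", log.verify())
    log.entries[1]["actor"] = "someone-else"   # simulate after-the-fact editing
    print("chain after tamper:", log.verify())
```

The point of chaining the hashes is that the log itself becomes evidence: if a provider hands you such a record, you can confirm that the steps were captured in order and not rewritten later, which is the property a "chain of custody" list is meant to give you. The wipe check is deliberately simple; what matters is that verification happens on the image after the wipe, not that the wipe was requested.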
Physical security is a cloud security requirement
Admittedly I’m being a bit paranoid, but does the cloud provider’s physical data center site scream “I have valuable stuff in here”? Hopefully not. The more nondescript the facilities look, the better. Inside the data center, mission-critical systems should be physically sectioned off and proper physical access controls applied.
What security controls are you responsible for?
Once you offload your business processes into the cloud, that doesn’t necessarily mean that your security responsibilities end there. You’ll want to get a clear delineation as to where responsibilities begin and end between you and the provider.
This of course is not an exhaustive list, but rather some food for thought. Those cloud providers that are serious players in the game will get this and can likely provide most of this information up front. Those that don’t are not offering the clouds you’re looking for.
Chris Squier, CISSP CISM is a senior technology solutions engineer who specializes in IT security, convergence security, business continuity, identity, risk management and preparation mitigation. He works for Ingram Micro Inc., the world’s largest technology distributor. Chris.Squier@IngramMicro.com, www.ingrammicro.com