Editor's note: Customers are jumpy about potential cloud computing security risks, and cloud providers must be ready with bulletproof answers for their barrage of questions. In the second part of this two-part series on cloud security, expert Neils Johnson offers a cheat sheet of customer questions every cloud provider should be prepared to answer. Don't forget to check out the first part of this series, Building a secure cloud: What customers want from providers.
Customers will not skirt the issue of cloud computing security risks, and cloud providers must be ready with thorough, auditable and bulletproof answers to those questions.
Let's pretend I am the CIO of the Sunny Daze Childcare and Nuclear Submarine Company. I have a huge number of mission-critical applications and the data growth is average -- 62% annually. The corporate data center is flooding with requests for storage, and my compliance requirements are mind-boggling. Fully managed cloud storage, Infrastructure as a Service (IaaS) and Software as a Service (SaaS) are becoming very attractive, but security is the top priority. And the ugly truth is there are cloud computing security risks: Bad people want to steal my own clients' personal data and information about nuclear submarines.
In this hypothetical customer scenario, I intend to move most -- if not all -- of my data and applications to the cloud. I will start small and gradually adopt more cloud services as I become more confident in my cloud provider's ability to prevent and mitigate potential threats. The cloud provider that wins my business is the one that provides the best answers to questions regarding my most critical concern -- cloud computing security risks.
Cheat sheet: Be ready to answer these customer questions on cloud security
Although the above "customer" is fictitious, the concerns and expectations are quite real. Customers will not skirt the issue of cloud computing security risks, and cloud providers must be ready with thorough, auditable and bulletproof answers to those questions.
Below is a cheat sheet of cloud security questions that providers should anticipate from customers. These are in no particular order of importance nor are they exhaustive in scope. This list, however, demonstrates the general topics of discussion that any CIO or CISO will expect a cloud provider to respond to with clarity and documentation, as well as insight into underlying concerns that should help to position a response.
- What encryption algorithms are in use? Are they vetted? Are they strong? Customer concern: All unencrypted data is vulnerable, regardless of where it is stored.
- How are you using third-party security tools to identify and address potential cloud computing security risks and vectors for attack? What kind of reporting will you provide me with? Customer concern: I'd like to know that you are getting preemptive information about malware and exploitable vulnerabilities.
- What are your policies regarding patch management? How will I be updated regarding patch status? Customer concern: About 80% of all exploits in 2010 would have been prevented if patch levels had been up to date. I'd like your patch management policy to be at least at parity with mine, if not better.
- How will your engineers be notified of a potentially exploitable vulnerability in your cloud? Where do you get that information? How timely is it? How is it addressed? Customer concern: On average, the security industry isn't aware that malware writers have released beta code to exploit vulnerabilities until 3.5 days after the vulnerability is exposed. That means you may not know the vulnerability exists. That exposes my data to attack, and I am not meeting compliance requirements if you don't have it documented.
- How do you deal with cloud compliance requirements? Customer concern: Seventeen new potentially exploitable vulnerabilities surface every day, and all of my compliance documentation requires acknowledgement of the existence of the vulnerability and its instances within your environment. How will you track those updates? How will you notify me?
- What are your disaster recovery and business continuity plans and processes? How are they tested and how often? How are those processes and plans aligned with my processes and plans? Customer concern: I need to know how you will respond to my required recovery time objectives and response time objectives.
- How are you separating and segregating duties to limit or eliminate insider abuse within your organization? Customer concern: I want to know that no single person has complete authentication or authorization to move, manipulate, manage or manhandle my data.
- With respect to legal and e-discovery considerations in the cloud, how will activities such as litigation hold, discover searches and providing expert testimony be addressed? Customer concern: How quickly you would be able to respond to subpoenas, service of process or other legal requests? Can you demonstrate that for me?
- How do you deal with data loss prevention in the cloud? Is my data commingled with other clients' data, separated only by a tag? Customer concern: Assure me that none of my information is going to be inappropriately released.
Cloud computing security risks: Find safety in numbers
I wish I could say that these are all of the questions cloud providers should expect from customers and that their answers are fixed and absolute. In the world of cloud security, the truth is that any answer is yesterday's answer. Security on any level is an art form, and the hackers have and exercise a huge advantage over the white hats. They share everything there is to know about exploiting security holes -- chat rooms, forums, tools and source code are all available if you know where to look. They do a great job of spreading and exercising new technology.
But what would happen if cloud providers were to share cloud security best practices with each other? What would happen if they were to discuss cloud computing security risks, issues, concerns, breeches and new policy requirements with their peers? Three, four or five heads are better than one, and the exchange of ideas and experiences would be much more practical, applicable and organic than the static cheat sheet and considerations above. Cloud providers may compete with each other at a variety of levels, but should security be one of them? The timbers used to fortify the security of your cloud services could be cut from the same forest as your competitor. Neither of you are in the timber business.
I believe that the oldest axiom of security is more relevant today than ever before: There is security in numbers.
Read the part one of this series: Building a secure cloud: What customers want from providers
About the author: Neils Johnson is a consulting strategist at ACG Research. He has more than 20 years of experience in the security industry, including more than over 16 years with Symantec, where he continues to present, teach and offer security expertise to sales, CXOs and partners focusing on security for their customers.