These days it’s nearly impossible to avoid accessing cloud-based information storage and services. That’s why it’s essential to understand how best to measure and monitor cloud security risks and ensure data security in cloud computing.
In the Cloud, Who’s Really in Control?
When data resides in the cloud, or services originate or terminate there, the provider on the other side of the internet connection ultimately controls what is stored on and running in its systems. Individuals, organizations and companies therefore lose direct, hands-on control over system, application and data security in the cloud.
In turn, the existing, well-understood best practices for establishing and maintaining information security may not be available to security teams or IT professionals at all; they may be available only in stripped-down or abbreviated form, or be visible but beyond those teams' control.
That’s why consumers of cloud storage and services must read contract language and service level agreements (SLAs) closely before doing business with a cloud service provider. Recognize that control verification and audit reporting in cloud environments may be less detailed, and less readily available, than your audit or security teams require. Such access can be crucial for regulatory compliance regimes such as HIPAA (for patient medical records) or PCI DSS (for credit card transactions and records).
6 Things You Should Get from a Cloud Service Provider
Consumers of cloud services must assess and accept cloud service providers’ offerings with eyes wide open, fully understanding what they are paying for and which cloud security risks they are accepting.
This includes, but is not limited to, the following points, all of them worth insisting upon:
- Data in Motion, in Use and at Rest Cloud service providers (CSPs) should explain how they protect data in motion (moving between client and provider), in use (inside applications or services at runtime) and at rest (stored in the cloud). At minimum, get written assurance of strong encryption in transit and at rest, and establish who holds and manages the encryption keys, since a provider that holds your keys can read your data. Ask specifically what, if anything, the provider does for data in use, which is the hardest of the three to protect.
- Access Controls and Audit Reports The CSP should have well-defined access controls for its own staff, backed by complete, ongoing audit trails of in-house access and activity. It should be able to explain and document those controls: the rules that govern when and how its employees or contractors may access your data and services, and how such access is approved and recorded. It should also be contractually obliged to supply complete audit records of every action its staff or contractors take involving your data, within a reasonable, well-defined time after you request them.
- Regulatory Compliance When data or services fall under a compliance regime (such as those for patient records or credit card transactions), the provider should be able to explain how it meets the requirements that apply to it. It should also be contractually obligated to support the disclosure and reporting you must perform to demonstrate and document compliance, including breach notification should a reportable incident occur, as they sometimes do.
- Data Security Policies The security best practices you apply to in-house data and services should apply equally to data and services that live in the cloud or move into and out of it. In the simplest terms, create and maintain a well-defined security policy for all data and services, and understand how security and risk management work across the whole organization; only then can you identify cloud security issues in the context of your organization. Those practices span the full range of IT responsibilities, including patch and configuration management, virtualization security, application security and change management, together with a clear understanding of policy requirements, processes and procedures, risk assessment and governance (which covers both compliance regimes and legal concerns).
- Security Assessments Testing and auditing a cloud provider is as important as testing and auditing in-house systems, storage and environments. The CSP should perform security assessments on a regular schedule, continually evaluate its audit trails and monitoring data, and be able to show you the results; independent audit reports and certifications are the usual evidence that controls exist and operate as described. Such testing helps confirm that data, networks and applications or services are adequately encrypted, and that identity management and access controls are in place and working as they should.
- Incident Response and Management The provider must also document and demonstrate its ability to assist with, or carry out, security incident response and management as part of your overall incident-handling process. Learning to work with the CSP’s security and IT staff matters as much as internal cooperation always has, given the control you surrender to the provider when you move to the cloud.
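As an added example (not code from the original article or from any provider), here is a small Python review of the kind of staff-access audit export the "Access Controls and Audit Reports" point asks for, checked against the access requests the customer actually approved. The JSON Lines record format, the field names, the ticket identifiers and the sample events are all constructed assumptions; a real provider's export will differ. The check itself is the point: every provider-staff action on your data should map to an approved request, performed by the approved person, inside the approved time window, and anything else is a finding to raise with the provider.

```python
"""Review a CSP staff-access audit export against customer-approved access requests.

Added example, not from the original article. The record layout below (JSON Lines
with time/actor/action/resource/ticket fields) and every sample value are constructed
assumptions; adapt the field names to whatever your provider actually exports.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: access requests the customer approved, each naming the one
# provider employee allowed to act and the window in which they may do so (assumed format).
APPROVED_REQUESTS = [
    {"ticket": "CHG-1001", "actor": "csp-sre-alice",
     "start": "2017-09-01T08:00:00Z", "end": "2017-09-01T12:00:00Z"},
    {"ticket": "CHG-1002", "actor": "csp-sre-bob",
     "start": "2017-09-02T00:00:00Z", "end": "2017-09-02T01:00:00Z"},
]

# Constructed sample: the provider's audit export for one tenant, one JSON object per line.
AUDIT_EXPORT = """\
{"time":"2017-09-01T09:15:00Z","actor":"csp-sre-alice","action":"read","resource":"tenant-42/db/patients","ticket":"CHG-1001"}
{"time":"2017-09-01T10:00:00Z","actor":"csp-sre-dave","action":"read","resource":"tenant-42/db/patients","ticket":"CHG-1001"}
{"time":"2017-09-01T13:30:00Z","actor":"csp-sre-alice","action":"read","resource":"tenant-42/db/patients","ticket":"CHG-1001"}
{"time":"2017-09-02T00:20:00Z","actor":"csp-sre-bob","action":"export","resource":"tenant-42/backups","ticket":"CHG-1002"}
{"time":"2017-09-02T00:25:00Z","actor":"csp-sre-bob","action":"export","resource":"tenant-42/backups","ticket":"CHG-1002"}
{"time":"2017-09-03T22:05:00Z","actor":"csp-support-carol","action":"read","resource":"tenant-42/db/patients","ticket":""}
{"time":"2017-09-03T22:06:00Z","actor":"csp-sre-bob","action":"read","resource":"tenant-42/db/patients","ticket":"CHG-1002"}
{"time":"2017-09-04T03:00:00Z","actor":"csp-sre-erin","action":"read","resource":"tenant-42/db/patients","ticket":"CHG-9999"}
"""


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text):
    """Turn the JSON Lines export into a list of dicts with a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["time"] = parse_ts(record["time"])
        events.append(record)
    return events


def review_access(events, approvals):
    """Return one finding per event that is not covered by a matching approval.

    Reasons: no_ticket (access with no justification), unknown_ticket (ticket the
    customer never approved), actor_mismatch (someone other than the approved
    person used the ticket), outside_window (right person, wrong time).
    """
    by_ticket = {a["ticket"]: a for a in approvals}
    findings = []
    for ev in events:
        ticket = ev.get("ticket") or ""
        reason = None
        if not ticket:
            reason = "no_ticket"
        elif ticket not in by_ticket:
            reason = "unknown_ticket"
        else:
            approval = by_ticket[ticket]
            if approval["actor"] != ev["actor"]:
                reason = "actor_mismatch"
            elif not (parse_ts(approval["start"]) <= ev["time"] <= parse_ts(approval["end"])):
                reason = "outside_window"
        if reason:
            findings.append({"time": ev["time"], "actor": ev["actor"],
                             "resource": ev["resource"], "ticket": ticket, "reason": reason})
    return findings


def summarize(findings):
    """Count findings by reason, which is what you would put in front of the provider."""
    return dict(Counter(f["reason"] for f in findings))


if __name__ == "__main__":
    found = review_access(parse_export(AUDIT_EXPORT), APPROVED_REQUESTS)
    for f in found:
        print(f"{f['time'].isoformat()} {f['actor']:<18} {f['resource']:<24} "
              f"ticket={f['ticket'] or '-':<9} {f['reason']}")
    print("summary:", summarize(found))
```

Run against the constructed export, the review flags five of the eight events: one access by someone other than the approved engineer, two accesses outside their approved windows, one with no ticket at all, and one citing a ticket the customer never approved. In practice the same script is only as good as the export it is fed, so pair it with the contractual right to receive a complete export on request and with a check that the export actually covers the period you asked for.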
As always, the real responsibility for security rests with the owners of the data and services, not with the service provider; delegating services and storage to the cloud does not transfer it. It is therefore essential for consumers of cloud computing to make sure that security is understood, working properly, and fully documented and audited, especially when the provider is the one managing and monitoring it. By ensuring that security is provided as part of the package, and by staying vigilant that it keeps working as it should, you can be confident that your cloud service provider is helping you manage and mitigate security issues in cloud computing.
Do you manage your organization’s cloud services? Take the CompTIA Cloud+ (CV1-002) beta exam by October 27, 2017, to help us fine-tune our latest update.
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to more than 100 books on many computing topics, including titles on information security, Windows OS and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise Desktop), Tom's IT Pro and GoCertify.