Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Question everything: considerations to raise with your cloud service provider

What information do you need to obtain from your cloud provider when it comes to the protection of business-critical data?

By Stephen Coty.

The cloud has well and truly arrived. It's scalable, flexible, cost-effective and offers the huge convenience of not having physical on-site hardware to maintain. However, while these benefits certainly are compelling, these are the only considerations to take into account when undergoing a cloud project. Companies need to do their homework and think about the scale and type of information that will reside within a cloud provider’s infrastructure and give weight to the security of that data.

This is for a number of reasons:

The same type of attacks typical to on-premise data centre/center environments are moving to the cloud: what used to be historically on-premise based attacks, such as malware, botnet and brute force attacks, are now targeting cloud environments. A big driver for this is that businesses are starting to deploy traditional enterprise applications like ERP and virtual desktop infrastructure (VDI) in the cloud. Hackers that see this happen run vulnerability scans and brute force attacks, that attempt to siphon valuable company data, in hopes of finding and taking advantage of lax security policies in the cloud. Furthermore, as more end user applications move to the cloud, malware and botnet attacks follow suit.

The breadth and depth of attacks means that threat diversity in the cloud is on the rise: threat diversity is basically a measurement of how many different types of attacks exist and companies are facing. This year, threat diversity in the cloud increased to rival that of on-premise data centres. This means that companies need to be just as vigilant with the same security sophistication in the cloud that would normally apply to protect an enterprise’s on-premise data centre.

The point solutions typically relied upon to combat these threats are not enough: to gauge the effectiveness of security solutions, such as anti-virus protection, in major public clouds around the world, new patterns of attacks and emerging threats were observed through a honeypot project. One particularly interesting and disturbing observation was that 14 percent of the malware collected was considered undetectable by 51 of the world’s top anti-virus vendors.

Despite this stark reality, it is certainly not to say that businesses should stop using the cloud: there are just way too many benefits. The good news is that there is a lot that organizations can do to protect themselves in the cloud; and the first step is to get educated on what their businesses and applications require from a compliance and security perspective. The following guide to the questions you should be asking your service provider when it comes to security in the cloud is a good starting point. Make sure that the cloud service provider can answer these questions confidently and comprehensively so you feel assured that it takes the security of your business-critical data seriously:

1. What is their data encryption strategy and how is it implemented?
While there are many considerations to give when it comes to encryption, preferably, the cloud service provider will be able to answer questions like who controls the keys and what standard of encryption is used.

2. What is the hypervisor and provider infrastructure patching schedule?
As previously explained, malware and exploits continue to rise, so it is important that the cloud service provider patches and updates their infrastructure on a regular and frequent basis. This will minimise the threats to their customers’ data by fixing any ‘holes’ that malicious actors can exploit to gain access to their systems.

3. How do you isolate and safeguard my data from other customers?
Due to huge capacities, cloud providers often (unless specified as private) house data for more than one company; this is referred to as multi-tenancy. Ask how they segment the data, what controls they have in place to make sure data isn’t accidentally shared, and how those controls are implemented.

4. How is user access monitored, modified and documented?
With offloading your data to a provider, it is difficult to maintain control over who has access to it. So therefore it is important that the provider gives you good, clear documentation and reporting.

5. What regulatory requirements does the provider subscribe to?
There are a number of regulatory controls that a cloud service provider can adhere to in order to demonstrate best practice and compliance. If you are putting card holder information in the cloud, for example, you will want to make sure that the provider is PCI compliant. If it adheres to industry standards, such as ISO27001, it is a good indication that it takes security and the integrity of your data seriously.

6. What is the provider’s back-up and disaster recovery strategy?
Like most services, occasional downtime is an inevitability. Find out what the provider’s track record is on availability and make sure there is transparency into its infrastructure. It may very well be that you will be responsible for your own data backup, so make sure the boundaries are defined and each party knows its responsibilities.

7. What visibility will the provider offer your organization into security processes and events affecting your data?
This is a key component to the security strategy, especially from an audit and forensic stand point. If an incident does occur, be it a breach, cyber attack or uncharacteristic transaction and it needs to be investigated, you want to be armed with every piece of information at your disposal in order to piece together the puzzle of how and why it may have occurred, and more importantly, how the provider remediated the action. Therefore, the provider should be able to tell you how it goes about this process and how you are kept alerted to these instances.

While this is not an exhaustive list of the questions you want to be asking a cloud service provider about the security of sensitive information residing in the cloud, it is a good base point. The answers can help you match your expectations with cloud platforms that fit your criteria to help you implement the right coverage of products, security threat intelligence, analytics/correlation and people to watch over your business critical applications and data. They will help you quickly judge how seriously they take the security of the data that backs and fuels your business and how safe your data will be with the cloud service provider.

The author

Stephen Coty is chief security evangelist for Alert Logic.

•Date: 10th July 2014 • World •Type: Article • Topic: Cloud computing

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here