Top Six Security Questions Every CIO Should Ask a Cloud Vendor

By Ian Huynh, Vice President of Engineering, Hubspan

Cloud computing has become an integrated part of IT strategy for companies in every sector of our economy. By 2012, IDC predicts that IT spending on cloud services will grow almost threefold to $42 billion. So it’s no surprise that decision makers no longer wonder “if” they can benefit from cloud computing. Instead, the question being asked now is “how” best to leverage the cloud while keeping data and systems secure.

With such an astounding amount of cloud computing growth expected in the next few years, it’s important for all executives, not just IT professionals, to understand the opportunities and precautions when considering a cloud solution. Security questions can span from whether information transferred between systems in the cloud is safe to what type of data is best stored in the cloud to how do I control who accesses my data?

It’s important to arm executives with actionable advice when considering a cloud computing service provider. Below is a list of the top six questions every CIO should consider when evaluating how secure a cloud solution is:

1. 1. How does your vendor plan on securing your data?

You need to understand how your provider’s physical security, personnel, access controls and architecture work together to build a secure environment for your company, your data and your external partners or customers that also might be using the solution.

Application Access Control

For application access control, think front-end as well as back-end. While there may be rigorous user access management rules when the application is accessed via the application interface (i.e. front-end), what about system maintenance activities and related accesses that are routinely performed by your cloud vendor, on the back end, to ensure optimal application and system performance? Does your cloud vendor also apply the same rigorous access control, if not more?

Physical Access Control

Most people are familiar with application access control and user entitlements, but physical access control is just as important. In fact, many people forget that behind every cloud platform is a physical data center, and while it’s easy to assume vendors will have robust access controls around their data center, this isn’t always the case. Vendors should limit physical access to not only the overall data center facility but also to key areas like backup storage, servers and other critical network systems.

Personnel Access Control

Personnel considerations are another aspect of network security closely related to physical access control. Who does your vendor let access your data and how are they trained? Do they approach operations with a security-centric mindset? The security of any platform depends on the people that run it. This means that HR practices can have a huge impact on your vendor’s security operations. Smart vendors will institute background checks and special security training for their employees to defend against social engineering and phishing attacks.

Architecture

Your cloud vendor’s solution needs to keep your data separate from that of other cloud tenants that use the same platform. This should be a primary concern when your data resides in “virtual private clouds,” where there is an expectation of stronger segregation controls. As your data is stored in the same storage space as your neighboring tenants, you need to know how your cloud vendor will ensure that your data isn’t illegally accessed.

Also, the overall level of security for cloud applications needs to be addressed. Depending on your vendor’s architecture, there may be customers with differing security needs operating within the same multi-tenant environment. In these cases, the entire system needs to operate at the highest level of security to avoid the “weakest link syndrome.” Incidentally, this highlights one of the benefits of cloud computing – you can have the benefits of world-class security without the cost of building and the maintaining such infrastructure.

1. 2. Do they secure the transactional data as well as the data at rest?

Most vendors claim strong data encryption but do they truly provide end-to-end encryption with security in place while the data is at rest or in storage. Also, cloud security should go beyond data encryption to include encryption key management, which is a vital part of any cloud security scheme and should not be overlooked.

Data Encryption

Most data centers don’t encrypt their data at rest, encrypt their backups or audit their data encryption process – but they should. A truly secure system would take these considerations into account. Data in backups will likely stick around much longer than the information that is currently on your servers. A mandate that provides strong guidance for data encryption is the Federal Information Processing Standards (FIPS)-140 security standard. This standard specifies the requirements for cryptology modules. Ask your vendor if they adhere to FIPS guidelines.

Key Security

How are encryption keys stored and secured? You can encrypt all of your data, but the encryption keys are the proverbial "keys to the kingdom." Best practices call for splitting the knowledge of each key between two or more individuals – hence, to re-construct an entire key, you need all those individuals present for authorization.

Furthermore, where business practice requires that at least one person in the company has knowledge of the entire key (e.g. the CEO or CSO), then procedures and processes should be in place to ensure that those individuals with the knowledge cannot access the data (e.g. they may have the key but cannot get access to the lock to open it – hence, there’s still a degree of separation).

1. Does the vendor follows secure development principles?

A truly secure cloud platform is built for security through and through. That means security starts from “ground zero” – the design phase of the application as well as the platform. It simply isn’t enough to operate your system with a security-centric mindset; you have to design your system using the same guiding principles, following an unbroken chain of secure procedures from conception in the lab to real-life implementation. This means that design reviews, development practices and quality assurance plans must be engineered using the same strict security guidelines you would use in a production data center.

1. 4. What are the vendor’s security certifications, audits and compliance mandates?

There are many regulations in the market, but the two most important ones covering cloud security and data protection are PCI DSS and SAS 70 Type II mandates.

Consider vendors that follow the industry standard PCI DSS guidelines, developed and governed by the Payment Card Industry Security Standards Council. It is a set of requirements for enhancing payment account data security. While created for the credit card and banking industries, it is relevant for any sector, as the goal is keeping data safe and personally identifiable information protected.

Another major control mechanism is the Statement on Auditing Standards No. 70 (SAS 70) Type II. SAS 70 compliance means a service provider has been through an in-depth audit of their control objectives and activities.

In addition to these certifications, there are a couple of other associations and groups the vendor should acknowledge and use as guidance in prioritizing data security issues. They are the Open Web Application Security Project (OWASP), which has a top ten list outlining the most dangerous current Web application security flaws along with the effective methods of dealing with them. And the Cloud Security Alliance (CSA), an industry group that advises best practices for data security in the cloud.

In addition to third-party compliance, the cloud vendor should be engaging in their own annual security audits. Your vendor should have scheduled audits and include penetration tests using an independent third-party audit provider to evaluate the quality of the security provided with your cloud vendor. Although the PCI version 1.2 specifications only mandate annual security audits, find a vendor that goes above and beyond. There are vendors that perform quarterly audits, four times what is considered typical industry specifications.

1. 5. How does your vendor detect a compromise or intrusion?

Attempts by hackers to breach data security measures are becoming the norm in today’s high-tech computing environment. Whether you maintain your infrastructure and data on premise or in the cloud, the issues of securing your data are the same.

Your cloud vendor should include strong mechanisms for both intrusion prevention, or keeping your data safe from attack or a breach; and intrusion detection, which is the ability to monitor and know what’s happening with your data and if or when an intrusion happens. The vendor should be able to monitor, measure and react to any potential breach, particularly the ability to monitor access to its systems and detect any unauthorized changes to systems, policies or configuration files.

Also, what does your vendor do when things go wrong and is that communicated to you? A good Service Level Agreement (SLA) would have an intrusion notification clause built-in. A great SLA provides some transparency into the vendor’s operations in the areas of audits and compliances, and how those processes are comparable to your own requirements.

1. 6. What are their disaster recovery plans and how does data security figure into those plans?

Your vendor’s security story needs to include their business continuity plan. First of all, they need to have a failover system or back-up data center. They should also be able to convincingly demonstrate to you that they can execute their backup plan. Many of the biggest cloud computing outages in recent memory were the result of a failure of disaster recovery processes.

Secondly, this secondary datacenter must have all of the same security processes and procedures applied to it as the primary one. It’s no good to have a second system in place, if you cannot operate securely in that environment.

Finally, if there were some sort of impending disaster, they need to notify you in advance. Keep in mind that you may not always know where your data is physically located, so the onus of reporting is on your provider.

Your vendor’s plan for securing your data should be a like a well-choreographed dance with a strong beginning, middle and end. Their system needs to be protected at the network and application layers and begin with the development process. Access control policies should span the entire operation. The vendor needs to have a coherent plan that protects data at all times, whether in motion or at rest. They need to include robust compliance, auditing and reporting processes, to ensure the integrity of the overall security scheme. And, your vendor should have robust disaster recovery procedures in place, and be able to show you that they are capable of executing them.

While cloud computing brings many benefits, all clouds are not created equal. Make sure your vendor provides the security you need to confidently move your data to the cloud.

Ian Huynh, Vice President of Engineering, Hubspan

Ian Huynh has over 20 years’ experience in the software and services markets, with particular expertise in cloud computing, security and application architecture. Ian has been featured in publications such as Network World and CS Techcast, a technology network for IT pros. Prior to joining Hubspan, Ian served as Software Architect at Concur Technologies, and has held technical leadership positions at 7Software and Microsoft Corp.