Understanding Best-in-Class Cloud Security Measures and How to Evaluate Providers
Published 07/11/2011
By Fahim Siddiqui
Despite a broader interest in cloud computing, many organizations have been reluctant to embrace the technology due to security concerns. While today’s businesses can benefit from cloud computing’s on-demand capacity and economies of scale, the model does require they relinquish part of the control over the application and data.
Unfortunately, security controls vary significantly from one cloud provider to the next. Therefore, companies need to make certain the providers they use have invested in state-of-the-art security measures. This will help ensure that a company’s customer security and data protection policies can be seamlessly extended to the cloud applications to which they subscribe. Best practices dictate that critical information should be protected at all times, and from all possible avenues of attack. When evaluating cloud providers, practitioners should address four primary areas of concern — application, infrastructure, process and personnel security — each of which is subject to its own security regimen.
1. Application Security
With cloud services, the need for security begins as soon as users access the supporting application. The best cloud providers protect their offerings with strong authentication and equally potent authorization systems. Authentication ensures that only those with valid user credentials (who can also prove their identity claims) obtain access, while authorization controls allow administrators to decide which services and data items users may access and update. Multi-factor authentication may also be required for access to high-sensitivity privileges (e.g. administrator roles) or high-sensitivity information.
All application-level access should be protected using strong encryption to prevent unauthorized sniffing or snooping of online activities. Application data needs to be validated on the way in (input) and on the way out (output) to ensure security. Robust watermarking features ensure that materials cannot be reproduced or disseminated without permission. More advanced security measures include the use of rights management technology to enforce who can print, copy or forward data, to prevent such activity unless it is specifically authorized, and to impose revocation and digital shredding even after documents leave the enterprise.
2. Infrastructure Security
Best-in-class providers will have a highly available, redundant infrastructure to provide uninterrupted service to their customers. A cloud provider or partner should use real-time replication, multiple network connections, alternate power sources and state-of-the-art emergency response systems to provide complete and thorough data protection. Network and perimeter security are paramount for infrastructure elements. Therefore, leading-edge technologies for firewalls, load balancers and intrusion detection/prevention should be in place and continuously monitored by experienced security personnel.
3. Process Security
Cloud providers, particularly those handling business-critical information, invest large amounts of time and resources into developing security procedures and controls for every aspect of their service offerings. Truly qualified cloud providers will have earned SAS 70 Type II certification or international equivalents. Depending upon geography or industry requirements, they may have enacted measures to keep their clients in compliance with applicable regulations (e.g., the U.S. Food and Drug Administration (FDA) 21 CFR 11 regulations for the pharmaceutical industry). ISO-27001 certification is another good measure of a provider’s risk management strategies. These certifications ensure thorough outside reviews of security policies and procedures.
4. Personnel Security
People are an important component of any information system, but they can also present insider threats that no outside attacker can match. At the vendor level, administrative controls should be in place to limit employee access to client information. Background checks of all employees and enforceable confidentiality agreements should be mandatory.
Putting Providers to the Test
When evaluating a cloud provider’s security approach, it’s important to ask them to address how they provide the following:
- Holistic, 360-degree security: Providers must adhere to the most stringent of industry security standards, and meet client expectations, regulatory requirements and prevailing best practices. This includes their coverage of application, data, infrastructure, product development, personnel and process security.
- Complete security cycle: A competent cloud provider understands that implementing security involves more than technology — it requires a complete lifecycle approach. Providers should offer a comprehensive approach to training, implementation and auditing/testing.
- Proactive security awareness and coverage: The best cloud providers understand that security is best maintained through constant monitoring, and they take swift, decisive steps to limit potential exposures to risks.
- Defense-in-depth strategy: Savvy cloud vendors understand the value of defense in depth, and can explain how they use multiple layers of security protection to protect sensitive data and assets.
- 24/7 customer support: Just as their applications are available around the clock, service providers should operate support and incident response teams at all times.
Tips for Obtaining Information from Service Providers
When comparing cloud providers, it is essential to check their ability to deliver on their promises. All cloud providers promise to provide excellent security, but only through discussions with existing customers, access to the public record and inspection of audit and incident reports can the best providers be distinguished from their run-of-the-mill counterparts.
Ideally, obtaining information about security from providers should require little or no effort. The providers who understand security — particularly those for whom security is a primary focus — will provide detailed security information as a matter of course, if not a matter of pride.
Fahim Siddiqui, chief product officer, IntraLinks – www.intralinks.com
Fahim has been with IntraLinks since January 2008. Prior to joining IntraLinks, he served as CEO at Sereniti, a privately held technology company. He was also the Managing Partner of K2 Software Group, a technology consulting partnership providing product solutions to companies in the high tech, energy and transportation industries. Previously, Fahim held executive and senior management positions in engineering and information systems with ICG Telecom, Enron Energy Services, MCI, Time Warner Telecommunications and Sprint.