How Secure is your Cloud?
Cloud security is perhaps the number one topic when it comes to cloud computing, and this is still definitely the case if you look at meetings like CloudCamp, for example. So why then is there not more of a focus on it from the cloud vendors?
In their June report, "Assessing the Security Risks of Cloud Computing", Gartner provided a fairly competent list of questions that customers should raise with their prospective cloud vendors:
1. Privileged user access
2. Regulatory compliance
3. Data location
4. Data segregation (which includes encryption)
5. Recovery
6. Investigative support
7. Long-term viability
Although the list is useful, and I especially like number 7 being raised in a security context, there are a couple of key points missing. While they may be covered in some subtext under these seven items, I personally believe they should be raised to the top level. So here’s my additional set of security topics to raise with your vendor:
8. Internal threat management
9. Portability/access
10. SLAs/Penalties
11. Security in depth
Internal threat management
As we all know too well (or should), the majority of security threats to traditional data centres come from within, and with the cloud you’re passing this issue on to someone else. So what are the internal threat management procedures of your cloud vendor? How do they safeguard your data from prying eyes? Sure, encryption and segregation are elements that help here, but what are the data centre processes themselves?
Portability/access
A real favourite topic out there, one that in many ways overtakes the issue of interoperability, is that of portability. How do I safeguard my ability to move from one cloud to another? Once my data is in a cloud, how easily (how cheaply, how quickly) can I get it off again? Now add to this the question of secure and robust portability and this becomes a really interesting question to ask.
SLAs/Penalties
So if there is a breach of security, what is the cloud vendor’s policy? Is it transparent? Made publicly available? What sort of compensation could you expect? Free hours? SLAs are an obvious discussion point with cloud vendors but are seldom discussed in terms of security.
Security in Depth
This is one I particularly like. It relates to internal threat management and processes, but specifically to the development and creation of the cloud vendor’s infrastructure itself. Clearly clouds don’t just happen; someone has to build them, and that means software engineering. Therefore the vendor’s cloud development processes should be clearly articulated at a software development level. This is one of the key lessons Microsoft has learnt over the years and one I know well.
So what other security questions would you want answered by your prospective cloud vendor?