
The Bare Essentials of Cloud Security

By keith.prabhu@confidis.co  Published On September 14, 2018

(Note: in this article, "Cloud" always means the PUBLIC cloud.)

The adoption of the Cloud has been quite erratic.

Many organizations embraced the Cloud because they were swept up in the hype. They later realized the compliance and security risks the Cloud entailed; it was not the silver bullet they were expecting!

Several organizations decided never to venture near the Cloud because of fears related to security. Recently I was at a small company, and they were mortified about adopting any Cloud solution because of security concerns.

Having helped define what exactly Cloud Security entails through my involvement with the Cloud Security Alliance and ISC2, and having worked with several organizations, I think I can say with some conviction what the bare essentials are that organizations must understand to be secure in the Cloud:

The Cloud definitely means a loss of control: you have to depend on, and therefore TRUST, a third party that hosts your application or instance.

WHAT THIS MEANS: You have to ensure that the third party is trustworthy. How do you do that?

  1. Check whether the vendor is reputable
  2. Check whether the vendor holds the basic hygiene certifications (ISO 27001, SOC 2, ISO 22301) and ask for the reports and scope, not just the logo
  3. Do your own audits of the vendor where possible (mostly feasible with small ISVs)
  4. Ensure that you have SLAs with penalties in place
  5. Ensure that the Cloud Service Provider agrees and adheres to your Information Security
  6. Get the NDAs/SLAs checked by a proper techno-legal person or organization. Sounds complicated? Yes, it is...

If you store data in the Cloud, ensure that it is encrypted and, where possible, that you manage the keys yourself

WHAT THIS MEANS: You must ensure data encryption at rest and in transit. How do you do that?

  1. If your IaaS vendor gives you the ability to manage your own keys (bring your own key, or an external key manager/HSM), go for it!
  2. Ensure all communications with your instance/application go over SSH, HTTPS (TLS) or another encrypted channel; never plain HTTP, FTP or Telnet
  3. Use strong, current encryption (for example AES-256 for data at rest and TLS 1.2 or later in transit); avoid deprecated algorithms and protocol versions
  4. Put in place a key management process covering generation, storage, access control, rotation and revocation of keys

Geo-location of data can be a major issue for regulated industries like banking and insurance

WHAT THIS MEANS: If the vendor does not have a datacenter in your country (or in a jurisdiction your regulator accepts), your Cloud initiative may be a NON-STARTER. The earlier you check this, the better, so that a lot of your hard work does not go down the drain!

Even if the Cloud Service Provider has a datacenter in your country, it does not mean that your data is 100% safe from access by others

WHAT THIS MEANS: Cloud Service Providers are often subject to the laws of the country in which they are incorporated, regardless of where the datacenter sits. If that government requests your data from the Cloud Service Provider, albeit through legal means, the Cloud Service Provider may be obliged to hand it over WITHOUT EVEN NOTIFYING YOU. What do you do?

  1. If your data is of such a sensitive nature, don't put it in the Cloud
  2. If you must use the Cloud, ENCRYPT, ENCRYPT, ENCRYPT (needless to say with STRONG ENCRYPTION and SELF-MANAGED KEYS: if the provider never holds the key, what it can hand over is only ciphertext)
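The two points above (encrypt at rest with keys you manage, and keep the provider, and anyone it is compelled to hand data to, holding only ciphertext) come down to envelope encryption. The following is an added example in Go, not code from the article: a per-object data-encryption key (DEK) protects the data, and a customer-held key-encryption key (KEK) wraps the DEK. Only the `Envelope` is uploaded; the KEK stays in the customer's own HSM or key manager (assumed, not shown). Object names, the sample record and the function names are constructed for the example. `Rewrap` shows the key-management step the article asks for: rotating the KEK re-encrypts only the small wrapped DEK, never the stored data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the only thing handed to the cloud provider. Without the
// customer-held KEK none of it is readable.
type Envelope struct {
	ObjectName string // bound into both AEAD operations as associated data
	WrappedDEK []byte // per-object DEK encrypted under the KEK (nonce || ct)
	Ciphertext []byte // object data encrypted under the DEK (nonce || ct)
}

// NewKey returns a random 256-bit AES key. A KEK made with this must be
// kept in the customer's own HSM/key manager (assumed), never with the provider.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a modified blob or a different aad
// (object name) fails authentication instead of returning garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh DEK for this object, encrypts the data with it
// and wraps the DEK under the KEK. Runs on the customer side before upload.
func Encrypt(kek []byte, objectName string, plaintext []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	aad := []byte(objectName)
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{ObjectName: objectName, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	aad := []byte(env.ObjectName)
	dek, err := open(kek, env.WrappedDEK, aad)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, aad)
}

// Rewrap rotates the KEK: only the small wrapped DEK is re-encrypted, the
// object ciphertext stays as it is, so rotation is cheap even for large data.
func Rewrap(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	aad := []byte(env.ObjectName)
	dek, err := open(oldKEK, env.WrappedDEK, aad)
	if err != nil {
		return Envelope{}, err
	}
	env.WrappedDEK, err = seal(newKEK, dek, aad)
	return env, err
}
```

Binding the object name as associated data means a stored blob cannot be silently swapped for another object's, and because AES-GCM authenticates, a tampered blob or a wrong KEK fails outright rather than yielding garbage. Provider-side "encryption at rest" where the provider also holds the key does not give you this property.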

Beware of VENDOR LOCK-IN

WHAT THIS MEANS: Cloud Service Providers can make it difficult for you to leave, for example through proprietary data formats or APIs, so that you cannot easily move to another Cloud Service Provider. What do you do?

  1. Do your DUE DILIGENCE before you get locked in
  2. While it is never easy to exit, for example, a SaaS application, verify the bare minimum: that you can export all your data, in what format, and what the provider does with its copies after you leave
  3. Check for use of OPEN STANDARDS by the Cloud Service Provider and their stated position on portability of data

Back up your data

WHAT THIS MEANS: Just because the Cloud promises resiliency does not mean your data can NEVER be lost. You cannot pass your backup responsibilities on to the Cloud Service Provider! What can you do?

  1. Back up your data either to your own datacenter or to another Cloud, and test periodically that you can actually restore from those backups

Plan for Business Continuity / Disaster Recovery (BCP/DR)

WHAT THIS MEANS: Business Continuity cannot be outsourced. You still need to plan for BCP/DR.

  1. Buy additional resiliency options from your Cloud Service Provider (for example replication across availability zones or regions)
  2. Evaluate BCP/DR options, including recovery time and recovery point objectives, just as you would for on-site IT infrastructure

Check Privacy compliance (e.g. GDPR), especially for SaaS applications

WHAT THIS MEANS: You cannot bolt Privacy requirements on later. Before you buy, check whether the Cloud application has built-in Privacy compliance features (such as data subject access, deletion and consent handling) and whether the provider will sign a data processing agreement.

Copyright © 2011-2025 Confidis Advisory Services Private Limited. All rights reserved.