By Kerry Anderson
February 14, 2017
This decade has emerged as the "decade of the cloud." While cloud has technically existed in earlier forms—application service providers and hosted solutions, for instance—for almost twenty years, the current cloud marketplace offers a wide selection of services designed to meet the requirements of organizations looking to outsource certain aspects of operations.
There are three main cloud delivery models to date: SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service). Each model offers a choice of how the cloud service will operate and the degree of control the organization will retain over security oversight.
If the myriad types of cloud solutions were not confusing enough, some cloud providers offer options with different risk profiles, such as an on-premises private cloud or a multi-tenant public cloud. With the vast number of alternatives available, deciding on the correct fit for a particular organization can be daunting, to say the least. However, a few tips can help narrow the field to a handful of potential solutions that may then be comprehensively evaluated to determine the one best suited to the organization's particular needs.
Understand the requirements and business objectives
Before exploring possible cloud providers, it is important to document the business issue the organization seeks to remedy by moving data and functionality to the cloud. Doing so prevents the selection from being unduly influenced by vendor features, or by cost as the sole factor. Understand the specific business objectives the organization wants to address through a cloud implementation to avoid becoming focused on the technology alone.
A key area of consideration is security requirements. Each provider approaches security differently and provides varying levels of security controls. The rule of thumb should be to make no assumptions when it comes to security. SaaS, PaaS, and IaaS models differ in how security management is shared between the provider and the customer. Request copies of the following information on each potential cloud offering:
• SOC 2 and other independent audit-type reports
• Copies of information security policies, documentation, and the structure of the cloud provider's security organization
• Copies of certifications, such as ISO/IEC 27001 or Statement on Standards for Attestation Engagements 16 (SSAE 16)
Inquire about your ability to perform on-site audits of facilities. If your cloud provider's delivery model requires active security management by the customer, such as performing vulnerability assessments, inquire about your ability to perform these procedures, either through a third party or with your own staff. If these assessments are permitted, ask about any constraints, such as testing windows or blackout periods, that would affect your ability to test effectively and accurately.
Access to systems and data should be discussed. Ensure that the potential provider has a defined, documented chain-of-custody plan, and that every person who has access to the system or data is thoroughly vetted and must authenticate with, at minimum, two-factor authentication. Ask about their deprovisioning plan as well: when an employee leaves or changes roles, make sure the provider is accounting for the corresponding change in permissions.
Last but certainly not least, data breach response and responsibilities must also be discussed, including incident response procedures, customer notifications, and access to any resulting forensic reports.
One of the most touted benefits of cloud computing is elasticity. However, the cost of expanding the scope of the service, and the provider's ability to do so, should be explored as part of the evaluation process. Cloud contracts should have provisions for expansion that don't end up costing an arm and a leg.
In some cases, physical location will be a factor in the selection of a provider, especially when compliance is involved. Compliance and security requirements differ (and sometimes conflict) by country, notably in EMEA, where privacy laws limit the transfer of personally identifiable information (PII) across national borders.
Latency may be a significant factor if users are geographically distant from the data center location(s). In addition, if high availability is a requirement, backup data center locations need to be separated by enough geographic distance that a single man-made or natural disaster would not affect both.
Determine whether the organization needs to comply with specific government or industry regulations. It is important to establish up front whether a provider is fully compliant with any applicable industry or regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), which requires controls around patient health data, or the Payment Card Industry (PCI) standards for credit/debit card transactions. Doing so avoids wasting time and resources on non-viable options.
Support, Training, and Maintenance
Excellence in implementation can determine whether a cloud solution is a success or a failure. Industry experts estimate that 90% of the total cost of any technology solution is in its maintenance, training, and support. Training of new hires may be essential to success. It is important to explore support options, including online chat, phone, and email customer support channels. Consider making inquiries about customer support, such as the average time to resolve open technical issues.
About the author: Kerry Anderson is a Lead Cyber Security Engineer at Plymouth Rock Assurance Companies. Ms. Anderson has more than 18 years of experience in information security and compliance across a number of industries. She has been awarded an Executive MBA (Anna Maria College), MSCIS (Bentley University), and MSIA (Norwich University). She recently completed a Certificate in Advanced Computer Security from Stanford University. Ms. Anderson has served as a speaker, panelist, and chairperson at various security conferences. Her talk, "Evaluating Cloud Solutions: Swapping the Cost of Failure for Success," will be part of the Cloud Security World program on June 14, 2916.