Will 2016 be the year security stops being a reason to avoid public clouds? Because, face it, by now established cloud vendors have likely invested more in security than you can hope to duplicate in-house. But when you’re used to pulling your own security levers, how do you let go of some of that control?
What we need is the cloud security version of a trust fall.
You may have taken part in this team-building exercise: You fall backward into the arms of a coworker while trusting that they’ll catch you before your khakis-clad behind hits the ground. It’s easier to take that plunge when your colleagues have given you reasons to trust them: They step up when you need a hand at work, they have built a solid reputation, they have your back when things go awry.
In order for you to trust security measures that are offsite and out of your control, you need to replicate these trust cues with your cloud vendor.
How? Here are three questions to start with:
1. How well can the vendor replicate my security requirements?
“In general, companies are all very used to having incredibly stringent and granular security controls,” says Ben Nelson, vice president, cloud security, at Oracle. “Since most of these controls are implemented on site and under the direction of enterprise IT, companies can impose very specific requirements.”
Look for vendors that clearly lay out their security protocols and are willing to work with you to identify and close any gap between what they do and what you need. In the end, it might just be a communication issue. “Big cloud vendors have thousands of customers with unique security requirements and over time have factored the best of those into the solution,” Nelson says. “We are probably already giving you everything you want, but it may not be articulated in the precise manner your company is used to.”
Also, look for infrastructure security that focuses on protecting your data in addition to securing the network. “Modern information security requires a layered approach that integrates security technology throughout the stack, from the silicon foundation all the way out to the application layer,” he says.
2. How clearly does the cloud vendor define shared responsibilities?
Depending on the implementation, you will likely retain responsibility for some technical and procedural areas of security. In an infrastructure-as-a-service (IaaS) deployment, for example, the vendor is typically responsible for the physical infrastructure and network virtualization, while you remain responsible for securing the operating system, applications, data, and service configuration. Make sure the division of labor is spelled out, because any control that neither party explicitly owns will end up unpatched, unmonitored, or misconfigured. “Unless both parties are clear on who does what, cloud security won’t be effective,” Nelson says. “Therefore, building a shared responsibility model is an important component of trust verification.”
Groups such as the Cloud Security Alliance provide templates for infrastructure-, platform-, and software-as-a-service models that will help you get started.
3. How transparent are the cloud vendor’s policies and processes?
Not only should vendors be able to quickly produce written descriptions that cogently outline their hosting and delivery policies, but they should also provide Service Organization Control (SOC) reports covering security and privacy. Ask for a SOC 2 Type II report in particular: unlike a Type I report, which assesses only the design of controls at a point in time, a Type II report covers whether those controls operated effectively over a review period. Read the scope, the exceptions, and the complementary user-entity controls it lists, since those tell you which obligations fall back on you rather than on the vendor.
Third-party validation is another key component of the verification conversation. It’s a good sign when vendors use outside firms to regularly audit and review their security controls, particularly against frameworks such as HIPAA and PCI DSS. “It helps to have a third party be able to validate answers to customer questions,” Nelson says. “Outside auditors should also do security assessments and technical security testing of vendor services, and all of these results should be readily available to prospective clients.”