Cloud Security

One of the most common questions I get is “What’s your take on cloud security?” Well, my answer is relatively straightforward: never assume that all’s well just because someone says it is. In other words, trust but verify. You see, with the cloud comes a lot of marketing hype, and we all know that stuff is cheaper than dirt. But more than that, lawyers, management and others outside of IT are often involved with cloud contracts and, unfortunately, they’re approaching many of the issues with their blinders on.

The general belief is that if it’s in writing then things are golden. If the cloud provider says (or guarantees) X, Y or Z in their service level agreement, then that’s all we need to be concerned with. The reality is cloud vendors are primarily focused on uptime, not your Web applications or your data. You see, the focus of cloud providers is keeping the joint running – ensuring your systems are up and your data are accessible. After all, it is written into the contract.

But think about it. What good is that watertight contract and super duty SLA when a breach occurs? Sure, it may (and I use that word loosely) give your organization some recourse for a lawsuit and some reimbursement for your troubles. But information security is not all about uptime. It’s also about proactively managing systems and software, monitoring for attacks and, perhaps most importantly, keeping sensitive data protected. Furthermore, you’re the one left holding the bag when a breach occurs. Sure, you can point fingers at failed security practices, careless SQL injection flaws and so on, but your organization’s name is the one in the headlines. That’s all that people see.

What does your SLA say about this side of the equation? Let me guess: Nothing. Savvy cloud providers are going to disclaim any such liabilities. And it’s all you from the breach point forward. That doesn’t mean you won’t have any recourse through traditional legal means by proving that negligence occurred. You just don’t want to have to go down that path if you don’t have to.

Instead, be proactive and vigilant. Ask the tough questions up front. Go beyond the all too easy claim “We have a SAS 70 Type II audit report, therefore you don’t need to worry about anything.” It goes so much deeper than that. In fact, Web applications – and their vulnerabilities – are front and center in cloud services. Ask the tough questions like:

  • Are you adhering to any cloud security practices or standards such as those available from the Cloud Security Alliance’s Cloud Controls Matrix or the new NIST Cloud Computing Synopsis and Recommendations (Special Publication 800-146)?
  • How do you perform ongoing security tests of your application environment?
  • What tools do you use to perform your testing?
  • Are you running simple vulnerability scans or are you truly digging in deep with manual analysis and perhaps source code analysis?
  • Can I see the results of your latest assessment?
  • When’s your next round of testing scheduled for?
  • Can I perform my own penetration testing of your system? (this one’s a stretch but worth a shot)

Perhaps the most important thing you need to figure out is who inside your organization is going to manage your cloud providers. You can’t just hand things over and be done with it, assuming all’s well in cloud la-la land. Get involved. Make sure everyone is thinking things through. It’s when we take things like this too lightly that we can end up getting bitten the worst.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.