Good cloud and bad cloud – Nathaniel and Orlando explore how you can tell the difference

Spring finally arrived and, ironically, the sun was shining in London at Infosecurity Europe with no clouds to be seen. The good news for us was that this didn’t deter people from joining our Chief Scientist, Nathaniel Borenstein, and Technical Evangelist, Orlando Scott-Cowley, to talk about the cloud. The session was so well received that we thought it’d be useful to summarize the content of the presentation below.

Left to right: Orlando Scott-Cowley, Nathaniel Borenstein, Paul Dryden

They started by agreeing what the cloud is and what it means for security. There’s the public cloud (fully open and accessible), which many vendors use for customers’ data; the private cloud (closed), which offers private, business-sensitive uses; and the hybrid cloud, which combines features of both. Each gives you a different level of control and security.

“There’s plenty of cloud washing going on with many vendors claiming things to be in the cloud that aren’t.”  -- Orlando Scott-Cowley

The Cloud is now accepted as being more secure than your own network.

Putting your data in the cloud does give you an opportunity for better security, as cloud vendors’ security is usually a core part of their business. They’ll have more security and cloud expertise available to them, and are strongly motivated to do a great job – developing a reputation for poor security would likely destroy them. Generally, reputable cloud vendors have the resources to keep up to date with advances in technology and are highly motivated to do a good job and continue innovating.

But it’s also fair to say that cloud providers are bigger targets for attack. So a good place to start your assessment is taking a look at the vendor’s security reputation. If they've been around for a while (Mimecast has been here for over 10 years BTW) and you haven’t found any horrifying stories, then, as Nathaniel said, they’re “…likely to be good at cloud security. Cloud vendors live or die by their security. The trick is really knowing whether or not a particular vendor is good at it”. Good cloud vendors are deeply committed to security and very open to talking about it.

So once you know you want a cloud, how do you assess a vendor – what questions do you need to ask about them?

Talk to them about security standards. ISO 27001 accreditation is important. But assessing the scope of their compliance is vital – ensure the scope of the accreditation includes the production systems that process customer data, rather than unrelated systems like internal HR or billing platforms.

The workshop also discussed the CSA STAR registry from the Cloud Security Alliance, which allows customers to see details of participating vendors’ activities and procedures, helping you to compare and evaluate how they protect your data.

Willingness to be open about security standards is an important test for vendors. If they’re happy to share this they have nothing to hide. (Of course, there are certain kinds of data that they don’t disclose because it would be a security leak to do so; passwords are just the most obvious example of this class of information.)

Where is my data?

Some customers also need to know where their data is housed and under what jurisdiction it sits.  Assess what this means for your business. If this matters to you, then the cloud vendor should be willing to discuss this with you. This is not just a matter of legal concerns. Think also about connectivity – businesses in areas with poor Internet connectivity will often be much better off accessing servers that are nearby.

Will you get the service you want if the data is located somewhere you can’t guarantee the network performance you need? What continuity plans does the vendor have in place to keep their performance guarantees? It’s always acceptable to ask questions about the service – a good vendor will say ‘yes’ to allowing you to test the reliability of their service too. (However, if they’ve already been tested by several independent auditors that you’re inclined to trust, it’s not necessary that you burden them by repeating the tests.)

What do you take to the cloud?

When you have a service or application that is commoditized, it’s well suited to benefiting from the cloud. There’s also a whole set of apps, such as data mining or analytics, that largely can’t exist outside the cloud – they’re made possible by the characteristics of processing data aggregated in the cloud. With older apps and services, hybrid systems are often a good option – ask, ‘can you get the benefits of the cloud without going fully to the cloud?’

Nathaniel then laid out a list of questions customers should get answers to from all vendors – the questions that vendors “dread being asked.”  The questions were:

  • How do you manage your cryptographic keys?
  • How do you handle change control in your software?
  • How do you handle patches to your OS and other key software?
  • How do you encrypt all client data at rest? Do you guarantee its integrity? What is my role in keeping it safe?
  • Are your development and operational platforms well separated?
  • What access do your administrators have to customer data?
  • What are BCPs on matters like testing, documentation etc?
  • How redundant is your data and how do you prevent/recover from outages?
  • Do your employees have constrained, granular roles that are easily configured?
  • How do you manage security incidents? What is logged? How long is it retained?
  • Who are your third party security auditors?
  • Do you do regular penetration testing and vulnerability scanning?
  • Are your platform and business ISO 27001 accredited? If not, why not?

By the end of the session, it was clear both that there’s a strong appetite for this kind of help in assessing cloud vendors, and that there are even more questions that belong on the list.

Watch this space for more on this as we will explore the questions in a future post.

If we’ve missed out a great question that worked for you we’d love to hear it – post the question here or email Orlando at