
After understanding that the cloud can give you advantages in scalability, elasticity and reduced cost, selecting a cloud vendor still requires a thorough security assessment before a customer hands custody of their data to the cloud provider.
A cloud information security assessment has to be done from several angles. In this post I am sharing some of the important questions to ask before signing the agreement.
The many assessment questions can be broadly grouped into these areas:
Governance and Compliance
Data Security
Incident Reporting and Handling
Business Continuity and Disaster Recovery
Vulnerability Management
Affiliates & Subcontractors Usage
Data Privacy
Application Security
Within each of the above areas, specific assessments can be done; at a high level they are subsets of these basic questions:
Is the cloud vendor following the governance and compliance policies laid down in its region?
Let's go into a little more detail in each of the areas.
Governance and Compliance
A cloud provider with a good information security policy will have a governance model and personnel accountable for it.
ISO 27001 provides a model to follow and ensures the provider's cloud information security policy covers all the necessary requirements.
SSAE 16 and SSAE 18 audit reports assess an organization's security operations controls. A top cloud provider will be able to provide these reports.
ISO 27001, ISO 27017 and ISO 27018 are the latest certification standards.
Data centers should be periodically audited to confirm that the facilities meet the standards. Reviews should happen at least yearly, and gaps should be addressed on priority.
If a cloud vendor allows independent testing, customers can have confidence in the audit reports and can specifically test the control areas they are concerned about.
KPIs help the customer understand the performance of the cloud application or infrastructure.
Risk management frameworks such as NIST and ISO outline the controls to be established in a cloud computing environment.
Data Security
Industry-standard data security architecture ensures the security of customer data.
There should be controls for data loss prevention, privacy and access control, using industry-standard encryption.
DLP tools help with data loss prevention.
Controls should be in place for third-party sub-processors and contractors.
Encrypting data at rest provides another level of control over data security.
Data transmitted over networks, especially public networks, should be encrypted as per standards.
If the customer is allowed to manage the keys, they add another level of security control and keep the keys confidential to themselves.
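As an added example that is not from this post: a minimal envelope-encryption layout in Go showing why customer-managed keys keep stored data confidential from the provider. It assumes AES-256-GCM with the nonce prefixed to each blob, and performs in-process the key-wrapping step that a real provider would delegate to the customer's KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-256-GCM from a 32-byte key; a wrong key length is a caller bug, so it panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}
// seal encrypts under key with a fresh random nonce, which is prefixed to the output.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand always fills the buffer; it panics rather than fail
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open checks the GCM tag and decrypts; a wrong key or a tampered blob yields an error.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}
// EnvelopeEncrypt returns what the provider stores: the data under a fresh per-object DEK,
// and that DEK wrapped under the customer-held KEK. The KEK itself never reaches the provider.
func EnvelopeEncrypt(kek, data []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, data), seal(kek, dek)
}
// EnvelopeDecrypt needs the KEK to unwrap the DEK; the stored pair alone cannot recover the data.
func EnvelopeDecrypt(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Because the KEK stays with the customer, revoking or rotating it is also what makes the provider's retained copies unreadable, which is the point of the key-management question above.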
There should be a practice that ensures the data of different customers does not get mixed.
The recovery time objective should be as per industry standards; if the vendor can provide a customized RTO, that is an add-on.
The vendor may have options to provide this feature.
There should be a data retention and destruction policy for the vendor's services.
A physical security policy should be in place to physically guard and monitor the location.
Controls and agreements should be in place for those who can access the data.
If employees use remote access, security controls should be implemented for remote logins.
Antivirus should be used across the organization and data centers and updated frequently.
Vendors should have a program to keep checking their systems for vulnerabilities.
Network scanning and testing is an important control for cloud vendors to follow.
Access should be provided on a need-to-know basis only.
All employees and vendors should be identifiable when they access facilities.
Data should be securely destroyed after termination of service or at end of life of the storage media.
Neutral third-party audits are another level of security control.
Identity federation should be possible with the cloud services.
Multi-factor authentication such as OTP and biometrics provides another level of security.
Incident Reporting and Handling
An incident response plan ensures proper actions are taken in case of security incidents.
The policy should be updated at regular intervals.
Not every cloud service provider may provide such notification.
Employees should have the right training to handle incident reporting.
This data can help in understanding the current state of the cloud provider. Audit reports after an attack will help to judge whether the issues were remediated.
Logs should be created for the application, firewall, database transactions, etc.
A proper process should be in place to share only the relevant data for inspection.
This depends on the cloud service provider's policy.
Business Continuity and Disaster Recovery
Cloud providers have BCP/DR plans with responsibility assigned to a head.
The plan should be regularly tested.
Recovery time objective (RTO) and recovery point objective (RPO) help in understanding the availability of cloud systems.
The BCP/DR plan should be as per industry standards.
Primary and secondary sites should ideally have the same level of controls so that they can be switched over in case of DR.
Some customers may not want their data to be stored outside their region.
Vulnerability Management
Vulnerability testing should be done as frequently as possible to check for the latest vulnerabilities.
Penetration testing, both in-house and by third parties, helps in identifying vulnerabilities.
All vendor systems should ideally be hardened: USB ports disabled, unnecessary software and accounts removed, and internet access controlled.
Generally, this is confidential data for cloud providers.
Affiliates & Subcontractors Usage
Cloud providers using subcontractors should have strict contracts with them.
Ideally, cloud providers should audit their vendors against their service agreements.
The cloud vendor's own vendors should ideally not have direct access to customers' data.
Data Privacy
Ideally, someone should be responsible for data privacy policies and their enforcement.
Cloud providers should not read customers' data except the data required for running the services.
Access should only be on a need-to-know basis. Role-based access should be implemented.
Regular training should be given to employees on data privacy and security.
Confidentiality agreements should be signed prior to employment, and misappropriation should carry an employee termination clause.
Cloud providers should provision GDPR controls.
Cloud providers may have employees globally who may be accessing customers' data. Customers should be aware whether this applies to their provider.
Someone should be responsible.
Data should ideally be classified by level of confidentiality.
Application Security
Security practices should be in place for SaaS applications.
A WAF is a security control that enhances application security.
Test, dev and prod instances should be separate, and no production data should be used for testing.
Extracts should be in standard formats so they can be imported into another SaaS if required.
SaaS should be compliant with the above.
Strict password policies should be in place.
wpsbutton is a blog on cloud computing, PaaS, SaaS and cloud security. The focus of the blog is on Oracle Fusion SaaS, Oracle Integration Cloud, VBCS, PCS, Fusion Apps Tech and E-Business Suite.
Copyright © 2021 All Rights Reserved