I’m in the middle of writing a practical guide on how you can move services to Cloud and one of the most important aspects of that is managing your risk (and so security). This is an excerpt from that guide.
What I’ve provided here is a list of the types of questions and information you can use to select your Cloud providers. It is provided at a summary level only, as each situation demands a different set of sub-questions and headings. It is aimed at the larger company, but can be used by the SMB.
A risk and assurance model is an excellent tool by which all potential Cloud service providers (CSPs) can be measured. It is recommended that each section be given a weighting. The sample is ordered by weight: the top sections are the most important, and the later sections less so.
The Risk and Assurance model is not about ruling CSPs either in or out. The model is about understanding the risk of the CSP and its service, so that the enterprise can make an informed decision about whether or not to take up its offerings.
It is also worth looking at the Cloud Code developed by the Institute of IT Professionals.
- Ensure the CSP complies with all relevant local law.
- In particular, ensure compliance with tax and privacy legislation.
- Where, physically, and within what legal jurisdiction, will the data be stored?
- Ensure that you take all necessary steps to investigate the viability of the CSP.
- In which legal jurisdiction is the CSP incorporated?
- What industry standards does the CSP adhere to?
- Consider using the Cloud Code of Conduct developed by the New Zealand Institute of IT Professionals as a de-facto standard.
- If you happen to be in Australasia, ask if the CSP is a signatory to the Cloud Code of Conduct.
- Does the CSP adhere to COBIT and ISO 27001?
- How can the enterprise extract its data from the CSP should it want to?
- This is particularly critical with a SaaS service.
- How is data secured within storage systems?
- Is data within PaaS and SaaS multi-tenanted services segregated?
- Is it possible to move your virtualised workloads in and out of the CSP at will?
Virtual Machine Security
- How is security managed in a multi-tenanted environment?
- How are VMs kept separate?
- To what level are VMs hardened at their creation?
- How is patch management completed on the VMs?
- Is penetration testing routinely carried out against the CSP, and are the results made transparent to customers?
- How are vulnerabilities managed, tracked, and secured?
- How is network security managed?
- How are DDoS attacks managed?
- Does the CSP use intrusion detection or similar?
- How does this operate?
- Does the CSP have a formal business continuity plan and process?
- How regularly is that plan exercised?
- Following a disaster, how long would it be before your services are restored?
- Does the CSP outsource or otherwise sub-contract services to other providers?
- If so, what and how?
- Are the sub-contractors held to the same standards as the CSP and are they audited?
- Are the sub-contractors in the same legal jurisdiction as the CSP?
- What standards, guidelines, or best practice are used to manage software?
- Software includes firmware, applications, middleware, databases, operating systems, and other like services.
- How are identified vulnerabilities managed?
- How is administrative access to the Cloud service managed by the CSP?
- How will the enterprise’s users connect and authenticate with the CSP?
- How many levels of authentication are available to the enterprise, i.e. single-factor, two-factor, or complex authentication?
- How are resources managed to guard against exhaustion, over-subscription, congestion, or other issues that cause performance degradation or outages?
- Can the CSP demonstrate they have a standard incident management process?
- Does the CSP utilise the data generated by incident management for problem management and continuous service improvement?
- If so, how?
- How does the CSP manage disaster recovery?
- Are environments separated (SaaS) into standardised areas such as staging, production, testing, sandboxes, development, and UAT?
- Is there a formalised operations process, including an operations manual?
Data Centre Management
- What is the process for allowing physical access to data centres?
- Do the data centres include redundant power and telecommunications?
- Do the data centres include backup power?
- Are all environmental systems implemented to industry standards, tested, and regularly maintained?
- Does the CSP utilise an asset management and/or configuration management database for all items inside the data centre, both physical and logical?
- How are staff security-vetted for any role that supports and manages the CSP?
- How many staff carry security clearances and to what level?
- Does the CSP keep a copy of the enterprise’s encryption keys?
- If yes, how are these protected?
- Does the CSP allow for processing of tokenized data (SaaS) via crypto engines on the enterprise side?
- How does the CSP manage breaches of security?
- How does the CSP manage breaches of privacy?
- How does the CSP work with law enforcement in its legal jurisdiction when warrants or requests for access to data are made?
- Does the CSP publish outage information publicly?
- What guarantees can the CSP give that their services will be retained and improved over time?
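The weighted risk and assurance model described at the top of this excerpt, worked through in code. This is an added example, not part of the original guide: the section names are taken from the checklist, but the weights, the 0 to 3 answer scale and the two providers' answers are constructed to show how a heavier-weighted section (legal and jurisdiction) can outweigh strong technical controls.

```python
from dataclasses import dataclass
from typing import Dict, List

# Answer scale per question (assumption of this example):
# 0 = no answer or no evidence, 1 = claimed only, 2 = documented, 3 = independently audited.
MAX_ANSWER = 3

@dataclass
class Section:
    name: str
    weight: int          # higher weight = more important section (constructed values)
    questions: List[str]

# Sections drawn from the checklist; question keys are shortened labels.
SECTIONS = [
    Section("Legal and jurisdiction", 5, ["local law", "data location", "standards"]),
    Section("Virtual Machine Security", 4, ["tenant separation", "hardening", "patching", "pen testing"]),
    Section("Data Centre Management", 2, ["physical access", "redundant power", "staff vetting"]),
]

def section_score(section: Section, answers: Dict[str, int]) -> float:
    """Normalised 0..1 score for one section. An unanswered question counts as 0."""
    total = sum(min(max(answers.get(q, 0), 0), MAX_ANSWER) for q in section.questions)
    return total / (MAX_ANSWER * len(section.questions))

def assess(sections: List[Section], answers: Dict[str, int]):
    """Return (overall weighted score 0..1, per-section scores)."""
    per_section = {s.name: section_score(s, answers) for s in sections}
    weight_sum = sum(s.weight for s in sections)
    overall = sum(s.weight * per_section[s.name] for s in sections) / weight_sum
    return overall, per_section

def weakest_sections(sections: List[Section], answers: Dict[str, int], threshold: float = 0.5) -> List[str]:
    """Sections below the threshold, heaviest weight first: where follow-up questions go."""
    _, per_section = assess(sections, answers)
    weak = [s for s in sections if per_section[s.name] < threshold]
    return [s.name for s in sorted(weak, key=lambda s: -s.weight)]

# Constructed answers for two hypothetical providers.
# CSP_A: solid legal answers, weaker on pen testing. CSP_B: excellent technically, vague on jurisdiction.
CSP_A = {"local law": 3, "data location": 3, "standards": 2, "tenant separation": 2, "hardening": 2,
         "patching": 3, "pen testing": 1, "physical access": 3, "redundant power": 3, "staff vetting": 2}
CSP_B = {"local law": 1, "data location": 0, "standards": 1, "tenant separation": 3, "hardening": 3,
         "patching": 3, "pen testing": 3, "physical access": 3, "redundant power": 3, "staff vetting": 3}

if __name__ == "__main__":
    for name, answers in (("CSP_A", CSP_A), ("CSP_B", CSP_B)):
        overall, per_section = assess(SECTIONS, answers)
        print(name, round(overall, 3), per_section, "follow up:", weakest_sections(SECTIONS, answers))
```

The model does not rule CSP_B out; it shows that its overall score is lower despite better VM and data centre answers, and that the legal section is where the enterprise should press for evidence before deciding.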