Eight Steps For Cloud Security

With the current break-neck pace of software and technology we can often overlook the fact that "the cloud" is really just outsourcing. The term "cloud" is simply a catch-all term for subscription-based services running on someone else's network. 

Evaluating the security of such services requires digging in and asking the provider some possibly uncomfortable questions. If you aren't currently doing this for each cloud opportunity, and thinking through how its failure will impact your firm and your clients, you are simply putting the firm at risk.

As an example, recently a Partner forwarded information about a potential cloud service that could be used to help staff by easing their manual data entry tasks. The idea behind the service was straightforward. Their cloud service would aggregate a client's transactions and allow the transactions to be bulk downloaded into our chosen software. To accomplish this, we would need to have each client enter their financial institution credentials into this cloud provider's system.

Our use of a cloud application like this would necessarily mean asking the client to participate. And, even if not actually stated, the fact that we would use it and ask the client to use it conveys to the client that we "endorse" this software in some way. That means asking the right questions before committing. If we ask our clients to participate in a cloud application, and then down the road that application is breached or found to be low quality, the client will be asking us the hard questions.

These are the questions to ask any potential cloud vendor:

1.    What is the security of the facility running the servers?
2.    Is client data encrypted? If so, what encryption method is being used?
3.    Is the cloud provider's internal system segregated from its internet-facing cloud servers?
4.    Does the provider have a security audit they can share with us?
5.    What safeguards do they employ on their web service interface and/or API?
6.    Do they back up their data regularly and perform test restores for proper disaster recovery?
7.    What general data breach and protection policies are in place?
8.    Is client data shared with any third parties?

If you can't get satisfactory answers to these questions, deciding to do business with such a provider boils down to a decision about how much risk your firm is willing to take on to gain the potential benefits the service will provide. And, if this is an app for doing client work, you will also be passing that risk on to your clients. That has to be fully understood at the Partner level.

So, what are considered "satisfactory" answers to the questions above?

1.    Facility: Many cloud startups choose AWS, Google or Microsoft for their server hosting. All three of those providers have top-notch security controls, so physical facility security should not be an issue. In case they are using a lesser-known provider you would want assurance that the facility meets industry standard security compliance specifications.
 
2.    Data Encryption: This is a tricky thing to get an answer to, because encryption can happen at many levels and be implemented in different ways. A simple answer of "yes we encrypt all client data" is just not sufficient. You need the details on what hashing and symmetric encryption algorithms are being used, and at what level. For instance, many database servers have an option to encrypt the data in their tables (encryption at rest). But in the case of a SQL injection attack, that encryption sits below the application, which reads the data back in plaintext, so it doesn't prevent the data from being accessed.
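The point about encryption level is easiest to see in code. The following is an added illustration, not code from the original article or from any provider it discusses: a lookup function that splices user input into SQL next to one that binds it as a parameter, run against a constructed in-memory SQLite table. Whether the database file on disk is encrypted makes no difference to either function, because the SQL engine hands every query plaintext rows; only the second function keeps input from changing the query.

```python
import sqlite3

# Constructed sample data standing in for a cloud provider's client table.
# Storage-level (at-rest) encryption would sit below the SQL engine; every
# query the engine runs, altered or not, still sees these plaintext rows.
SAMPLE_CLIENTS = [
    ("alice", "acct-1001", "4111-XXXX-XXXX-1111"),
    ("bob", "acct-1002", "5500-XXXX-XXXX-0004"),
]


def build_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (username TEXT, account_id TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so user input becomes SQL."""
    sql = (
        "SELECT username, account_id, card FROM clients WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds user input as a parameter, so it is only ever treated as data."""
    sql = "SELECT username, account_id, card FROM clients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for a real username and for textbook injected input."""
    conn = build_db()
    normal = "alice"
    # The classic tautology from any SQL injection primer; it is not a
    # username, so a hardened lookup must return no rows for it.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_tautology": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

When asking a provider "at what level" data is encrypted, this is the distinction to press on: disk or tablespace encryption protects against stolen storage media, while protecting the data from a flaw in the application itself depends on how the application is written.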

3.    Service Segregation: This is a critical piece of knowledge. What you are asking is whether the servers running the cloud application are connected in any way to the cloud provider's own internal company network. Do staff workstations at CloudApp, Inc. have access to the databases and servers used to store client data? If so, something as simple as a staff person at the cloud app organisation opening an infected email could impact the service and the client data stored in it. Bottom line is that there should be no integration between those two networks.

4.    Security Audit: Is the cloud provider in question being audited on a semi-regular basis to a known standard such as SOC1/2/3 or the like? If so, it would definitely go a long way to confirming their security footing.

5.    Service Safeguards: Any competent cloud provider should be able to provide a document that spells out their basic security protocols. You are looking for such things as password complexity requirements, two-factor authentication, API token granting and revocation processes and account lockout and recovery protocols. In essence, you're asking the cloud provider to explain what hoops a person or application has to jump through in order to gain access to their service. Those hoops should be high.
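Two of the safeguards named above, how passwords are stored and how failed logins are handled, can be shown concretely. The following is an added example written for this article, not any provider's code: salted PBKDF2 password hashing (Python's standard library) with a constant-time comparison, the unsalted single hash it should be contrasted with, and a lockout counter that stops guessing after a fixed number of failures. The iteration count and the lockout threshold are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed tunables for this example; a real deployment sets them against its
# own hardware and current guidance, and revisits them over time.
PBKDF2_ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 5


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string records algorithm, cost and salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """What "yes, we hash passwords" too often means: fast, unsalted, and
    identical for every user who picked the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


class AccountGuard:
    """Tracks consecutive failures per account and locks after the threshold."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def attempt_login(self, username: str, password: str, stored: str) -> str:
        if username in self.locked:
            return "locked"
        if verify_password(password, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(username)
            return "locked"
        return "denied"


def demo_lockout():
    """Five wrong guesses lock the account; the right password no longer helps."""
    stored = hash_password("correct horse battery staple")
    guard = AccountGuard()
    outcomes = [guard.attempt_login("alice", f"guess{i}", stored) for i in range(5)]
    outcomes.append(guard.attempt_login("alice", "correct horse battery staple", stored))
    return outcomes


if __name__ == "__main__":
    print(demo_lockout())
```

A provider whose answer to the hashing question names a salted, deliberately slow scheme and a per-account lockout or rate limit is describing hoops of the right height; "we use SHA-256" on its own describes the `unsalted_sha256` function above.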

6.    Data Backup: This is a no-brainer. You will want assurances that the cloud vendor takes data backups seriously. In 2017 we have already seen two notable cloud services (GitLab and Instapaper) severely impacted by lack of disaster recovery testing. As discussed earlier, being "in the cloud" just means an application or service is hosted on publicly accessible infrastructure. That in no way implies that the data is secure or backed up responsibly. That's up to the provider itself.

7.    Breach Response: Running and protecting a large cloud service is difficult. Just because a provider has been breached before doesn't mean that they are not trustworthy or competent. What you really want to know is what their response to a breach looks like. Do they have a policy in place for responsible, timely disclosure? Have they been breached in the past and it became known that they covered it up? Will they provide you documentation on their breach response strategy? The information provided in response to these questions will be very telling about the culture of the company being evaluated.

8.    Information Sharing: Is any of the data stored in the cloud application shared with "partners", vendors or other third parties? If so, they should be willing to provide documentation on who it's shared with and under what circumstances.

Not answering one of the above questions doesn't necessarily shut the door on using the service, as long as the refusal to answer makes sense. For instance, a provider might tell you they definitely hash passwords stored in their database, but for security reasons they don't want to divulge which hashing algorithm they use.

Unfortunately, you will run into many startups that refuse to give straightforward answers to these questions. It's not enough that an app works well or solves a problem. If the people running the service don't have enough experience running and protecting such a service reliably at large scale, it's up to us to identify that ahead of time before we commit the data of our firm or our clients into their hands.

CPAPracticeAdvisor

