How to Assess a Cloud Provider’s Security Posture
Cloud security has always been a concern among government IT and business leaders.
According to a recent survey by the Society of Information Technology Management, 47% of public sector IT professionals surveyed would not use the cloud for IT services involving personal data or business-critical functions. (Source: Computer Weekly).
The creation of FedRAMP has done a lot to alleviate many cloud security concerns. As we discussed in our earlier post, “Ready for the Cloud? Get an Introduction to FedRAMP”, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products. Basically, it’s a “do once, use many times” approach that can save 30-40 percent in government costs and time (by eliminating the need for redundant security assessments on an agency by agency level).
While FedRAMP documentation can help you determine whether a cloud provider meets your security requirements, you also need to look at the big picture. This involves assessing your agency’s entire IT environment, the cloud model you intend to procure, and understanding your data (how it moves, how people use it), only then should you start reviewing the security profile of your potential cloud provider.
This balancing act is a delicate one and it’s something we emphasize again and again in Cloud Computing for Govies™, our comprehensive eBook for public sector cloud deployments.
To help you assess your cloud provider’s security posture, before signing on the dotted line, here are some tips outlined in the eBook:
- Review the Fine Print. Go over the ToS and SLA until you are sure you have a firm grasp of the potential provider’s terms and conditions before you sign. Get legal and technical advice as you conduct your review.
- Assess Provider Certifications. Certifications and compliance alignment are good indicators of the maturity of a provider’s security posture. Have they achieved a FISMA rating? Have they received an authority to operate from a government agency? From a security perspective, do they have FedRAMP or DIACAP certification, SAS 70 Type II audits or are they ISO 27001 or ISO/IEC 27018:2014 certified? Look for the sort of certifications appropriate to your environment.
- Will they Allow Penetration/Audit Testing? It’s worth asking if the cloud provider will allow this. Not all will be willing, but be sure to ask. Find out if they have a clearly defined process for dealing with audits and penetration testing. Without visibility into and control of the cloud, you are often going to need to rely on third party audit organizations and testers to conduct trust and verification audits on your behalf.
- Understand Incident Response Processes and Procedures. The goal here is to ensure that if there is an issue, the response from the provider is not ad hoc.
- How is Service and Data Recovery Managed? Understand the provider’s processes to ensure continuity of operations, prevent data loss, and ensure high availability.
For more tried and true strategies for securing public cloud resources, get your copy of the Cloud Computing for Govies eBook.