Cloud Security: Ten Questions to Ask Before You Jump In

The reality is security responsibility will be shared

The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had -- and still have -- their own security issues.

Security concerns did not stop those technologies from being deployed, and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology, not a revolution that requires broad-based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we're seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.

Organizations are asking many questions and weighing the pros and cons of utilizing cloud solutions. Security, availability and management all need to be considered. As part of that process, here are 10 security-related questions organizations should consider to help them determine if a cloud deployment is right for them, and if so, which cloud model -- private, public or hybrid.

1. How does a cloud deployment change my risk profile?

A cloud computing deployment -- whether private or public -- means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk -- sometimes an increase in risk and in some cases a decrease in risk. Some cloud applications give you full transparency, advanced reporting, and integration with your existing systems; this can help lower your risk. Other cloud applications may be unable to modify their security profiles, may not fit with your existing security measures, and may therefore increase your risk. Ultimately the data and its sensitivity level will dictate what type of cloud is used, or whether a cloud model makes sense at all.

2. What do I need to do to ensure my existing security policy accommodates the cloud model?

A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Early adopters of cloud applications will have influence and can help drive the security models implemented by the cloud providers. You should not create a new security policy for the cloud, but instead extend your existing security policies to accommodate this additional platform. To modify your policies for the cloud, you need to consider the same factors you already consider: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

3. Will a cloud deployment compromise my ability to meet regulatory mandates?

Cloud deployments shift your risk profile and could affect your ability to meet various regulations. This requires evaluation of compliance requirements as they relate to the cloud deployment you are considering. Some cloud applications give you strong reporting and are tailored to meet specific regulatory requirements, while others are more generic and cannot or will not meet detailed compliance requirements. For example, if you are bound by a regulation that says your data cannot be stored outside the country, some cloud providers may not be able to accommodate this regulation based on data center locations.

4. Are the cloud providers using any security standards or best practices (SAML, WS-Trust, ISO or otherwise)?

Standards play a very important role in cloud computing as interoperability among services will be critical to ensure the cloud does not go down the path of proprietary security silos. A number of organizations have been created and extended to support cloud initiatives. The wiki lists most of the standards organizations involved in the cloud, including those associated with security.

5. What happens if a breach occurs? How are incidents handled?

As you plan for security in the cloud you need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider and must be handled on an individual basis. The cloud provider (as a service provider), and you as a company, most likely have breach notification policies or regulations you must meet. You must ensure that a cloud provider can support your notification requirements should the need arise.

6. Who is liable or will be viewed as the responsible entity for securing my data?

The reality is security responsibility will be shared. However, in the court of public perception -- at least today -- it's the company collecting the data, not the cloud provider, who is viewed as ultimately responsible for information security. In well-negotiated contracts you may be able to limit your responsibility and your liability for data loss so that it is shared with the cloud provider, but from your customers' perspective, you may still be viewed as responsible.

7. How do I ensure only appropriate data is moved into the cloud?

Understanding what data is sensitive and building an appropriate security model based on data and applications is critical to understanding what data could be moved to the cloud. This process should begin long before ever considering a cloud deployment as it is a critical part of good security practices. Many companies use data leakage protection technology to classify and tag data.

8. How do I ensure only authorized employees, partners and customers can access data and applications?

Identity and access management is an existing security challenge that is amplified by cloud deployments. Technical capabilities such as federation, securing virtualized systems, and provisioning all play a role in cloud security, as they play a role in today's IT platforms. Extending and supplementing your existing environments to support the cloud can help solve this challenge.

9. How are my data and applications hosted, and what security technologies are in place?

Cloud providers should provide this information as it can directly affect an organization's ability to comply with certain regulations. Transparency is critical and necessary for you to make informed decisions.

10. What are the factors that tell me I can trust this provider?

A number of factors come into play when evaluating the level of trust to assign to a provider. They include many of the same dynamics you consider for any outsourced project, such as: the maturity of the service and the provider; the type of contracts, SLAs, vulnerability procedures, and security policies; their track record; and their forward-looking strategy, to name a few.

Moving to a new computing platform is not something to jump into without careful consideration. The answers to these questions are complex and often lead to more questions. We've merely scratched the surface at a high level on some of the security questions to think about when considering a cloud platform.

However, enterprises should also understand they have the power to drive the security technologies used in the cloud -- whether it's a private, public or hybrid cloud. Understanding that cloud consumers can, should, and are expected to take responsibility for security measures can lead to the cloud being a secure platform that delivers cost savings and improved productivity.

Tim Brown is a distinguished engineer and chief security architect for the Security and Compliance business unit at CA, Inc. He has worked with many companies and government agencies to implement sound and practical security policies and solutions. Recently he provided expert testimony at the Cyber Security R&D hearing before the (U.S.) House Committee on Science and Technology, Subcommittee on Research and Science Education. Prior to joining CA, Tim spent 12 years at Symantec. He is an avid inventor with 14 patents on file in the security field.
