Learn to ask the right questions on cloud security before it's too late

Many potential customers are finding it hard to evaluate the security profiles of potential providers and should take a broader view of their objectives and standards

The hard sell around cloud computing is in full swing, but many potential customers are finding it hard to evaluate the security profiles of potential providers and should take a broader view of their objectives and standards, an expert in the auditing of IT security infrastructures has warned.

"We make the assumption, often incorrectly, that things are being done correctly," says Brahman Thiyagalingham, manager of ICT risk and assurance with standards compliance firm SAI Global. "But the term 'cloud' means a lot of different things to different people. As an audit body, we've found there's a communications break between suppliers who struggle to sell their cloud services, and their customers. Customers are scared to put their stuff into the cloud, and don't know the sorts of questions they should be asking."

Brahman was recently joined by Alastair MacGibbon – a former AFP agent who's now director for the Centre for Internet Safety at the University of Canberra and managing partner of consultancy the Surete Group – to reach out to Melbourne customers keen to tap into the cloud to improve service reliability and security.

Their advice to customers was to become familiar with global process standards such as ISO 27001 ISMS (Information Security Management Standard) and ISO 20000, for IT service management. These and similar guidelines are not only prescriptive but auditable – helping customers evaluate the capabilities of potential cloud providers based on well-understood metrics.

Yet even with these standards in hand, many businesses are still asking the wrong questions when it comes to the security of their data in the cloud. It's important, MacGibbon warns, to get clear answers to questions such as: where will my data be kept? Who has access to my data? In what countries will my data sit? Is it encrypted? What type of backups does the provider keep? Is it in more than one location? How well-trained are the provider's staff?

Even obvious things – like at what point the cloud provider will contact the customer, if at all, in the event of a problem – need to be clarified as providers may have a threshold for notification that doesn't necessarily gel with the governance requirements of the customer and the industry in which it operates.

"There's a general assumption that a service will be provided to a certain standard online because we've lived so long offline that we have developed certain expectations," says MacGibbon. "But many large businesses still don't know what questions to ask. They put their data into other people's hands and assume they're doing the right thing, and they assume that they're as well off in the cloud as with data resting in server racks within the business. However, I don't know if that's a fair assumption to make."

Another potentially problematic assumption is one that Thiyagalingham said he has uncovered in many organisations he audits: the failure to revisit plans as technologies and working patterns change. One company, for example, had developed a comprehensive security policy six years ago but neglected to revise it to consider the new security posture of mobile devices.

The need for strong cloud security is greater not only because of the different structure of the model, but because "the threat environment has changed extremely dramatically in a very short period," MacGibbon continued, citing the rise in criminal data-farming operations since the early part of the last decade. In June, for example, Kaspersky Lab researchers identified a new TDSS 'super-malware' rootkit that was working to build a 4.5 million-strong botnet.

Since wholesale theft of customer information stored in the cloud could be devastating for any company – just look at the fiasco in which First State Super has found itself – MacGibbon recommends customers take "almost a product liability or product-safety standards approach" to cloud security and, similarly, be prepared to vote with their feet if they feel their current cloud provider simply isn't living up to expectations. While most cloud providers are well-meaning when it comes to security, the proof is ultimately in the pudding.

"If they were buying a car," he explains, "they'd have a reasonable expectation that the bits of the vehicle are going to perform in certain ways based on standards and engineering. But I don't think these standards have been applied consistently online, and while you'd like to see end users voting with their feet, many don't really know when to vote and what over. They won't know about whether there's a disaster recovery plan until their data is breached, and then it's gone."


Stories by David Braue