In general, securing data in public cloud computing is similar to securing data on a local network. Authentication, encryption and identity and access management are security concerns in both scenarios, for example. There are, however, a few different steps to take ensure public cloud security. In this tip, I’ll cover traditional and new security best practices companies should consider when preparing a cloud migration.
As with any application effort, the very first step you should take is to question the need for each piece of data being stored within the application. The most secure data is the data you don’t store. While there are tradeoffs to be made between reducing your security footprint and ensuring you have data around for future use, it’s better to make a conscious decision about those tradeoffs rather than to just accept all data. Pare down the data being sent to and from the cloud app, and work to reduce the overall footprint of data stored within the application.
When negotiating and working with your cloud provider, review and/or establish strong service-level agreements (SLAs) and other control mechanisms. Not all default SLAs are written to benefit the customer, and the responsibility for due diligence is yours in the contracting phase. Make sure the cloud application vendor has IDS/IPS (intrusion detection and intrusion prevention systems) and other security-related tools in place. The SLA should stipulate how often the vendor is reviewing data from those tools, and which metrics will be provided to show an acceptable response time to incidents detected by the tools. Ensure that the vendor’s notification policy supports -- not supplants -- your own notification policy and allows you sufficient time to comply with government or industry regulation.
The fact that cloud applications are under attack is not new. What is new are the ways in which cloud applications will be attacked. A key step in developing your cloud plan is to include attack stories and responses. By modeling various potential attacks, you can begin to develop a security plan which incorporates the appropriate controls (whether owned and monitored by the cloud provider or by your organization itself).
Tailor your security controls to the attack stories you have modeled, which will allow you time to focus on detecting, preventing and mitigating real-world threats, rather than wallowing in the world of “coulds” and “mights”. True, it is difficult to enumerate all the ways an application might be attacked. Bringing in an independent consulting firm with significant security experience can help you think outside of the box and have a higher chance of developing realistic attack stories. Once you have modeled attack stories, you can develop and implement (or ensure your cloud vendor has implemented) the necessary controls to prevent or contain such attacks.
If the application you are moving to the cloud is used to process or store data from other customers (for instance, if you are Business Associate to a HIPAA Covered Entity) you absolutely must consult with your client prior to moving their data to the cloud. This consultation is important because it reduces surprise, but also because some customers may find themselves in a situation where regulation prevents or restricts the use of cloud technologies.
Finally, consider some nitty-gritty details, as well. Most cloud vendors are OK with customers performing penetration and other security-related testing on cloud solutions, provided the testing can be performed in such a way as to not threaten the confidentiality, integrity or availability of other customers’ cloud solutions. Ensure you have clear agreement with your cloud vendor on when and how you can perform your testing.
More resources on public cloud security
Once your contract is negotiated and your application (and data) is deployed, you should implement a second phase of the project where you return to the environment to validate how effective your security tools are at detecting attacks outline in the planning phase. This is important in any setting, but even more so when your application is running in a public space. Don’t just focus on preventative controls, either – test how well detection and mitigation controls address your identified potential threats, too.
In the end, making the transition to the cloud often can provide your company with a great competitive edge. The good news: With up-front planning and careful negotiating, public cloud security can be done.
This was first published in June 2012