Cloud Security Checklist

Cloud computing is well on track to increase from $67B in 2015 to $162B in 2020, which is a compound annual growth rate of 19%. Cloud platforms are enabling new, complex global business models and are giving small & medium businesses access to best-of-breed, scalable business solutions and infrastructure.

Moving to the cloud presents its own security challenges, all of which should be considered before signing up to a new service. A cloud service provider should be able to demonstrate that their service offers you an acceptable level of security. The key thing to remember is that it’s not a cloud, it’s someone else’s computer, so what you need is a handy cloud security checklist, like the one below:

Service Maturity and Capabilities

  • Look for evidence of industry maturity, including a capability to provide proofs of concept and customer references
  • Evidence of a scalable service that meets user requirements
  • Defined procedural model for IT processes such as ITIL, COBIT etc.
  • A recognised information security management system such as ISO 27001
  • An organisational structure for information security led by senior management
  • Service terms which provide for confidentiality and data protection requirements
  • Acceptable service availability and scheduled downtime/outages
  • Evidence of effective, responsive customer support
  • Service level agreements that provide acceptable compensation/credits for unscheduled outages or service interruptions

Security Lifecycle

  • Controls in place to protect the lifecycle of customer information from creation through to deletion
  • Your information in digital and physical formats is securely isolated
  • Back-ups are encrypted and are in a format that meets your requirements
  • Back-ups are tested for restoration capabilities
  • Data retention schedules ensure information is sanitised/deleted when no longer required
  • Disposal/sanitisation procedures are auditable and where applicable disposal certificates are provided

Personnel Security

  • Appropriate screening and vetting procedures for internal personnel
  • Personnel are required to undertake mandatory information security awareness training
  • Processes in place to ensure personnel return assets when they leave or change role
  • Information security violations are subject to disciplinary action under the disciplinary process

Data Centre Physical Security

  • Key components such as utilities, air-conditioning and internet connection are designed to be redundant
  • Physical and environmental security controls in place (e.g. fire suppression, access control systems, CCTV systems, movement sensors, security personnel, alarm systems)

Application and Platform Security

  • Secure system engineering principles are followed within their Software Development Lifecycle (SDLC) processes
  • Host configuration is hardened against vulnerabilities e.g. deploying hardened operating systems, disabling unnecessary services based on secure build images
  • Monitoring and management technologies implemented for all systems
  • Multi-tenancy mechanisms operated to separate your applications from other customers
  • Web applications compliant with security standards e.g. OWASP
  • Change management process in place to ensure deployment of validated application patches and updates
  • Segregated development environment to test application patches and updates

Access Control

  • Two-factor authentication is available for all users and administrators
  • Role-based access control and least privilege models
  • Supplier’s user access is reviewed/revoked when personnel change role or leave the supplier’s employment

Network Security

  • Network connectivity is adequate in terms of availability, traffic throughput, delays and packet loss
  • Gateway security measures in place against malware attacks
  • Security measures operated against network-based attacks e.g. IPS/IDS systems, firewall
  • Multi-tenancy mechanisms operated to separate your network traffic from other customers
  • Secure configuration of all components in the cloud architecture
  • Remote administration operated via a secure communication channel e.g. SSH, TLS, IPSec, VPN

Encryption Security

  • Communications use secure encryption protocols e.g. TLS
  • Encryption controls are operated for customer information at rest
  • Encryption keys are adequately protected from unauthorised access

Technical Vulnerability Management

  • Notifications about scheduled vulnerability testing that may impact services
  • Routine penetration tests on cloud service infrastructure, including supporting third party subcontractors
  • Regular independent information security reviews are performed on organisation/infrastructure (including any supporting third party subcontractors)

Incident Management

  • 24/7 monitoring of the cloud services and prompt response to suspected and known security incidents
  • Monitoring and logging of system activity including system operational status and user events
  • Process in place to notify you about security incidents that impact your service or information
  • Internal or external forensic capability to support incidents

Business Continuity and Disaster Recovery

  • Demonstrable business continuity/disaster recovery processes and plans
  • Regular BC/DR tests to ensure your information and service can be adequately restored

Portability and Interoperability

  • Supplier agrees to provide your information in an agreed format when the service arrangement terminates
  • Supplier provides standardised or open interfaces to exchange information between applications

Compliance and Transparency

  • Supplier and any subcontractors are compliant with data protection legislation in applicable jurisdictions
  • You retain legal ownership of information processed by the service provider
  • You have the right to audit and/or monitor that information processing is lawful
  • Details are available of all locations where customer information will be processed
  • Details of subcontractors involved in the delivery are available
  • Transparency as to which software will be installed on your systems and the security requirements/risks resulting from this
  • Transparency on governmental intervention or viewing rights, and on any legally definable third-party rights to view information