Cloud computing is well on track to increase from $67B in 2015 to $162B in 2020, a compound annual growth rate of 19%. Cloud platforms are enabling new, complex global business models and are giving small & medium businesses access to best-of-breed, scalable business solutions and infrastructure.
Moving to the cloud presents its own security challenges, all of which should be considered before signing up to a new service. A cloud service provider should be able to demonstrate that their service offers you an acceptable level of security. The key thing to remember is that it's not a cloud, it's someone else's computer, so what you need is a handy cloud security checklist, like the one below:
Service Maturity and Capabilities
- Look for evidence of industry maturity, including a capability to provide proofs of concept and customer references
- Evidence of a scalable service that meets user requirements
- Defined procedural model for IT processes, such as ITIL or COBIT
- A recognised information security management system such as ISO 27001
- An organisational structure for information security led by senior management
- Service terms which provide for confidentiality and data protection requirements
- Acceptable service availability and scheduled downtime/outages
- Evidence of effective, responsive customer support
- Service level agreements that provide acceptable compensation/credits for unscheduled outages or service interruptions
Security Lifecycle
- Controls in place to protect the lifecycle of customer information from creation through to deletion
- Your information in digital and physical formats is securely isolated
- Back-ups are encrypted and stored in a format that meets your requirements
- Back-ups are tested for restoration capabilities
- Data retention schedules ensure information is sanitised/deleted when no longer required
- Disposal/sanitisation procedures are auditable and, where applicable, disposal certificates are provided
Personnel Security
- Appropriate screening and vetting procedures for internal personnel
- Personnel are required to undertake mandatory information security awareness training
- Processes in place to ensure personnel return assets when they leave or change role
- Information security violations are subject to the supplier's disciplinary process
Data Centre Physical Security
- Key components such as utilities, air-conditioning and internet connectivity are designed to be redundant
- Physical and environmental security controls are in place, such as fire suppression, access control systems, CCTV, movement sensors, security personnel and alarm systems
Application and Platform Security
- Secure system engineering principles are followed within their Software Development Lifecycle (SDLC) processes
- Host configuration is hardened against vulnerabilities, e.g. deploying hardened operating systems from secure build images with unnecessary services disabled
- Monitoring and management technologies implemented for all systems
- Multi-tenancy mechanisms operated to separate your applications from other customers
- Web applications comply with recognised security guidance, e.g. OWASP
- Change management process in place to ensure deployment of validated application patches and updates
- Segregated development environment to test application patches and updates
Access Control
- Two-factor authentication is available for all users and administrators
- Role-based access control and least privilege models
- Supplier's user access is reviewed and revoked when personnel change role or leave the supplier's employment
Network Security
- Network connectivity is adequate in terms of availability, traffic throughput, latency and packet loss
- Gateway security measures in place against malware attacks
- Security measures operated against network-based attacks, e.g. IDS/IPS and firewalls
- Multi-tenancy mechanisms operated to separate your network traffic from other customers
- Secure configuration of all components in the cloud architecture
- Remote administration operated via a secure communication channel, e.g. SSH, TLS, IPsec or VPN
Encryption Security
- Communications use secure encryption protocols, e.g. TLS
- Encryption controls are operated for customer information at rest
- Encryption keys are adequately protected from unauthorised access
Technical Vulnerability Management
- Advance notification of scheduled vulnerability testing that may impact services
- Routine penetration tests on cloud service infrastructure, including supporting third party subcontractors
- Regular independent information security reviews are performed on organisation/infrastructure (including any supporting third party subcontractors)
Incident Management
- 24/7 monitoring of the cloud services and prompt response to suspected and known security incidents
- Monitoring and logging of system activity including system operational status and user events
- Process in place to notify you about security incidents that impact your service or information
- Internal or external forensic capability to support incidents
Business Continuity and Disaster Recovery
- Demonstrable business continuity/disaster recovery processes and plans
- Regular BC/DR tests to ensure your information and service can be adequately restored
Portability and Interoperability
- Supplier agrees to provide your information in an agreed format when the service arrangement terminates
- Supplier provides standardised or open interfaces for exchanging information between applications
Compliance and Transparency
- Supplier and any subcontractors are compliant with data protection legislation in applicable jurisdictions
- You retain legal ownership of information processed by the service provider
- You have the right to audit and/or monitor that information processing is lawful
- Details are available of all locations where customer information will be processed
- Details of subcontractors involved in the delivery are available
- Transparency as to which software will be installed on your systems and the security requirements and risks resulting from this
- Transparency about governmental intervention or access rights, and about any other legally defined third-party rights to view your information