6 cloud security questions CIOs should ask a service provider

By Khoo Boo Leong 18-Jul-2012

Amit Sinha Roy, Tata Communications
Security invariably heads the list of concerns that any CIO outsourcing IT to a cloud service provider would have. Questions have to be raised on the reliability of the service provider's infrastructure and on how access to the infrastructure, as well as to data, applications and other assets placed outside the company's premises, is secured.

For Tata Communications, the critical factors extend beyond securing the cloud environment to transforming the customer's value chain. "It's about generating real [business] value, consolidating and leveraging resources, shortening time to market, having a system that automates upgrades and patches, innovating and so on," said Amit Sinha Roy, the company's vice president of Marketing & Strategy for Global Enterprise Solutions, at the recent CommunicAsia show in Singapore. "These are some areas that companies adopting the cloud should be mindful of."

From the perspective of a service provider that has served many enterprise customers in the region, Roy suggests six questions that enterprises should ask to better understand the key differences in vendor security.

1. How does the service provider safeguard its IaaS service?

"[Virtualization] provides service providers like us the visibility into what's happening [in the environment] so we can leverage hardware more efficiently and gain better control of the infrastructure," said Roy. "Trained network and security professionals must proactively monitor [the logs and traffic] 24 by 7 and implement carrier-class mitigation solutions to prevent any distributed denial of service (DDoS) attacks."

Ultimately, access to the compute infrastructure is really about the network. So, the service provider must ensure traffic from different customers is segregated with virtual LANs (VLANs). They must protect the network and provide secure network access with industry-leading Evaluation Assurance Level 4-certified firewalls.

"Beyond these fundamental [measures], there should be [the ability] to do penetration testing to see if it has any weaknesses. Are they using industry-standard platforms with security built-in? Are there any vulnerabilities in the system? Are the firewalls business-grade and can they be managed? The logs tell us a story over a period of time, such as someone trying to repeatedly hack into the system. It's about proactive monitoring."

Nonetheless, compared to a service provider environment, an organization may have more endpoints and many OS environments that create a greater attack surface and higher chances of data loss or misuse. In addition, with hardened facilities and restricted access to data centers, the service provider's infrastructure is not as directly accessible as a server room in a traditional enterprise.

2. Has the service provider mitigated the chief risk of malicious insiders through strict hiring standards and practices that restrict access to the IaaS service management platform and to the virtual machines?

The problem of a disgruntled employee of the cloud service provider intentionally breaking into the system to steal information is real. So, ask questions about the service provider's organizational culture and employees.

Determine how long the provider has been in business, how professionally it is run and how good its track record is. For instance, they should isolate hosting equipment and employee access by physically segregating equipment within locked cage areas and controlling access to operating systems, applications or data on virtual machines. The data center facilities should be under 24x7 closed-circuit video camera surveillance, and protected by guards and security alarms.

3. Does the service provider allow you to restrict access to IaaS resources through self-managed governance and access controls?

The governance and access control include physical security. "The management console is where customers can take control of systems and data," said Roy. "There are certain recommendations and industry best practices to make sure that, from the vendor, the OS is completely hardened, the patches are bridged and any unnecessary services are turned off."

"There are best practices for Linux and Windows. There are IS security and web server practices, avoiding the use of SMTP to secure connections, detecting virus and malware, configuring databases and protecting data through backup."

Securing data, applications and operations is a great challenge, particularly for an in-house infrastructure team that has to manage a heterogeneous environment. "That means one needs very technically adept, experienced staff who may have to monitor 24/7 in some cases, and to safeguard all of these areas," Roy added. "A service provider does this as part of the business. A [typical] company or business is unlikely to do all of these."

4. Are the virtual machines and data sufficiently isolated from other customers' virtual machines and data via sound platform configuration and management practices employed by the service provider?

In ensuring virtual machines and data are sufficiently isolated, there could be issues in the infrastructure where the service provider fails to provide rock-solid partitions between the various hypervisors. Issues could include the lack of cloud platform hypervisor configuration and hardening in accordance with industry best practices.





