6 cloud security questions CIOs should ask a service provider
By Khoo Boo Leong 18-Jul-2012
For Tata Communications, the critical factors extend beyond securing the cloud environment to transforming the customer's value chain. "It's about generating real [business] value, consolidating and leveraging resources, shortening time to market, having a system that automates upgrades and patches, innovating and so on," said Amit Sinha Roy, the company's vice president of Marketing & Strategy for Global Enterprise Solutions, at the recent CommunicAsia show in Singapore. "These are some areas that companies adopting the cloud should be mindful of."
From the perspective of a service provider that has served many enterprise customers in the region, Roy suggests six questions that enterprises should ask to better understand the key differences in vendor security.
1. How does the service provider safeguard its IaaS service?
Ultimately, access to the compute infrastructure is really about the network. So the service provider must ensure that traffic from different customers is segregated with virtual LANs (VLANs), and must protect the network and provide secure network access with business-grade firewalls certified to Common Criteria Evaluation Assurance Level 4 (EAL4). Note that an EAL4 certificate attests to how the product was evaluated, not to how the provider has configured and operated it, so the questions below about management, logging and testing still apply.
"Beyond these fundamental [measures], there should be [the ability] to do penetration testing to see if it has any weaknesses. Are they using industry-standard platforms with security built-in? Are there any vulnerabilities in the system? Are the firewalls business-grade and can they be managed? The logs tell us a story over a period of time, such as someone trying to repeatedly hack into the system. It's about proactive monitoring."
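The "logs tell us a story over time" point above can be made concrete. The following is an added example (not code from the article or from Tata Communications): a minimal sliding-window detector that reads syslog-style sshd lines and flags any source address that accumulates repeated failed logins within a short window. The log format, the threshold of five failures, the 60-second window, and the sample lines themselves are constructed assumptions for illustration.

```python
"""Added example: sliding-window detection of repeated login failures.
Not from the article; the log format, threshold, window and sample
data below are all constructed assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like sshd format (not real data).
# 203.0.113.7 hammers the host within 20 seconds; 198.51.100.5 fails
# twice, 15 minutes apart, which a short window should not flag.
SAMPLE_LOG = """\
2012-07-18T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51012
2012-07-18T09:00:04 sshd[101]: Failed password for admin from 203.0.113.7 port 51013
2012-07-18T09:00:09 sshd[101]: Failed password for root from 203.0.113.7 port 51014
2012-07-18T09:00:11 sshd[102]: Accepted publickey for deploy from 198.51.100.5 port 40001
2012-07-18T09:00:15 sshd[101]: Failed password for admin from 203.0.113.7 port 51015
2012-07-18T09:00:20 sshd[101]: Failed password for admin from 203.0.113.7 port 51016
2012-07-18T09:30:00 sshd[103]: Failed password for ops from 198.51.100.5 port 40002
2012-07-18T09:45:00 sshd[103]: Failed password for ops from 198.51.100.5 port 40003
"""

# Matches only failed-password lines; everything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: time_of_first_alert} for every source that
    reaches `threshold` failures inside any sliding window of
    `window_seconds`. Lines are assumed to be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source_ip -> timestamps inside the window
    alerts = {}
    for ts, _user, src in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} repeated login failures from {src}")
```

The point for a CIO's checklist is that the provider must both retain these logs and run something like this over them continuously; a raw log archive with nobody watching it does not count as proactive monitoring. Loosening the parameters (for example, two failures in an hour) also surfaces the slow attempt from 198.51.100.5, which is the kind of low-and-slow pattern that only shows up when the window is long enough.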
By contrast, compared to a service provider environment, an in-house organization may have more endpoints and more operating system environments, which create a greater attack surface and a higher chance of data loss or misuse. In addition, with hardened facilities and restricted access to data centers, the service provider's infrastructure is not as directly accessible as a server room in a traditional enterprise.
2. Has the service provider mitigated the chief risk of malicious insiders through strict hiring standards and practices that restrict access to the IaaS service management platform and to the virtual machines?
Determine how long the provider has been in business, how professionally it is run and how good its track record is. For instance, the provider should isolate hosting equipment and employee access by physically segregating equipment within locked cage areas and by controlling access to the operating systems, applications and data on virtual machines. The data center facilities should be under 24x7 closed-circuit video surveillance and protected by guards and security alarms.
3. Does the service provider allow you to restrict access to IaaS resources through self-managed governance and access controls?
"There are best practices for Linux and Windows. There are IS security and web server practices, avoiding the use of SMTP to secure connections, detecting viruses and malware, configuring databases and protecting data through backup."
Securing data, applications and operations is a great challenge, particularly for an in-house infrastructure team that has to manage a heterogeneous environment. "That means one needs very technically adept, experienced staff who may have to monitor 24/7 in some cases, and to safeguard all of these areas," Roy added. "A service provider does this as part of the business. A [typical] company or business is unlikely to do all of these."