In an InformationWeek Cloud Security and Risk Survey, 27% of respondents say they have no plans to use public cloud services. Of those respondents, 48% say their primary reason for not doing so is due to security concerns such as leaks of customer and proprietary data. What about those who have adopted, plan to adopt, or are considering cloud services? They’re worried, too. Security concerns easily beat other significant concerns, including cloud performance, vendor lock-in, and the ability to recover data if a customer ends the service or a provider goes out of business.
When asked why they adopt cloud computing services, the top response was lower capital costs. So despite security concerns, companies are moving to the cloud for business reasons. In an ideal world, companies would carefully inspect any public cloud provider they intend to use, but that doesn’t seem to be the case in the real world. Asked to compare a cloud provider’s security controls with their own in-house security, 20% say the provider has superior controls, and another 20% say the provider’s controls are on par with their own. However, 31% say they have no idea, because they haven’t examined the controls in depth: they’re going on blind faith.
Companies considering a cloud service should take advantage of the material that most providers make available to potential customers. The most common is a report under Statement on Standards for Attestation Engagements 16 (SSAE 16), the auditing standard that replaced the well-known SAS 70 (and has itself since been superseded by SSAE 18). In an SSAE 16 report, the provider describes its security and technology controls, a third-party auditor examines them, and the provider’s management attests that the controls are in place. This is valuable information for a potential customer assessing a provider, with two caveats. First, a Type I report only describes the controls as designed at a point in time; a Type II report also tests whether they operated effectively over a period, typically six to twelve months, and is the one to ask for. Second, SSAE 16 doesn’t lay out an ideal security environment for a cloud provider; it only describes the controls the provider chooses to live by, so each provider’s report will likely contain a different system description. Strictly speaking, SSAE 16 governs SOC 1 reports on controls relevant to a customer’s financial reporting. The five Trust Services Principles (security, availability, processing integrity, confidentiality, and privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of) are the basis of SOC 2 and SOC 3 reports, which are the ones that actually speak to security. In either case the cloud service provider determines which and how many of the five principles are reported on, so your review of a provider’s attestation documents should account for what the provider might be leaving out.
The Cloud Security Alliance (CSA) is a relatively new organization focused exclusively on cloud security. The CSA has published a set of best practices for cloud providers in areas such as encryption and application security. It has also created the Security, Trust & Assurance Registry (STAR), a free, public registry that documents the security controls of various cloud computing products. So far only a handful of providers have registered with the CSA, but they include big names like Amazon Web Services, Microsoft Azure, and Terremark. STAR accepts assessment reports that document compliance with CSA best practices, and it is open to all cloud providers, letting them submit a self-assessment (the CSA’s Consensus Assessments Initiative Questionnaire) answering more than 140 questions about their security controls. A self-assessment is the provider’s own claim rather than an audited one, so treat a STAR entry as a list of questions to put to the provider, not as verification.
A technical audit verifies a provider’s security controls using tools such as vulnerability assessments and reviews of logs and other records. A technical audit is perhaps the best option for assessing a provider’s controls, but most providers won’t give you the kind of access required for a comprehensive one, partly for security reasons and partly because it disrupts their operations. However, they may conduct their own technical audit or hire a third party to do so, and then share the results with customers. If they do, ask for the scope and date of the audit and the remediation status of its findings; a summary letter without those says little.
Customers often want to run vulnerability scans or penetration tests against a provider or potential provider. Most providers require written authorization before any scanning or testing of their infrastructure, and many prohibit it outright for shared components, so check the provider’s acceptable-use policy and testing procedure before you start. The value of a vulnerability scan or penetration test depends on the cloud provider, the type of cloud service you’re consuming (with IaaS you can scan the systems you control; with SaaS you can usually only test the application’s exposed surface), and the type of scan you’re conducting. A traditional vulnerability scan targets low-level infrastructure and operating systems: it looks for unpatched software holes in the OS that malicious software can exploit, as well as for insecure configurations.
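To make the two points above concrete, here is an added example (not code from the article or from any scanner product) of the kind of check an authenticated vulnerability scan performs for insecure configurations, gated so that it refuses any target outside the ranges you are authorized to test. The authorized address ranges, the rule set, the daemon defaults it assumes and the sample sshd_config are all constructed for illustration.

```python
"""Scope-gated configuration check of the kind an authenticated vulnerability
scan performs for "insecure configurations". Added example, not from the article
or from any scanner product; the authorized ranges, the rule set and the sample
sshd_config are all constructed for illustration."""
import ipaddress

# Constructed: address ranges the customer owns or holds written authorization to scan.
AUTHORIZED_SCOPE = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "203.0.113.0/24")]

# Constructed rule set: directive -> (values that count as insecure, finding text).
SSHD_RULES = {
    "permitrootlogin": ({"yes"}, "root login over SSH permitted"),
    "passwordauthentication": ({"yes"}, "password authentication enabled (brute-force exposure)"),
    "protocol": ({"1", "1,2", "2,1"}, "SSH protocol 1 enabled"),
    "permitemptypasswords": ({"yes"}, "empty passwords permitted"),
}

# What sshd assumes when a directive is absent (OpenSSH defaults); a scanner must
# evaluate defaults, not just explicit lines, or it misses a common misconfiguration.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "protocol": "2", "permitemptypasswords": "no"}

# Constructed sample: sshd_config as it might appear on a hypothetical cloud VM image.
SAMPLE_SSHD_CONFIG = """
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no     <- commented out, so the default (yes) applies
PermitEmptyPasswords no
"""


def in_scope(target):
    """True only if the target address lies inside an authorized range."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in AUTHORIZED_SCOPE)


def parse_sshd_config(text):
    """Return {directive: value} with comments stripped and keys lower-cased.
    sshd honours the first occurrence of a directive, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip().lower())
    return settings


def audit_sshd(settings):
    """Apply the rule set, falling back to the daemon default for absent directives."""
    findings = []
    for key, (insecure_values, message) in SSHD_RULES.items():
        value = settings.get(key, SSHD_DEFAULTS.get(key))
        if value in insecure_values:
            findings.append(message)
    return findings


def scan(target, config_text):
    """Refuse out-of-scope targets before touching them, then audit the configuration.
    Returns (status, findings)."""
    if not in_scope(target):
        return ("out-of-scope", [])
    return ("scanned", audit_sshd(parse_sshd_config(config_text)))


if __name__ == "__main__":
    for host in ("10.20.3.4", "198.51.100.7"):
        status, findings = scan(host, SAMPLE_SSHD_CONFIG)
        print(host, status, findings)
```

The scope check runs before anything else because, on a shared platform, a scanner pointed at the wrong address is testing another tenant or the provider itself. The defaults table is the part most home-grown checks get wrong: the sample config never mentions PasswordAuthentication, yet password logins are enabled, and a check that only reads explicit lines reports nothing.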
A penetration test is a more aggressive way of evaluating security controls. Rather than just detecting a vulnerability, a penetration test may also exploit it to gain access to a system. A test will likely try multiple routes into systems and resources: probing for gaps in a provider’s firewall rules, running password-cracking software against captured credentials, and using social engineering to trick a provider’s employees into installing a software package or revealing sensitive information that can be used to gain access. Each of these techniques must be explicitly agreed in the rules of engagement; social engineering of a provider’s staff in particular is almost never permitted without the provider’s signed consent.
It all sounds pretty complicated, but these tools, in the hands of a trusted IT professional, can give your company the edge if you decide to move part or all of your company’s data systems to the cloud.