I have the pleasure of doing a large volume of phone calls with our customers, consulting with them on various aspects of Information Technology and Information Security. Recently, a large number of questions have been focused on proper cloud adoption and what goes into cloud security. With that focus, let’s shed some light onto cloud security and discuss how to evaluate your security posture as it pertains to it.
First off, when you are choosing cloud, you really are taking on two different security postures and positions. Those are:
- Your Security: Since your network is accessing a cloud provider, the security posture of your network affects how securely that data is accessed. Questions like, “Can someone exploit your internal network to gain access to the cloud provider?” have to be considered. How much your own security comes into play with a cloud provider varies depending on the type of provider and the service they are providing. IaaS or PaaS carries a lot more risk here than a pure SaaS environment.
- Their Security: Beyond your network, the greater risk is someone exploiting the provider’s network, which would allow them to make off with your data, and potentially that of your customers. Depending on the data you store with the cloud provider, this could result in very sensitive information being leaked.
Since the topic of “your security” is very broad, let’s focus on the security of the cloud provider.
In our threat and risk matrix, we break down cloud security into three different buckets:
1) Prevention: Preventative measures are specifically designed to deter, defend, and discover a threat coming at a cloud provider before the threat is realized. In some cases, this takes the form of blocking IPs, patching regularly, and running an IDS that can flag irregular traffic patterns or identify common attacks against the platform as they begin to occur. A good provider will have some level of prevention up front on their cloud, and will also follow the best practice of having their preventative counter-measures tested, both by themselves and by third parties, at regularly scheduled intervals.
3) Correction: Finally, in the cases where there are security exploits, or a risk diagnosed during the preventative controls, there is correction. This is the part where we take all of the feedback from people evaluating our products, along with the risks that we can identify, and proactively feed them back into our coding process and build/architecture process. This phase sews up all the loose ends to ensure that our risks and threats are constantly managed and mitigated.
With all of the above, a cloud provider should be able to very easily answer your questions about the various controls they have in place around prevention, detection, and correction. If you are satisfied with their answers – they are likely a good provider for you. If they don’t have all three in place… well, just remember, most gamblers in Vegas end up losing money.