Who’s in Charge of Protecting Your Cloud?
Imagine you’re the owner of a brand new app or software program, built on one of the world’s most common and popular cloud technologies, and you’re happy to let your provider handle day-to-day maintenance and security.
The advent of full-service cloud providers makes your job easier, but there might (should) be one question that still bothers you: How secure is my data in the cloud and who is responsible for protecting it?
If a security-related incident happens, who will be responsible for addressing the consequences? In the majority of cases, the answer is you, and not your Cloud Service Provider (CSP), as some might think.
The first and the most important concept to understand is that for Cloud Based Systems, responsibility is shared between you — as the owner of your application — and the CSP that owns part of the technologies beneath it. Depending on the collaboration model (IaaS, PaaS or SaaS), there will be a different distribution of zones of responsibility between you as an Application Owner and Cloud Service Provider. In any case, you should understand how the data is protected, even at layers beyond your personal involvement.
The good news is that most CSPs are well-versed in security, but that doesn’t mean you shouldn’t ask them what has been actually done to mitigate threats. Focus your questions on these four areas:
1. What Compliance Regulations Does Your CSP Conform To?
If you’re working within a highly regulated domain like Healthcare or Finance, you might already know all the certifications that your CSP has, as you would need them as a part of your own application audit. But even if you do not need to get certified on your own, requesting information on available certificates from your CSP is a very good idea.
The most indicative certificates that I recommend looking for are Service Organization Controls certifications (inquire about the so called SOC 2 or SOC 3). While SOC 3 will be a publically available summary of the Security Controls, the SOC 2 report, which contains details, usually can be requested on demand.
2. Do They Have Questionnaires and Certifications from the Cloud Security Alliance?
CSA is a “not-for-profit” organization with the goal of encouraging and advocating for best practices for providing security assurance within cloud computing. The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions, which then can be used for a wide range of purposes, including cloud provider selection and security evaluation. As one of the goals of the CSA is to educate cloud consumers about security in the cloud, I would also highly encourage you to fill in their questionnaire on your own as a checklist to ensure that you’re protecting your assets effectively.
3. What Are Their Recommendations for Security Controls to Cover Your Zone of Responsibility?
As a part of the cloud services provided by CSPs, there is usually a set of best practices you can follow to use their services safely and most effectively. I highly recommend reviewing them. Keep in mind all of the available mechanisms when building the security architecture of your application. Within this area, it is also wise to mention Security as a Service products that could be delivered by 3rd party companies via a CSP marketplace. Usually, such services provide a very useful and cost effective way to add extra security levels for your application, if needed by your security requirements.
4. What’s Their Policy on Third Party Penetration Testing and Incident Response Processes?
A CSP should be open to your initiatives for conducting Penetration Testing, or any other type of Security Testing (some details on the types of testing can be found here), as one of the mechanisms for verification of your application’s security at the final stages of its development. It could also serve as an indirect indication of the CSP’s confidence in their security measures. When planning Incident Response, it is worth it to map what information can be requested from your CSP, and how they can support you during this process.
Some Key Takeaways
Responsibility for the security level of a Cloud Based Application is shared between a CSP and an Application Owner. However, the Application Owner is the one primarily accountable, thus the Application Owner needs to be aware of all security measures adopted in house, as well as by a CSP.
When verifying the security practices used by a CSP, the available compliance regulations might be the most effective way to get insights into what these security practices are and how they are executed. Look for certifications like SOC 2, SOC 3 and CSA.
Make sure that you’re using all the available mechanisms provided by your CSP to protect your application, and that you’re using the recommended best practices to achieve your security goals.
Clarify your strategy for handling security incidents before they happen. Check how your CSP can help you with incident forensics.
Last, but not least, don’t hesitate to talk to your CSP if you have any concerns about the security of your Cloud based applications. Even you’re accountable for security, a good CSP will be happy to support you in the complex process of building a truly secure Cloud Application.