In a previous blog post, I mentioned that the measure of success with a cloud provider comes down to your ability to get the “real story” during the sales cycle. While I touched on the physical security of the provider’s data center – what about the logical, remote and application data security in the cloud stack?
The most prominent “as-a-service” cloud categories today center around Infrastructure as a Service (IaaS) and Software as a Service (SaaS). Each flavor has its own security story in regard to what the cloud provider builds in and what can be layered on at an extra cost.
Before marketers took the word “cloud” in a thousand different directions, IaaS was simply known as “virtual colocation,” meaning anything you can do physically in your data center you can do virtually from the provider’s single-pane-of-glass web console: build virtual machines (VMs) at will, add IPs and, most importantly, take full control of three layers of high-availability (HA) firewalls, usually Cisco ASAs.
The customer controls the ins and outs of traffic through all of these security devices. Bottom line: you, the customer, lock down your virtual data center in the cloud. You can export the firewall logs from the web console, just as you do with physical firewalls, into an Excel spreadsheet, or use an API to push them to a Security Information and Event Management (SIEM) product. Treat the API path as the baseline: a spreadsheet tells you what happened after the fact, while a SIEM can alert on deny patterns as they arrive.
The last thing to consider in IaaS is hiring an outside security firm to run Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) covering your specific virtual data center context in the cloud. Because this touches the provider’s shared infrastructure, give them enough notice; with it, your cloud provider can make this happen for you.
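As an added example (not code from the original post or from CDW), here is how an exported ASA firewall log might be normalized before it is pushed to a SIEM, together with the kind of aggregation a SIEM rule would run over it. The log lines are constructed for this example; the field layout follows Cisco’s documented syslog format for messages 106023 (denied by ACL) and 302013 (connection built), and the type and function names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// FirewallEvent is the normalized record handed to the SIEM.
type FirewallEvent struct {
	Severity  int    `json:"severity"`
	MessageID string `json:"message_id"`
	Action    string `json:"action"` // "deny" or "built"
	Protocol  string `json:"protocol"`
	SrcIface  string `json:"src_iface"`
	SrcIP     string `json:"src_ip"`
	SrcPort   int    `json:"src_port"`
	DstIface  string `json:"dst_iface"`
	DstIP     string `json:"dst_ip"`
	DstPort   int    `json:"dst_port"`
	ACL       string `json:"acl,omitempty"`
}

// ASA message IDs 106023 (packet denied by an ACL) and 302013 (TCP connection built).
var (
	denyRe  = regexp.MustCompile(`^%ASA-(\d)-(106023): Deny (\w+) src ([\w-]+):([\d.]+)/(\d+) dst ([\w-]+):([\d.]+)/(\d+) by access-group "([^"]+)"`)
	builtRe = regexp.MustCompile(`^%ASA-(\d)-(302013): Built (?:inbound|outbound) (\w+) connection \d+ for ([\w-]+):([\d.]+)/(\d+) \([\d.]+/\d+\) to ([\w-]+):([\d.]+)/(\d+)`)
)

func atoi(s string) int { n, _ := strconv.Atoi(s); return n }
// ParseASA converts one syslog line into a FirewallEvent; ok is false for
// message types this parser does not model, so callers can count the drops.
func ParseASA(line string) (FirewallEvent, bool) {
	action, m := "deny", denyRe.FindStringSubmatch(line)
	if m == nil {
		action, m = "built", builtRe.FindStringSubmatch(line)
	}
	if m == nil {
		return FirewallEvent{}, false
	}
	ev := FirewallEvent{Severity: atoi(m[1]), MessageID: m[2], Action: action, Protocol: strings.ToLower(m[3]),
		SrcIface: m[4], SrcIP: m[5], SrcPort: atoi(m[6]), DstIface: m[7], DstIP: m[8], DstPort: atoi(m[9])}
	if action == "deny" {
		ev.ACL = m[10]
	}
	return ev, true
}

// ParseExport parses a whole export and reports how many lines were skipped.
func ParseExport(lines []string) (events []FirewallEvent, skipped int) {
	for _, l := range lines {
		if ev, ok := ParseASA(l); ok {
			events = append(events, ev)
		} else {
			skipped++
		}
	}
	return events, skipped
}

// NoisyDenySources returns the source IPs denied at least threshold times on
// dstPort: the aggregation a SIEM rule runs to surface scans or brute force.
func NoisyDenySources(events []FirewallEvent, dstPort, threshold int) []string {
	counts := map[string]int{}
	for _, e := range events {
		if e.Action == "deny" && e.DstPort == dstPort {
			counts[e.SrcIP]++
		}
	}
	var hits []string
	for ip, n := range counts {
		if n >= threshold {
			hits = append(hits, ip)
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleExport is a constructed firewall export for this example, not real logs.
var SampleExport = []string{
	`%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]`,
	`%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]`,
	`%ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]`,
	`%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/44000 (198.51.100.7/44000) to inside:10.0.0.5/443 (10.0.0.5/443)`,
	`%ASA-4-106023: Deny udp src outside:198.51.100.7/5353 dst inside:10.0.0.9/161 by access-group "outside_in" [0x0, 0x0]`,
	`%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/50000 to outside:192.0.2.1/50000`,
}
func main() {
	events, skipped := ParseExport(SampleExport)
	out, _ := json.Marshal(events) // what a SIEM HTTP collector would ingest
	fmt.Println(string(out))
	fmt.Printf("skipped %d unmodeled lines\n", skipped)
	fmt.Println("noisy SSH deny sources:", NoisyDenySources(events, 22, 3))
}
```

The skipped-line count matters in practice: a parser that silently drops message types it does not recognize will hide exactly the events you have not thought about yet, so ship that number to the SIEM alongside the parsed events.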
In the SaaS model, where a cloud provider codes, hosts and secures an application consumed over the web, you have less control than in an IaaS environment. However, that doesn’t mean you shouldn’t investigate what the SaaS provider has under the covers in regard to security.
Just like the IaaS provider, the SaaS company has to design a security context around the web application that protects sensitive data such as usernames and passwords or Personally Identifiable Information (PII). One of the biggest areas of security lapses in SaaS is misconfigured databases, operating systems and middleware deployed by the provider.
Make sure you get the SaaS provider’s full list of compliance, regulatory and audit results, as they are bound to prove to customers and regulatory bodies that they are on top of their security game. These include regulations such as HIPAA, industry standards such as PCI DSS and ISO/IEC 27001, and audit reports such as SOC 2 issued under SSAE 16. Ask for the actual reports rather than a logo on a web page, and check that their scope covers the specific service and data centers you will be using.
Other security considerations that should be part of a cloud service agreement include:
Risk Assessment: This is more on the customer than the cloud provider. The good providers will have their full security breakdown available for your company’s compliance/security department. Plus, demand to meet with the cloud provider’s own security engineers for a deep dive on how they design, maintain and protect your applications in the cloud. This will lower your risk profile when using cloud services.
Authentication: Most entry-level cloud providers offer single-factor authentication based on the log-in credentials given to you by the web console admin. The providers with the most forward-thinking authentication technology use multi-factor authentication: after logging in with your credentials, you are called on the phone for a second password before you can access the cloud environment. A phone call is better than a password alone, but phone and SMS codes are the most easily intercepted second factors; prefer an authenticator app or hardware token where the provider supports one, and make sure the console admin account itself is covered.
Encryption: The real test of a cloud provider is whether it can encrypt your data at rest while still allowing you to own the encryption keys. This lets you mirror the encryption policies of your physical data center, and it means that revoking or destroying your key makes the data unreadable no matter what the provider retains. Ask where the keys actually live and whether any provider staff can ever access them unwrapped.
Data Loss Prevention: You obviously have your own Data Loss Prevention (DLP) policies internally. For today, cloud providers will allow you to layer SaaS-based DLP offerings over their service, alerting you to potential security violations.
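The Encryption item above deserves a worked illustration of what “owning the keys” actually buys you. The following is an added example, not code from the original post or from any cloud provider: envelope encryption in which each stored object gets its own data-encryption key (DEK), and the DEK is stored only wrapped under a key-encryption key (KEK) that the customer holds. It goes a little beyond the text by also binding the object ID into the authenticated data, so a wrapped key cannot be moved from one object to another. All type and function names are my own, and the PII record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const keyLen = 32 // AES-256 for both the customer's KEK and each per-object DEK

// StoredObject is everything the provider keeps. The DEK is present only wrapped
// under the customer's KEK, so storage, backups and provider staff cannot read the data.
type StoredObject struct {
	ObjectID   string
	Nonce      []byte // AES-GCM nonce for the data
	Ciphertext []byte // data sealed under the per-object DEK
	DEKNonce   []byte // AES-GCM nonce for the wrapped DEK
	WrappedDEK []byte // DEK sealed under the customer's KEK
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal encrypts with AES-256-GCM, binding aad (the object ID) so a ciphertext or
// wrapped key cannot be transplanted onto another object.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(gcm.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}
// unseal is the inverse; it fails on a wrong key, nonce, tag or aad.
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}
// NewKEK generates the customer's key-encryption key. In a real deployment it lives
// in the customer's own HSM or KMS, which exposes wrap/unwrap but never the key.
func NewKEK() ([]byte, error) { return randomBytes(keyLen) }

// Encrypt is the write path: fresh DEK per object, data sealed under the DEK,
// DEK sealed under the KEK, plaintext DEK scrubbed.
func Encrypt(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dek, err := randomBytes(keyLen)
	if err != nil {
		return StoredObject{}, err
	}
	aad := []byte(objectID)
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return StoredObject{}, err
	}
	dekNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return StoredObject{}, err
	}
	for i := range dek { // best-effort scrub; an HSM would never release the DEK in the clear
		dek[i] = 0
	}
	return StoredObject{ObjectID: objectID, Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// Decrypt is the read path. Without the KEK the unwrap fails: revoking or destroying
// the KEK makes every object unreadable no matter what the provider retains.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := unseal(kek, obj.DEKNonce, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", obj.ObjectID, err)
	}
	return unseal(dek, obj.Nonce, obj.Ciphertext, []byte(obj.ObjectID))
}

func main() {
	customerKEK, _ := NewKEK()
	providerKey, _ := NewKEK() // stands in for any key the provider holds on its own
	record := []byte("name=Example User;ssn=000-00-0000") // constructed PII record
	obj, _ := Encrypt(customerKEK, "tenant-42/record-1", record)
	pt, err := Decrypt(customerKEK, obj)
	fmt.Println("customer KEK roundtrip ok:", err == nil && bytes.Equal(pt, record))
	_, err = Decrypt(providerKey, obj)
	fmt.Println("provider without the KEK:", err)
}
```

The design choice worth noticing is that the provider’s data path never needs the KEK itself, only a wrap and an unwrap operation, which is what lets the KEK stay in a customer-controlled HSM or KMS. When evaluating a provider, ask which side of that boundary their staff can reach.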
At CDW, we believe cloud security should be the first and last conversation in every procurement. Every cloud vendor will tell you that their IaaS or SaaS offering is secure, but can they prove it? Where are their potential points of failure? Could they end up becoming yours? Not all cloud vendors are created equal, and neither is their security design and protection from internal and outside threats.
Learn more. Jump into the cloud.
To learn more about CDW cloud solutions, go to CDW.com/cloud