Cloud Security Policy: The questions you need to ask

Top 5 must take actions for security based on 2018 trends
Carey van Vlaanderen, CEO at ESET South Africa
Cloud Security Policy: The questions you need to ask
Carey van Vlaanderen, CEO at ESET South Africa.

What would your reaction be to someone who told you that “Cloud” is so secure you don’t need to do anything else to protect your data? Because, this gem of questionable advice is becoming quite popular, says Carey van Vlaanderen, CEO at ESET South Africa.

The truth is, Cloud Computing is not some magic security sauce that you can liberally apply to make your data safer. It’s unfortunately apt that two dictionary definitions of the word “cloud” are “making less clear or transparent” and “cause of gloom, suspicion, trouble, or worry”. Cloud services are very much what you make of them, and you need to apply at least an equivalent level of rigorousness, in terms of risk assessment, as you would with assets that are hosted on your network.

Because the Cloud can make risks and responsibilities less clear, you’ll need to be extra dogged about asking vendors what steps they take to secure their services. When choosing a new vendor, you should be thoroughly vetting their security policies and procedures. It’s also a good idea to clearly spell out what responsibilities fall to the vendor and what you need to do on your organisation’s end to protect yourself.

Cloud security policy questions
Before approaching a vendor, you should be clarifying the answers to a few questions about the needs of your organisation:

  • What type of Cloud services will you be using?
    Will you be using the Cloud simply to store files, to host software applications, or to host virtual machines?
  • How will these services be deployed?
    Your Cloud could be deployed publicly, privately, or somewhere in-between depending on your specific needs and tolerance for risk.
  • How sensitive is the functionality or data that they will be hosting?
    Keep in mind that Cloud is another way of saying “someone else’s computer”. Quantify how much risk it would create for your organisation if this vendor were to experience a breach or go out of business.
  • Who will have access to this functionality?
    It may be that not all of your users need access to the Cloud in order to do their jobs effectively
  • What legal or regulatory compliance requirements do you need to consider?
    Each industry has its own relationship with the alphabet soup of national and international data security relations. Something that would work well for a retail establishment may not be sufficient for a legal or financial business, for instance.
  • What will be the consequences of failing to adhere to best practices?
    This goes for both the cloud vendor and your users, thought consequences for the former will likely be the product or negotiation or existing Service Level Agreements. It should be clear to all concerned what will happen if someone fails to live up to their responsibilities in safeguarding your data.

Cloud Security Procedures
Once you’ve clarified your goals and boundaries for Cloud services, you can start asking vendors about their procedures.

Here’s a list of possible topics you may wish to consider:

  • Does the vendor have regular 3rd party audits?
  • What is their policy on updates and patching?
  • Do they have anti-malware or intrusion detection products scanning their machines?
  • What types of authentication are available with their service?
  • What types of controls are available for identity and Access Management of your user accounts?
  • Is encryption available for traffic to and from the cloud, or in storage?
  • How will the Intellectual Property rights relating to data stored on their servers be protected
  • What types of alerting and reports of events are available to you?
  • How are their customers’ resources segmented from one another?
  • How often do they make and test backups, and how are they stored?
  • Do they have an established incident response policy?
  • Do they have a published responsible disclosure policy?
  • Do they have event logging that would allow forensic analysis in case of a security incident?
  • In what country are their servers located physically?
  • What are their policies regarding data mobility and retention?
  • What options are available to secure data deletion or destruction?

Clouds don’t have to bring opacity or uneasiness, if you do some homework before implementation. The ability to access files and services from wherever you are is a powerful one, which can either introduce new risks to your environment, or it can be an opportunity to enlist the services of a trusted partner to improve your overall productivity. The coming of Clouds can actually clear the air and provide a welcome respite.

By Carey van Vlaanderen, CEO at ESET South Africa