I know.
I subscribe too.
‘Failure is an event not the person.’
‘Failure is critical to success.’
And my favorite,
‘fail forward.’
But if your cloud security project fails, you will have hell to pay.
Nobody wants to pay hell.
Nobody.
Have you considered what your hell will look and feel like if your cloud security project fails?
Further reading: Four key ways to overcome security concerns in the cloud.
Because remote computing opens up new possibilities for cloud security breaches, failure to address the following 13 concerns with your cloud service provider (CSP) spells doom.
Neglecting to ask these 13 questions guarantees IT cloud security failure.
- What security services are included in the offering(s)?
- Governance
a. What kind of IT Security policies are in place?
b. How will the CSP engage with your organization to ensure that offerings comply with security policies?
- Encryption:
a. What encryption technology is used? Has the encryption technology been granted a National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) certificate?
b. What encryption options are available?
c. What encryption algorithm is used and what is the key size?
d. Who stores the keys?
- Incidents
a. What are the security incident response policies and procedures?
b. How will the CSP engage your organization's security incident response team?
- Reporting:
a. What kind of proactive monitoring/support is available?
b. How are requests for information or data about IT security addressed?
- Monitoring:
a. What kind of proactive monitoring/support is available?
b. To what extent is it possible for your organization to monitor security in the cloud environment?
- Firewalls:
a. How are firewalls managed?
b. Can your organization require firewalls in the cloud environment?
- Can the CSP segment or isolate data and, if so, under what circumstances?
- How is virtualization security addressed?
- What levels and types of IT security have other entities within your industry adopted for cloud services?
- For CSPs that do not share application, system, or security logs but make a console available to view the status of services:
a. What views are available? If possible, ask for sample views along with the response.
b. What, if any, customization of views is possible?
c. If visibility into the actual provider infrastructure is limited, how does this impact the ability to identify security incidents and troubleshoot security problems?
- Does the CSP conduct penetration testing (pen tests)?
a. Are these tests conducted by the CSP or by a third party?
b. What is the frequency of pen testing?
- Can the CSP conduct vulnerability scans?
a. What is the vulnerability scanning and remediation process?
b. What platforms/services do the vulnerability scans address?
c. Does the CSP report vulnerability scan results to the customer?
Every CIO has cloud security on their radar. The federal government has taken this concern even further by creating the Federal Risk and Authorization Management Program (FedRAMP).
What is FedRAMP?
Think of it as the police for cloud security.
Officially, it is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Not government?
Consider the 13 questions above to vet your CSP for your cloud security project.
Further Reading: