Having identified the assets the organization wants to move to the cloud and having completed an appropriate risk assessment, organizations can now look to confidently migrate to a Cloud Service Provider. The type of platform the Cloud Service Provider offers determines which security controls can be implemented and how much control the organization will have over those controls. The main platforms to consider are
Organizations need to be aware of the differences between each of the platforms in order to ensure that the most appropriate and effective security controls are implemented.
Governance and Compliance Controls
▪ Cloud Governance Frameworks
Organizations should ensure when engaging with a Cloud Service Provider that the Cloud Service Provider employs a cloud governance framework. By employing a cloud governance framework the Cloud Service Provider demonstrates that it takes its commitments to security seriously and has adopted industry-recognized best practices. An example would be the “Best Practices for Governing and Operating Data and Information in the Cloud”, which is part of the Cloud Security Alliance’s Cloud Data Governance Project.[24]
One of the challenges faced by organizations with cloud computing is ensuring they are compliant with various legal, industry, customer, and regulatory requirements. Organizations based in the European Union that process personal data of individuals have to comply with the European Union’s Data Protection Directive,[25] while organizations in the United States that process personal medical records have to comply with the Health Insurance Portability and Accountability Act.[26] Other compliance requirements, including the Payment Card Industry Data Security Standard, dictate certain security requirements that organizations must comply with should they process any credit card information. Organizations that have compliance requirements will need to ensure that the Cloud Service Provider has the appropriate controls in place so that the organization can remain in compliance.
An example would be organizations that are obliged to comply with the European Union’s Data Protection Directive. Under that directive it is illegal to export personal data outside the European Economic Area[27] unless it is to approved countries with similar privacy laws to the EU, while to the US it is only to companies that sign up to the US Safe Harbor Framework[28] or are contractually obliged[29] to protect the data in accordance with the EU Data Protection Directive’s requirements. Given the nature of the cloud it can be difficult to determine exactly where data resides. It could be on a number of servers, over a number of datacenters, located in various locations around the world. The Cloud Service Provider will need to demonstrate to these organizations that their data will be stored, processed, and deleted in accordance with their Data Protection obligations.
A Cloud Service Provider that has a full time compliance office, or officer, would demonstrate they take this issue seriously. Organizations engaging with a Cloud Service Provider should request details on the Cloud Service Provider’s compliance function such as who is responsible in the provider for compliance, what regulations and requirements the provider complies with, and also whether or not the Cloud Service Provider has a compliance policy in place.
It should be noted that an organization is still responsible for all of its compliance requirements even when the data and/or services are provided by a Cloud Service Provider.
Many suppliers, be they Cloud Service Providers or traditional IT suppliers, will assert that they provide good service and they take security seriously. While many are sincere in these proclamations, it is akin to buying a second-hand car and taking the word of the sales person that everything is okay with the car. When buying a second-hand car it is recommended to take it for a test drive and to have a trained mechanic examine it for any potential problems. Similarly when engaging with a Cloud Service Provider, an organization should consider whether or not it should take the provider at face value with regard to their assurances regarding security. Ideally, the organization should seek some independent third-party assurances as to how effective the security controls are within the Cloud Service Provider.
The ISO 27001 Information Security standard is a well-recognized international standard which is independent, vendor neutral, and covers many aspects of security. Organizations that are certified to the standard demonstrate that they have implemented the security controls within the standard that are applicable to them and that these controls have been independently verified by a trusted third party. Further details are included in Chapter 6.
Another initiative that can be used is the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)[30] initiative. The Cloud Security Alliance’s STAR was launched in 2011 with the aim of improving transparency and assurance of Cloud Service Providers. Further details are included in Chapters 2 and .
It may seem strange to have to bring this item to the fore but it is important to ensure that when an organization moves its data into the cloud that it is clearly understood who owns the data that is migrated into the system and, just as importantly, data that is created within the cloud.
There should be no ambiguity over the ownership of the data. In order to ensure the organization meets its compliance requirements, it is essential ownership of the data is clearly understood. Should the Cloud Service Provider claim that any data held within their platform belongs to them and they can do with it what they wish, this could place the customer organization in breach of its compliance requirements.
The issue of data ownership needs to be defined in the event the customer organization decides not to engage with the Cloud Service Provider and move the service back in-house or to another provider. The customer organization will want to ensure that should they take this route the initial Cloud Service Provider does not claim ownership to the customer organization’s data.
So before engaging with a Cloud Service Provider an organization must clearly agree with the provider who actually owns the data.
▪ Legal Interception, Court Orders, or Government Surveillance
Ever since recent revelations by Edward Snowden relating to government surveillance of Internet companies and Cloud Service Providers, the issue of government access to private data has come to the fore for many organizations. In particular, organizations that are located in one jurisdiction may have concerns over whether the government of another jurisdiction can access the organization’s data because it engaged with a Cloud Service Provider located in that foreign jurisdiction. This issue was recently demonstrated when Microsoft was ordered by a US court to surrender email data belonging to one of its customers, even though the data was stored on a server physically located in Dublin, Ireland.[31] This has raised many concerns for some organizations as to whether or not they should store sensitive data with a Cloud Service Provider, particularly a Cloud Service Provider that is subject to court orders from a different jurisdiction.
Organizations that are considering storing highly confidential information, be they private companies with commercial or intellectual data or government bodies with sensitive information, should seek assurances from the Cloud Service Provider as to what their policy is regarding requests from government bodies or law enforcement agencies. Questions to ask include
▪ Will the Cloud Service Provider respond to all requests without question?
▪ Will the Cloud Service Provider respond only to legal court requests?
▪ Will the Cloud Service Provider notify the organization of any requests it received relating to the organization’s data?
▪ Does the Cloud Service Provider provide access to customer data for intelligence agencies? If so, under what conditions?
▪ Under which jurisdiction and courts is the Cloud Service Provider bound?
▪ Does the Cloud Service Provider publish a transparency report outlining how many requests for data it has received from governments and law enforcement agencies?
Supply chain security: Many Cloud Service Providers rely on third parties to help them provide their services. These services could range from customer call center services, to technical support, to cleaning companies, to utility suppliers such as water and power, and contractor staff. Organizations engaging with a Cloud Service Provider should determine which other third parties the Cloud Service Provider employs and what security controls, protocols, and assurances are in place with those providers.
Organizations should note that if they have any compliance requirements, in most cases those requirements not only extend to the Cloud Service Provider(s) they engage with, but also to any third parties the Cloud Service Provider uses to provide its service to the customer. Under many compliance regimes, the customer organization will retain responsibility for ensuring that the entire supply chain is compliant with the relevant regulations. Organizations therefore should ensure that the Cloud Service Provider provides full transparency with regard to its own suppliers and the security controls those suppliers have in place.
Security testing and auditing: While assurances from a Cloud Service Provider or from independent third parties can provide an organization with a certain level of confidence in the security of a Cloud Service Provider, there may be times the organization would like to verify for itself the claims being made. Traditionally in many cases this would involve allowing the organization to conduct an audit of the suppliers systems, premises, and/or services. The organization would arrange for its own internal audit team or engage with a trusted external provider to conduct an audit of the supplier.
In the traditional procurement and engagement model this approach worked in most cases; however, when it comes to the cloud this model breaks down. Given that an organization’s data may be located anywhere in the cloud at any time, it will be extremely difficult for an auditor to conduct an audit relating to the physical location of the data. Many cloud providers have developed their own proprietary platforms and systems which many auditors will not be familiar with. Finally, many Cloud Service Providers simply do not have the manpower to facilitate every request from a potential or existing customer to audit their facilities and systems.
Penetration and vulnerability testing is also an issue. A Cloud Service Provider may not wish to allow customers to perform penetration tests against its systems in case they cause availability or other issues with the provider’s services and impact other customers. There may be legal and liability issues that could affect the customer organization should a penetration or vulnerability test cause problems. This extends even to customers who do not wish to test the Cloud Service Provider’s own services but simply want to test their own applications hosted there: performing application penetration tests or application vulnerability tests may breach the Cloud Service Provider’s terms and conditions.
If an organization cannot get agreement from the Cloud Service Provider for it to perform security tests or audits, it should seek agreement from the Cloud Service Provider that it will provide the organization with access to any penetration tests or audits the Cloud Service Provider engages with. While not as independent as engaging their own preferred testers and auditors, this option could help the organization determine how secure the Cloud Service Provider is.
Service-level agreements: In the world of Cloud Computing the selection, implementation, support, and ongoing management of security controls are under the control of the Cloud Service Provider and not the customer organization. The only influence and oversight the organization will have will be via the Cloud Service Provider’s SLA. It is therefore vitally important that organizations spend time and energy in ensuring the SLA is suitable to their requirements and provides them with the tools and ability to manage the security of the data and services entrusted to the Cloud Service Provider.
The ENISA provides a very comprehensive guide on how to establish and manage an SLA with a Cloud Service Provider. This is detailed in the “Procure Secure: A guide to monitoring of security service levels in cloud contracts”[32] and should be referred to by any organization looking to engage with a Cloud Service Provider.
An effective SLA will provide an organization with continuous feedback on the effectiveness of the security controls being provided by the Cloud Service Provider. An effective SLA should also enable the organization to seek recompense or service credits in the event the Cloud Service Provider does not meet the goals and targets agreed in the SLA. An effective SLA can be a powerful tool in ensuring a provider continues to meet the levels of service required by the customer organization.
Policies and Procedures Controls
Processes and procedures ensure a structured approach is taken when dealing with certain tasks or practices. This is even more important when engaging with a Cloud Service Provider to ensure the security of an organization’s data is not undermined or compromised by provider staff, or indeed the organization’s staff, not following correct procedures. There are a number of key policies and procedures an organization should ensure the Cloud Service Provider has in place when engaging with that supplier.
Privacy policies are important as they demonstrate to others what the company’s approach is to privacy and how the company will protect the privacy of individuals. Some countries have very strict privacy regulations, such as those within the European Union, Switzerland, and Iceland, which require companies operating from them or selling to customers in them to take strict measures to ensure privacy of personal information.
When engaging with a Cloud Service Provider an organization should ensure that it first has its own privacy policy in place and then ensures that the Cloud Service Provider’s privacy policy is in line with that of the customer organization.
In addition to the above the customer organization should determine what approach the Cloud Service Provider takes to building privacy controls into its services, otherwise known as Privacy by Design.[33]
The Cloud Service Provider should also have a policy of conducting Privacy Impact Assessments when it develops new services and alters or decommissions existing ones. The United Kingdom’s Information Commissioner’s Office provides a “Conducting Privacy Impact Assessments Code of Practice”[34] which is an excellent guide on this topic.
Change Management
All IT environments grow and change over time. New network components will be added, existing components will be upgraded or replaced, and software levels on components, services, and applications will be revised and updated. Likewise a Cloud Service Provider’s environment will grow and change. It is essential that assurances are obtained from the Cloud Service Provider that any change to the provider’s production environments is managed in a structured and controlled way to ensure minimal disruption to service.
When engaging with a Cloud Service Provider an organization should ensure it has visibility of the provider’s Change Management Policy and get assurances that this policy can
▪ reduce the risk associated with unplanned changes;
▪ inform affected parties, such as the customer organization, of a planned change so that they may take appropriate action;
▪ minimize the effect a planned change may have on the quality or availability of services and/or data;
▪ minimize the overall cost and time associated with planned changes;
▪ provide an auditable trail for compliance, troubleshooting, and review purposes;
▪ facilitate continuous learning and improvement of personnel, processes, and procedures; and
▪ provide metrics for management decisions.
In addition the customer organization should ensure its own Change Management Policies are robust and are adapted to engage with the Cloud Service Provider. In particular the policy should ensure that
▪ changes made on the customer organization’s infrastructure are assessed to ensure they do not impact on how the organization accesses the services provided by the Cloud Service Provider and
▪ any changes made on either the customer or the Cloud Service Provider’s systems are assessed to ensure any coordinated changes required on both sides are completed in a timely and appropriate manner.
Patch Management
Patch management is the discipline of ensuring fixes to software bugs, otherwise known as patches, are applied in a timely manner while maintaining the service being provided. Applying patches in a timely and process-driven manner is important as
▪ critical bugs could cause a failure in the underlying infrastructure resulting in a prolonged outage for the cloud service or any dependent services within the customer organization’s environment;
▪ without a formalized patch management policy it is possible that applying a patch to one element of the Cloud Service Provider’s platform could have negative consequences for a system or other element that depends on the patched element; and
▪ critical bugs in the underlying database, services, or platform could be exploited by individuals to gain unauthorized access to sensitive data.
When engaging with a Cloud Service Provider the customer organization should make sure it is aware of what the provider’s patch management policy is. In some cloud platforms, e.g., SaaS, applying a patch may have little impact on the service being provided. However, should the customer organization be integrating its own systems with the SaaS platform, then the application of a patch could disrupt that interoperability. Similarly, changes to a PaaS or an IaaS platform could negatively impact the services subscribed to by the customer organization.
When examining the Cloud Service Provider’s patch management policies, the customer organization needs to ensure that all patches are managed in a structured manner. It is also important that the provider’s patch management policy is integrated with its Change Management Policy.
The key elements an organization should look to be included in the Cloud Service Provider’s Patch Management Policy are
▪ How often are patches applied?
▪ How will the provider manage emergency or critical patches?
▪ What level of testing does the provider require before applying patches?
▪ Who within the provider authorizes the application of the patches, and will the customer organization have any input into this thought process?
▪ How does the Cloud Service Provider ensure patches are centrally controlled, distributed, and applied?
▪ The policy should also provide clarification as to roles and responsibilities for applying key patches and updates to the various systems and platforms within the service provider and where the demarcation lies for patches within the customer’s systems.
Incident Response Plan
Computer security incidents are a matter of course for every organization, even more so for Cloud Service Providers given the large number of clients they have which in turn could make them a bigger and juicier target for criminals. While the Cloud Service Provider will provide many assurances that they have excellent security controls in place, it is important to recognize that there is no such thing as 100% security and that at some stage there may be a security incident.
As the party responsible for all its data, the customer organization should satisfy itself that the Cloud Service Provider has appropriate incident response plans and processes in place. It should also ensure that roles and responsibilities regarding dealing with security breaches are clearly identified, agreed, and assigned between the provider and the customer organization.
Business Continuity Plan
There are two broad aspects to business continuity: one is having the countermeasures in place to prevent a disaster happening in the first place, and the other is having the countermeasures and plans in place to minimize the effects if a disaster does occur.
Organizations migrating to the cloud should realize that simply because the data or service is hosted in the cloud, it is not a license for them to forget about business continuity. The organization is still responsible for ensuring its business can continue in the event of any interruption, be they to their own in-house systems or that of the Cloud Service Provider.
As such, the customer organization should seek reassurances that the Cloud Service Provider has a comprehensive business continuity plan in place, and the customer organization integrates that plan into its own business continuity plans. The key areas the customer organization should look at include
▪ Has the provider identified the business processes critical to the continued provision of its services?
▪ What is the priority of restoring services for the specific customer, i.e., is the cloud provider restoring the largest customers first and then small ones?
▪ Has the provider conducted a detailed Business Impact Analysis (BIA)?
▪ Has the provider conducted a detailed risk assessment upon which to formulate its Business Continuity Plan?
▪ Has the provider identified the staffing requirements it needs to support the provision of critical services in the event of an interruption to the business?
▪ What solutions has the provider implemented to restore its services in a timely manner and to minimize interruption to the customer organization’s business processes?
▪ Has the provider identified and provisioned the facilities required to support the continuation of critical services in the event of an interruption to the business?
▪ What are the provider’s processes and procedures for invoking the Business Continuity Plan?
▪ What notifications will be provided to the organization in the event the Business Continuity Plan is invoked?
As well as ensuring the Cloud Service Provider’s business continuity policies, processes, and procedures are appropriate, it is equally important the customer organization revises its own plans and adapts them to the change in service delivery model. In many cases moving to the cloud can enhance business continuity for the client organization but this should not be taken for granted. The organization should review its plans to ensure the business can continue to operate should there be a business interrupting event either at their own facilities or those of the Cloud Service Provider.
Access Control
Ensuring only authorized personnel have access to the data and services stored in the cloud is another key challenge that organizations need to address. Once the data has migrated to the cloud, any authorized person with access to the Internet can theoretically gain access to that data.
It is important the customer organization has its own processes to ensure only authorized personnel have access to the cloud service based upon its security and business requirements. The organization should work with the Cloud Service Provider to ensure access to the service is provided in a manner which will protect the confidentiality and integrity of that information. This could be based on two-factor authentication solutions, restricting access to certain IP addresses associated with the organization, and/or restricting logins during certain times and from specific regions.
The organization should regularly review the access control rights to the service for users and groups of users to ensure that all access rights are appropriate for the role of the individual users.
The organization should also ensure that administrator access to the cloud service is limited to only those members of staff with a valid business requirement for such access. It should also ensure that other staff, such as developers and other application personnel, do not have administrator access to the service, except in emergencies and then with appropriate authorization.
As well as ensuring it manages the access to the service of its own staff, the customer organization should seek assurances from the Cloud Service Provider that appropriate access controls are in place regarding the provider’s staff.
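The restrictions described above (a second factor, source addresses associated with the organization, permitted regions and hours, and administrator access only for accounts with a standing business need or a recorded emergency authorization) are easiest to reason about when written down as an evaluable policy. The following is an added example, not code from the book or from any provider: the request fields, the RFC 5737 documentation address range, the region codes and the account names are constructed for illustration, and a real deployment would take the equivalent values from the provider's identity service.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// AccessRequest is one login attempt as the organization's policy engine sees
// it. The fields are assumptions for this example, not any provider's API.
type AccessRequest struct {
	User         string
	SourceIP     string
	Region       string // country code from the provider's geo-IP lookup
	MFAPassed    bool
	WantsAdmin   bool   // the session is requesting administrator privileges
	EmergencyRef string // reference to an approved emergency authorization, if any
	At           time.Time
}

// Policy captures the restrictions the text lists: a second factor, source IP
// ranges belonging to the organization, permitted regions, a login window,
// and administrator access only for accounts with a standing business need.
type Policy struct {
	AllowedPrefixes []netip.Prefix
	AllowedRegions  map[string]bool
	WindowStartHour int // inclusive, UTC
	WindowEndHour   int // exclusive, UTC
	AdminAccounts   map[string]bool
}

// Evaluate applies the checks in order and returns the first reason for
// refusal, so denials can be logged and reviewed alongside access rights.
func (p Policy) Evaluate(r AccessRequest) (allowed bool, reason string) {
	if !r.MFAPassed {
		return false, "second factor not satisfied"
	}
	ip, err := netip.ParseAddr(r.SourceIP)
	if err != nil {
		return false, "unparseable source address"
	}
	inRange := false
	for _, pfx := range p.AllowedPrefixes {
		if pfx.Contains(ip) {
			inRange = true
			break
		}
	}
	if !inRange {
		return false, "source address outside organization ranges"
	}
	if !p.AllowedRegions[r.Region] {
		return false, "login from region not permitted"
	}
	if h := r.At.UTC().Hour(); h < p.WindowStartHour || h >= p.WindowEndHour {
		return false, "login outside permitted hours"
	}
	// Developers and other non-admin staff get administrator access only in an
	// emergency, and then only with a recorded authorization reference.
	if r.WantsAdmin && !p.AdminAccounts[r.User] && r.EmergencyRef == "" {
		return false, "administrator access not authorized for this account"
	}
	return true, "allowed"
}

// SamplePolicy is a constructed policy: one documentation IP range
// (RFC 5737), two regions, office hours 07:00-19:00 UTC, one admin account.
func SamplePolicy() Policy {
	return Policy{
		AllowedPrefixes: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")},
		AllowedRegions:  map[string]bool{"IE": true, "GB": true},
		WindowStartHour: 7,
		WindowEndHour:   19,
		AdminAccounts:   map[string]bool{"ops-admin": true},
	}
}

func main() {
	p := SamplePolicy()
	inHours := time.Date(2024, 3, 12, 10, 0, 0, 0, time.UTC) // constructed timestamp
	requests := []AccessRequest{
		{User: "alice", SourceIP: "203.0.113.10", Region: "IE", MFAPassed: true, At: inHours},
		{User: "alice", SourceIP: "198.51.100.5", Region: "IE", MFAPassed: true, At: inHours},
		{User: "dev-bob", SourceIP: "203.0.113.20", Region: "GB", MFAPassed: true, WantsAdmin: true, At: inHours},
		{User: "dev-bob", SourceIP: "203.0.113.20", Region: "GB", MFAPassed: true, WantsAdmin: true, EmergencyRef: "CHG-0042", At: inHours},
	}
	for _, r := range requests {
		ok, why := p.Evaluate(r)
		fmt.Printf("%-8s admin=%-5v -> %v (%s)\n", r.User, r.WantsAdmin, ok, why)
	}
}
```

Returning the first failing check as a reason, rather than a bare yes/no, is what makes the periodic access review the text calls for practical: the denial log shows whether people are being stopped by the IP allowlist, the region rule, or the hours window, and whether emergency administrator access is being used more often than the business case justifies.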
Forensics and eDiscovery
Computer forensics and eDiscovery are relatively mature disciplines within traditional IT environments.[35] However, when it comes to cloud computing these disciplines are still in their infancy. Cloud computing brings a number of challenges when trying to forensically capture data. Firstly there is the issue of where the data is stored and located, and how the data can be gathered in a forensically sound way. There is also the issue of the dynamic nature of the cloud and how to soundly capture threats, processes, and memory to support an investigation. In a cloud environment there is also the challenge of how to isolate logs and other critical supporting evidence for one customer’s instance from all of the other customers using that Cloud Service Provider.
When engaging with a Cloud Service Provider the customer organization should ensure it fully understands what the Cloud Service Provider can, and just as importantly cannot, provide with regard to computer forensics and eDiscovery requests. With that information the customer organization should review its own computer forensics and eDiscovery processes and procedures and adapt them accordingly.
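One concrete piece of the “what can the provider give us” discussion is how a multi-tenant log export is reduced to evidence for a single customer without either leaking other tenants’ records or giving the investigator something whose integrity cannot later be shown. The following is an added example, not code from the book or from any provider: the JSON Lines export, its field names (`tenant`, `actor`, `action`) and the tenant names are constructed for illustration. It keeps only one tenant’s records, byte-for-byte and in export order, counts lines it could not parse rather than silently dropping them, and records a SHA-256 digest that can be recomputed when the bundle changes hands.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// SampleExport is a constructed multi-tenant audit-log export in JSON Lines
// form. Field names are assumptions for this example, not a real provider's.
const SampleExport = `{"ts":"2024-03-12T09:00:01Z","tenant":"acme","actor":"alice","action":"login","result":"ok"}
{"ts":"2024-03-12T09:00:05Z","tenant":"globex","actor":"bob","action":"login","result":"ok"}
{"ts":"2024-03-12T09:01:10Z","tenant":"acme","actor":"alice","action":"download","object":"hr/payroll.csv"}
not a json record - simulated export corruption
{"ts":"2024-03-12T09:02:00Z","tenant":"acme","actor":"svc-backup","action":"delete","object":"hr/payroll.csv"}
`

// Evidence is the tenant-scoped bundle handed to the investigator: the
// matching records verbatim, a count of unparseable lines (noted rather than
// silently dropped), and a digest recorded in the chain-of-custody log.
type Evidence struct {
	Tenant  string
	Records []string
	Skipped int
	SHA256  string
}

// digest hashes the records in order, one per line, so any reordering,
// edit, insertion or removal changes the value.
func digest(records []string) string {
	h := sha256.New()
	for _, rec := range records {
		h.Write([]byte(rec))
		h.Write([]byte{'\n'})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// ExtractTenantEvidence keeps only records belonging to one tenant, in export
// order and exactly as exported, so other customers' data never enters the
// evidence set and the investigator can later show nothing was altered.
func ExtractTenantEvidence(export, tenant string) Evidence {
	ev := Evidence{Tenant: tenant}
	sc := bufio.NewScanner(strings.NewReader(export))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		var rec struct {
			Tenant string `json:"tenant"`
		}
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			ev.Skipped++ // unparseable lines are counted so the gap is documented
			continue
		}
		if rec.Tenant != tenant {
			continue
		}
		ev.Records = append(ev.Records, line)
	}
	ev.SHA256 = digest(ev.Records)
	return ev
}

// Verify recomputes the digest over a bundle, e.g. when it passes from the
// provider to the customer's investigators or to outside counsel.
func Verify(ev Evidence) bool {
	return digest(ev.Records) == ev.SHA256
}

func main() {
	ev := ExtractTenantEvidence(SampleExport, "acme")
	fmt.Printf("tenant=%s records=%d skipped=%d sha256=%s\n",
		ev.Tenant, len(ev.Records), ev.Skipped, ev.SHA256)
	for _, r := range ev.Records {
		fmt.Println(r)
	}
	ev.Records[0] += " " // a single-byte change is enough to break verification
	fmt.Println("verifies after modification:", Verify(ev))
}
```

The digest here covers only the extracted records; in practice the investigator would also record the digest of the complete export as received, so that the extraction itself can be repeated and checked by another party.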
The Cloud Security Alliance’s research group on Incident Management and Forensics[36] is looking to develop guidelines on Best Practices for Incident Handling and Forensics in a Cloud Environment.
Data Migration
Migrating data into a Cloud Service Provider’s environment can be a time-consuming task. Data may have to be reformatted or restructured to fit in with the architecture of the Cloud Service Provider. However, once this has been completed many organizations enjoy the benefits of managing and processing their data using the power of the cloud. Customer organizations should ensure, though, that when they first engage with a Cloud Service Provider they clearly understand and agree how their data can be migrated away from the provider in the event that the provider ceases trading, is taken over by another service provider, or the customer organization decides to engage with a competitor providing a similar service. It is important that the customer organization takes these steps to ensure it does not get “locked in” to the service provider simply because it cannot retrieve its data in a timely and secure manner.
The customer organization should familiarize itself, and be satisfied, with the data migration policy of the Cloud Service Provider. A key thing the customer organization should consider is what format the data will take should it decide to migrate away from a service provider. Will the data be returned as a flat text file, a CSV file, or in a structured file format? Each of these formats has implications for how easy it is to migrate the data to another platform. In addition the customer organization should ensure the Cloud Service Provider securely erases all data that no longer needs to be stored with that provider.
Technical Controls
Technical controls are key to protecting data in the cloud. It is important to note that many of the technical controls for the cloud are the same as those used in traditional IT environments. This is because, even though the cloud is a relatively new evolution of how data is managed, stored, and processed, the threats that face traditional systems, such as viruses, hacking, and spam, are just as relevant to the cloud.
Different implementations of technical controls will provide different levels of effectiveness. Also some providers may employ alternative controls in place of those expected by the customer organization. When engaging with a Cloud Service Provider customer organizations should use their risk assessment to ensure the controls provided by the Cloud Service Provider are adequate for the customer organization’s needs.
The Cloud Security Alliance’s Security Guidance for Critical Areas of Cloud Computing provides excellent details of what security controls should be implemented based on the customer organization’s needs and the type of cloud provider platform.
The core controls that a customer organization should ensure are in place are as follows.
Backups
Customer organizations should not assume that simply because their data is stored in the cloud there is no reason to worry about backing it up. Data can be deleted, lost, corrupted, or destroyed whether it is stored on traditional or cloud systems. When engaging with a Cloud Service Provider it is important to determine how the customer organization’s data is backed up,
where is it backed up to (bearing in mind any compliance requirements), how the backups are secured, and how the backups can be accessed. It is also important to determine how long backups are held for and indeed the time taken to restore either all of the data or individual files. This information will be key to the customer organization as it adjusts its business continuity and disaster recovery plans to take into account the adoption of cloud services.
Secure Deletion
Data when deleted from disks is never fully deleted. Instead references to where that data is stored are removed so the operating system knows it can overwrite those areas. As such many data recovery and forensic tools can easily restore any deleted data. As data stored in the cloud can be located across different disks, across different systems, and across different data centers, it is important that the customer organization knows when data is deleted it is done so in a way to prevent it from being recovered. This is important in situations where customers are migrating from one service provider to another and need to ensure their data are properly and securely removed from the previous provider.
Secure Development
Engaging with the cloud in many cases involves accessing services, data, and systems via an interface or application. The complexity of these applications will depend on the cloud platform. In the IaaS platform, it may simply be a control panel, whereas in the SaaS environment it will be a full blown application. It is important therefore that the customer organization has assurances that these applications, interfaces, and control panels have been developed in a secure manner and that security is built into the development cycle as early as possible.
When engaging with a Cloud Service Provider customer organizations should get visibility into how security has been built into the Software Development Lifecycle (SDLC). It should seek assurances from the provider that their development team has regular training in developing secure code. The provider should also be conducting secure code reviews of their software to identify any potential security bugs in their code. Another area to be examined by the customer organization is to see how often the provider conducts threat tree analysis against their systems. Finally, the customer organization should determine from the Cloud Service Provider what the provider’s policies are regarding identifying vulnerabilities in its code, patching those vulnerabilities, and how it keeps customers abreast of these issues.
The customer organization should also discover what secure coding principles the Cloud Service Provider is using. There are a number of guides that are easily available for organizations to incorporate into their SDLC, such as
▪ The Open Web Application Security Project (OWASP) Top 10 Project [37];
▪ The Open Web Application Security Project (OWASP) Cloud Top 10 Security Risks [38];
▪ SANS Top 25 Most Dangerous Software Errors [39]; and
▪ SAFECode’s Practices for Secure Development of Cloud Applications [40].
Data Encryption
One of the most effective security controls when engaging with the cloud is to implement encryption both when the data is at rest and when it is in transit. Customer organizations need to ensure that any data transmitted to and from the Cloud Service Provider is encrypted. This could be either by employing SSL to encrypt traffic as it traverses the Internet or by using a VPN to connect to the provider.
When data is stored (at rest) on the Cloud Service Provider’s systems it should also be encrypted. It is important to understand what encryption algorithms the Cloud Service Provider employs for this. Ideally the encryption algorithms should be industry standard and peer reviewed. Should the Cloud Service Provider offer its own in-house developed solution, this should be a cause for concern.
Encrypting data is not just about the algorithms used but also about how the keys used to encrypt and decrypt that data are managed. In a cloud environment, it is important that the customer organization considers whether it needs to retain sole access to the keys so that the provider cannot access them. It is important to note that if the cloud provider does not have access to the keys (i.e., to the plaintext data), it is going to be limited in what functionality (value) it can deliver (except when using homomorphic encryption in certain use cases).
Should the provider have access to the keys then it is possible the provider can also then use these keys to decrypt the data. Ideally any encryption solution should only be managed by the customer organization with the provider having no ability to generate its own keys or modify those of others.
Denial of Service Attack Mitigation
In recent years we have seen an increase in the use of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks against various organizations. A DoS attack is one in which attackers send so much traffic to the targeted systems that those systems can no longer provide the service to legitimate users. Customer organizations should determine what mitigation tools and services the Cloud Service Provider has in place, not just to protect the provider’s own service, but also the instances of the service used by the customer.
Security Monitoring
Recognizing that suspicious activity is occurring against systems is key to being able to respond quickly and effectively. Logs provide security teams with the ability to identify potential attacks, be alerted to ongoing attacks, and investigate an attack after the fact. In a traditional IT environment, it is possible to implement monitoring of security and other relevant logs. However, it is not as straightforward in a cloud environment. To determine how effective a customer organization’s incident detection and response will be in the cloud, the organization needs to determine what visibility it will have into logs.
It may be the case that the organization will not have direct access to the logs and will have to rely on the Cloud Service Provider’s security team to monitor the services and report any suspicious activity to the customer. In this case, it is important that the customer organization ensures this activity is included and managed within the SLA.
Should the Cloud Service Provider allow access to the logs for the customer then the customer needs to determine
▪ The level of access they can have to the logs. Will it be direct access or via an API?
▪ How the customer’s log data is isolated from other customers’ log data.
▪ How the customer will monitor those logs.
▪ The devices, such as firewalls, routers, servers, and switches, which should be configured to record events.
▪ The events that should be recorded for each type of system or component on the service.
▪ Where events should be stored. Will they be stored on systems within the provider’s environment or will the customer store the events on their own premises?
▪ The retention policy for event logs and their details.
▪ How alerts are created for certain events, event patterns, or combinations of events.
▪ What tools and utilities are implemented to monitor for these events.
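Two of the points above, isolating one customer’s log data from another’s and raising alerts on a pattern of events rather than a single event, can be illustrated with a small detector. The code below is an added example, not part of the original text or of any provider’s tooling; the log format, tenant names, and addresses are constructed for illustration. It flags a source that accumulates repeated failed control-panel logins within a sliding window and then succeeds, while only ever processing events tagged with the requesting tenant.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of control-panel authentication events in a
# hypothetical key=value format (not any real provider's log schema).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z tenant=acme event=login result=FAIL user=admin src=203.0.113.7
2023-05-01T10:00:05Z tenant=acme event=login result=FAIL user=admin src=203.0.113.7
2023-05-01T10:00:09Z tenant=acme event=login result=FAIL user=admin src=203.0.113.7
2023-05-01T10:00:14Z tenant=acme event=login result=FAIL user=admin src=203.0.113.7
2023-05-01T10:00:20Z tenant=acme event=login result=FAIL user=admin src=203.0.113.7
2023-05-01T10:00:31Z tenant=acme event=login result=OK user=admin src=203.0.113.7
2023-05-01T10:01:00Z tenant=other event=login result=FAIL user=bob src=198.51.100.9
2023-05-01T10:02:00Z tenant=acme event=login result=OK user=alice src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    """Parse one log line; unparseable lines are skipped rather than fatal."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_brute_force(log_text, tenant, threshold=5, window=timedelta(minutes=5)):
    """Alert when a (user, source) pair has `threshold` failed logins inside
    `window` and then logs in successfully. Only `tenant`'s events are read."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["tenant"] != tenant or rec["event"] != "login":
            continue   # tenant filter: never evaluate another customer's events
        q = failures[(rec["user"], rec["src"])]
        while q and rec["ts"] - q[0] > window:
            q.popleft()   # drop failures that fell outside the sliding window
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
        elif rec["result"] == "OK" and len(q) >= threshold:
            alerts.append({"user": rec["user"], "src": rec["src"],
                           "failures": len(q), "at": rec["ts"].isoformat()})
            q.clear()
    return alerts
```

Running `detect_brute_force(SAMPLE_LOG, "acme")` yields one alert for the admin account, while the same query for tenant `other` yields nothing even though that tenant's events sit in the same stream.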
Firewalls
Firewalls are security devices used to manage network traffic between two networks. In most cases firewalls are configured to allow only certain traffic through and to deny all other traffic. While it would be expected that a Cloud Service Provider would have firewalls in place, the customer organization should familiarize itself with the types of firewalls the provider employs and whether or not they satisfy the risk profile of the customer organization. Areas to consider are
▪ Is the firewall dedicated to the customer or shared with other clients?
▪ How often are the firewall rules reviewed to ensure they are still applicable and required?
▪ Are changes to the firewall rules reviewed to ensure they do not conflict with other rules for the customer or indeed with other customers’ rules?
▪ How often are the latest software patches and security updates installed on the firewall?
▪ Are they regularly tested to ensure that they provide the level of security required?
▪ How often are the firewall configurations reviewed to ensure they are still applicable and appropriate?
▪ Are the firewalls monitored for security alerts?
▪ Are Web Application Firewalls in place or available for use by the customer?
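The rule-review questions above are easiest to answer with tooling rather than by eye. The following is an added example, not from the original text or any firewall vendor: a first-match rule set (syntax constructed for illustration) is checked for rules that an earlier rule already fully covers, so they can never match. A shadowed rule whose action differs from the rule shadowing it is exactly the kind of conflict a change review should catch.

```python
import ipaddress

# Constructed ordered rule set, evaluated first-match (hypothetical syntax):
# (action, protocol, source CIDR, destination CIDR, (low port, high port))
RULES = [
    ("allow", "tcp", "10.0.0.0/8",      "192.0.2.10/32", (443, 443)),
    ("deny",  "tcp", "10.1.0.0/16",     "192.0.2.10/32", (443, 443)),  # shadowed by 0
    ("allow", "tcp", "0.0.0.0/0",       "192.0.2.0/24",  (80, 80)),
    ("allow", "tcp", "198.51.100.0/24", "192.0.2.20/32", (80, 80)),    # shadowed by 2
    ("deny",  "udp", "0.0.0.0/0",       "192.0.2.0/24",  (1, 65535)),
    ("allow", "udp", "203.0.113.0/24",  "192.0.2.5/32",  (53, 53)),    # shadowed by 4
    ("allow", "tcp", "10.0.0.0/8",      "192.0.2.0/24",  (22, 22)),    # reachable
]

def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer[1] != "any" and outer[1] != inner[1]:
        return False
    if not ipaddress.ip_network(inner[2]).subnet_of(ipaddress.ip_network(outer[2])):
        return False
    if not ipaddress.ip_network(inner[3]).subnet_of(ipaddress.ip_network(outer[3])):
        return False
    return outer[4][0] <= inner[4][0] and inner[4][1] <= outer[4][1]

def find_shadowed(rules):
    """Return (shadowed index, shadowing index, actions_differ) for each rule
    that can never match under first-match semantics. actions_differ=True is
    the dangerous case: the rule looks like it enforces something it does not."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, j, rules[j][0] != rule[0]))
                break
    return findings
```

`find_shadowed(RULES)` reports rules 1, 3 and 5 as unreachable; rules 1 and 5 are the ones a reviewer should block, since their deny or allow intent is silently overridden.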
Intrusion Detection Systems
While the Cloud Service Provider should have mechanisms in place to detect threats such as computer viruses, it should also have mechanisms in place to detect malicious or suspicious network traffic, such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). An IDS can monitor network traffic for suspicious activity that may indicate an attack is taking place and raise an alert should it do so. An IPS is similar to an IDS, with the additional ability to automatically launch a number of prescribed actions to react to and prevent the attack.
Customer organizations should determine if the risk profile requires the Cloud Service Provider to have an IDS or IPS in place.