How to Evaluate Cloud Security What to consider when selecting a cloud vendor Donny C. Shimamoto - March 10, 2015 Cloud security continues to be one of the greatest concerns of anyone considering putting any type of data into the cloud or a mobile app. Make that data your donor, constituent, health care-related, or financial data, and cloud security jumps to be the number one criterion on most organizations' vendor selection list — or at least it should be. Continued increases in the incidence and sophistication of cyber attacks should have any reasonable person cautiously paranoid about who could get access to data in the cloud. Editor's note: This article is part 2 of 2 on cloud security. Don't miss part 1 of the series.When considering whether to switch to a cloud application or service provider ("cloud vendor"), people usually have one of two positions:Questioning and skeptical: How secure are these cloud applications and systems? Can I really trust these vendors? Is my data truly secure? How do I know for sure?Assumed competence: These people are experts. They're more technical than I am, so they should be better at this security than I am … right?Which position is correct? Actually, both are correct. The key when selecting a cloud vendor is to start with the assumption of competence, but remain skeptical and ask questions to obtain evidence that your assumption is true. In other words, you need to do good due diligence as you select your vendor.Cloud Security Considerations for Due DiligenceCloud security has both technical and procedural aspects that are often taken care of by the cloud vendor's information security infrastructure (the vendor's responsibility), and technical and procedural aspects that rely upon proper configuration and training in your organization (your responsibility). Cloud security isn't effective unless both parties fulfill both responsibilities. As part of the due diligence process, you need to get an understanding of what the cloud vendor is doing to meet its responsibilities, and also what you need to do to meet your responsibilities.Your data can also be subject to confidentiality or privacy requirements, including privacy requirements from multiple jurisdictions. It's important for you to identify which data is subject to which requirements so that you can ensure that your organization is appropriately securing the data — and communicating the requirements to cloud vendors when that data will be entrusted to them.How to Evaluate Technical Security in the CloudTechnical security measures are built in, configured, or implemented as part of the cloud vendor's technical infrastructure (network, servers, platform, databases, and applications). If you think of the technical infrastructure as a physical building, then these measures are equivalent to ensuring that the building has the proper physical security measures in place: doors have been made of appropriate strength materials and have the appropriate types of locks, sensitive areas like electrical and network closets have been extremely well secured, and so forth.There is secure configuration guidance published for most of the commonly used infrastructure component manufacturers. You want to check that the vendor's infrastructure is based on commonly used manufacturers. Commonly used manufacturers are often usually more proactive about updating their products to patch security holes and other vulnerabilities as they are identified.Sometimes vendors may use components that are less common as part of their "competitive differentiation" strategy. In that case, check that the vendor's staff has the technical security expertise to ensure that a secure configuration was developed properly.Once an infrastructure is secured, vendors need to ensure that changes to the infrastructure components and their configuration don't open up a security hole. So the next thing you want to ask about is what policies and procedures the vendor has in place to manage changes. The vendor should explain to you in plain English how it manages changes. Make sure you understand:How the need for a change is identified and prioritizedHow the required change is determined — what actual programming or configuration change is neededHow the change is tested (usually not in the production environment) to ensure that it doesn't impact operations or securityHow a tested change is approved to move into the production environmentOf the above, the testing and approval of changes are key steps to ensuring the security of the infrastructure. If programming is involved, the best practice is that programmers don't have direct access to the production environment — this ensures that they can't sneak in any changes without proper testing and authorization.Technical Security Considerations — Major VendorsWhen using a major vendor like Google, Microsoft, or Salesforce, you can generally assume the vendor has taken care of the majority of technical security concerns. For these vendors that are so well-known, the press would jump on any perceived problem in a heartbeat, and the vendors wouldn't want to risk that damage to their reputations. With major vendors, a large volume of customers would also be affected if something did occur, so good technical security is usually a safe assumption.If you still want to do due diligence, many major vendors have published descriptions of their management processes and technical measures. Another resource to check may be the Cloud Security Alliance, which has a framework that it is encouraging vendors to adopt for publishing security information. Your last option is to ask the vendor for a Service Organization Controls (SOC) report covering security and privacy.Data Security Considerations for Confidentiality Security of data has technical and procedural aspects that need to be addressed too. Continuing the building analogy, if the infrastructure is the building itself, then the data is all of the stuff inside the building: desks, chairs, filing cabinets, and so on. Just as different offices in the building may have better locks or additional security measures because they have more sensitive files or valuable items, you may want to secure different sets of your data differently. This is often called logical access security or user access rights.When entrusting data to cloud vendors, you need to understand what facilities they provide to separate different sets of data and how you designate who has access to each set of data. This may be as simple as saving data files into different cloud folders and being able to control who has access to the folders, or being able to control which users have access to different modules in a cloud application and verifying that access to data in those modules is also tied to those user access rights.The vendor should be able to explain and show you:The different areas where data may be stored and how they are logically separatedHow you can control who has access to each of the areasHow you can control which users have access to which modules and functionalityWhether the vendor provides any logging of who has accessed or tried to access particular areas, modules, or functionsAlso ask which of the areas (if any) the vendor's staff members are able to access as part of their regular system maintenance or operational duties. For example, data files uploaded to a vendor's application may be stored within a database or written to the file system on the server. If data is stored on the server's file system, it's easy for the server administration staff (or someone with hacked user or administrator access) to access the files, so you may want to understand what the vendor does to prevent this potential type of abuse.Additional Data Security Considerations for PrivacyWhen dealing with data subject to privacy compliance, additional requirements often come into play. The additional requirements will vary depending on the privacy standards that you need to comply with, but all of them build upon the considerations already provided above.For example, HIPAA (the Health Insurance Portability and Accountability Act) requires that organizations obtain Business Associates Agreements from their cloud vendors that will be handling or have access to health care data. These agreements explicitly state that each vendor must comply with HIPAA provisions, and by signing the agreement, the vendor asserts that it is in full compliance with the provisions. HIPAA also requires that staff have a "business need to know" to access health care data and requires that the organization be able to identify when staff may have violated this principle — a higher bar than standard user access security.The Payment Card Industry Data Security Standard (PCI DSS) also raises the bar for data security. It has specific provisions for what credit card data can be stored, how it's encrypted when it's stored, how it's encrypted if it's transmitted, and how you dispose of the data or any media (for example, USB drives or backup tapes) that credit card data may have been saved on.PCI DSS also has a vendor certification program and requires that you use only certified vendors for processing and handling of credit card data. To obtain certification, vendors must go through a PCI audit to prove their compliance with the PCI DSS provisions.Due Diligence Is Essential for Cloud SecurityCloud vendors are often more thorough and advanced in their information security practices than the vast majority of small to mid-sized organizations, but you can't just assume that they are up to par. Take the time to understand their security measures as part of your due diligence process.Remember that the best time to ask all the questions and communicate requirements is in the vendor selection process. That is when the vendor wants to earn your business and it will be most responsive to your requests for information.Cloud security considerations are an important part of evaluating vendors — and failure to meet minimum information security standards is often grounds for automatic disqualification. Once you explain that to salespeople, they usually quickly become very interested in getting you the information that you need. If they aren't willing to provide the information, then you have to wonder what they may be trying to hide.And what if you already have hired the vendor? Go back and perform due diligence and evaluate the vendor's cloud security. In fact, a best practice is to annually update your due diligence to ensure that there haven't been changes in a vendor's security practices or staffing that may negatively impact its ability to secure your data. If you get resistance, the contract renewal point is another good point where the vendor has an incentive to provide you with the information you need.Good due diligence, especially as part of vendor selection, is key to ensuring your data is secure in the cloud. Take the time to do it right — protect your organization's reputation and reduce the risk of fines and penalties.Learn MoreDonny Shimamoto welcomes questions, comments, and feedback via email at firstname.lastname@example.org, or reach him by phone at (866) 737-9991 ext. 200. This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.