Security pros have a lot on their plate dealing with all the breaches and vulnerabilities thrown at them every day. And with more people working remotely during the pandemic, there’s been a push to the cloud, which has forced them to rethink their basic networking and security architectures.
So what should security teams prioritize when they decide to make that move and start considering new cloud providers?
During the RSA Conference's Cloud Security Summit this week, three speakers noted top priorities when making the transition, all tied to establishing expectations of a cloud service provider up front, and ensuring in writing that the provider can and will adhere to specific standards for maintaining and securing data.
One issue to consider at the outset is the cloud provider's own infrastructure. Randy Vickers, chief information security officer for the U.S. House of Representatives, said large companies such as Google, Amazon Web Services, and Oracle have a deep bench for software development. They can maintain patches and upgrades and have security teams to make sure the customer’s cloud environment remains secure. They can also provide customers with information on that environment.
But what happens when security teams look at smaller CSPs? Do they have that depth of knowledge? Do they have that depth of experience to maintain the service that the customer pays for? What happens if the smaller provider gets bought? Are they so small that they can’t maintain the resiliency and redundancy the customer needs to run its business processes?
“It’s crucial to understanding the fitness of the CSP to assess future risk,” Vickers said, advising security teams to find out if that company will be around and remain as a partner in years to come. “If they are bought, you have to react quickly. Ask if you can get your data back.”
Security teams also need to focus on standards and reporting. Vickers said companies can start by consulting with the NIST 800-53 standards. The General Services Administration has developed the Federal Risk and Management program to help manage the NIST controls. Other standards to consider are the Center for Internet Security (CIS) Controls, FedRAMP, and the Cloud Security Alliance’s Cloud Controls Matrix (CCM).
Mark Houpt, chief information security officer at DataBank Holdings, said security teams should look for a CSP to deliver audit reports, completed questionnaires, and general audit support to the customer.
“When a business places their data into the cloud or physical assets into a data center not owned by the business, maintaining a well-rounded audit program can be difficult,” said Houpt. “But audits and the ability to audit are essential to sound business practices.”
Security teams should make sure that the CSP can provide such audit reports as an SSAE18 SOC2, an annual report on how the provider manages and operates the data center and cloud. Customers can also ask for HIPAA, PCI-DSS, FedRAMP, and FISMA reports and should also expect a completed Consensus Assessment Initiative Questionnaire (CAIQ) or something similar.
There are other considerations, such as managing data repositories more efficiently, said Stacy Halota, vice president of information security and privacy at Graham Holdings, formerly the Washington Post Company.
“When I move to a new cloud vendor I always ask: how can we reduce our footprint? That could be by purging unneeded data, encryption, archiving, anonymizing data, basically doing something different,” Halota said. “With the cloud, there are many opportunities that weren’t available to us before.”
Halota added that security teams need to take advantage of the automation opportunities the cloud presents, such as automating data masking and compliance controls and updating disaster recovery with more flexibility in the cloud.
Companies sometimes “have too many manual controls, where they are replicating some legacy controls into the cloud environment and not taking advantage of automation,” she said.
Vickers of the U.S. House of Representatives added that security teams also have to recognize that when their company establishes a connection to a CSP, they have to evaluate whether they need to change the networking architecture. Does the company have to make DNS, firewall, or routing changes to make sure data can cleanly get from on-prem systems to the CSP?
“Some CSPs have dedicated links,” Vickers said. “Some require companies to put in special VPNs. Knowing that up front as part of the review will help you determine how best to implement a cloud service or which one you select. Ensuring clean connectivity will reduce risk so there’s less of a chance for outages.”
DataBank’s Houpt said that security teams also need to ask for a Responsibility Assignment Matrix, also known as RACI. This document clearly defines the provider’s responsibility, the customer’s responsibility, and what gets shared.
“Here’s where both sides get down in the weeds on technical topics,” Houpt said. “For example, does the customer provide a firewall or does the provider? If it’s the provider, does it operate in a shared environment? Does the customer take care of reviewing logs and firewall rules and the provider take care of the OS?” Houpt said all of these issues must get worked out, and that requires both sides to sit down and talk through the technical details.
Finally, Vickers said the CSP will have terms and conditions, as all businesses do. That’s why security teams have to work closely with the legal team to find out the answers to important questions, such as: What happens if data gets lost? What happens if there’s an incident? What happens if you want to terminate the relationship? Does money have to be paid if they don’t meet the standard of quality? “These are all the questions that need to go through the legal department before a contract gets signed,” said Vickers.
Graham Holdings’ Halota said companies moving forward with a cloud migration should start by developing a cloud strategy. Companies also need to build security and privacy in from the get-go rather than trying to layer automation on at the end. And they should follow a framework, like the Cloud Security Alliance’s CCM.
“Companies also need a continuous process for evaluating and improving,” Halota said. “There are features that are released all the time, so we make sure that we’re taking advantage of everything we can from an information security and privacy perspective.”