Who’s in Charge of Protecting Your Cloud?

Originally published at: http://www.sitepoint.com/protecting-your-cloud/

Imagine you’re the owner of a brand new app or software program, built atop one of today’s most common and popular cloud technologies, and you’re happy to let your provider handle day-to-day maintenance and security.

The advent of full-service cloud providers makes your job easier, but there might be one question that still bothers you: How secure is my data in the cloud and who is responsible for protecting it?

If a security-related incident happens, who will be responsible for addressing the consequences? In the majority of cases, the answer is you, not your Cloud Service Provider (CSP), as some might think.

The first, and most important, concept to understand is that for cloud-based systems, responsibility is shared between you, as the owner of your application, and the CSP that owns the layers beneath it. Depending on the service model (IaaS, PaaS or SaaS), the zones of responsibility are divided differently between you as the Application Owner and the Cloud Service Provider: with IaaS you still own the operating system, patching and everything above it; with SaaS the provider owns almost everything except your data, your users and how you configure access to them. In any case, you should understand how the data is protected, even at layers beyond your direct control.

The good news is that most CSPs are well-versed in security, but that doesn’t mean you shouldn’t ask them what has actually been done to mitigate threats. Focus your questions on these four areas:

1. What Compliance Regulations Does Your CSP Conform To?

If you’re working within a highly regulated domain like Healthcare or Finance, you might already know all the certifications and attestation reports your CSP has, as you would need them as part of your own application audit. But even if you do not need to get certified yourself, requesting information on available reports from your CSP is a very good idea.

The most indicative reports I recommend looking for are the Service Organization Control reports (inquire about the so-called SOC 2 and SOC 3). SOC 3 is a publicly available, general-use summary of the security controls, while the SOC 2 report, which contains the detailed control descriptions and the auditor’s test results, is restricted and usually has to be requested on demand, typically under a non-disclosure agreement. Note that these are audit attestations covering a defined period and scope, not certifications, so check that the scope actually includes the services and regions you intend to use.

2. Do They Have Questionnaires and Certifications from the Cloud Security Alliance?

The CSA is a not-for-profit organization whose goal is to encourage and advocate best practices for security assurance within cloud computing. The CSA Consensus Assessments Initiative Questionnaire (CAIQ) provides the set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions that can be used for a wide range of purposes, including cloud provider selection and security evaluation. Since one of the goals of the CSA is to educate cloud consumers about security in the cloud, I would also highly encourage you to fill in the questionnaire yourself as a checklist to ensure that you’re protecting your own side of the shared-responsibility line effectively.

3. What Are Their Recommendations for Security Controls to Cover Your Zone of Responsibility?

As part of the cloud services provided by CSPs, there is usually a published set of best practices you can follow to use their services safely and most effectively. I highly recommend reviewing them and keeping all of the available mechanisms in mind when building the security architecture of your application. Within this area, it is also worth mentioning Security as a Service products delivered by third-party companies via a CSP marketplace. Such services usually provide a very useful and cost-effective way to add extra security layers to your application if your security requirements call for them; just remember that adding a third-party service does not move responsibility for the outcome away from you.

Continue reading this article on SitePoint
