Moving to the cloud has become a natural first step for organizations looking to improve application delivery, performance and costs, yet in the back of every executive's mind is the question of whether the cloud is actually secure.
It need not be the blocker. Provided you spend the time choosing the right architecture and security options and vetting your proposed vendors, a cloud deployment can be at least as secure as one in your own data center.
Security as a Forethought
No matter where you deploy your applications, security must be a forethought. You need to be sure to build security into everything you do and plan for, but you don’t have to do it alone.
We have always looked to experts to fill the skill gaps we cannot cover ourselves, and security is one of the areas that requires significant expertise. When thinking about your own organization, you likely have many strong capabilities, but you also need to identify your gaps and fill them, whether through hiring, partnering or enlisting outside help.
You also don't need to fill an entire capability area through a single person, department or entity. Instead, treat it as a set of responsibilities, each of which can be filled by different people, as long as you break the responsibilities up in a logical manner and each one has a clear owner.
Layers of Protection Across Systems
Security layers run from the physical data center up through network, operating system and application. Within each of these layers, you can further break down the required capabilities and assign an owner to each, so that everything is covered by the people who know it best. A representative set of controls per layer:
Physical Security
- Multi-factor physical access to all facilities
- Triple-factor biometric access to all data centers
- 24-hour facility monitoring, security and cameras
- Regular review of all security procedures
Administrative Access
- Dual-factor authentication
- Secure administrative portal
- Administrative audit trail
- SSAE-16 and SOC 3 reporting
Network Security
- Intrusion Detection Systems (IDS)
- Intrusion Prevention Systems (IPS)
- Denial of Service (DoS/DDoS) protection and mitigation
- Best-practice edge IP filtering
- Dual-factor authentication
- Vulnerability scanning (internal and external)
- Vulnerability monitoring
- Virtual Private Networks (VPN), including site-to-site
- SSL VPN
Operating System Security
- Hardened operating systems
- Managed OS patches and updates
- Virus and malware protection
- File Integrity Monitoring (FIM)
- Security Information and Event Management (SIEM)
Application and Database Security
- Web Application Firewall (WAF)
- SSL/TLS certificates
- Application security scanning
- Database and backup encryption
- Proactive policy updates
- Application and database vulnerability remediation
Security in the Cloud
Now think about the expertise you have and the expertise you need. Factor in the need for a team focusing on security 100 percent of the time, day or night. Not only are they looking at your systems, but they are gaining insights and experience from other companies by looking at hundreds of systems across industries and technologies.
That is what a good cloud provider should have. They focus on securing your environment because a breach could put not only them out of business but many of their clients as well. They have trained experts who live and breathe security, focusing not just on what security means but on how to implement rules for prevention and how to respond when an attack occurs.
Security Capabilities to Look for in a Cloud Provider
When looking for a cloud provider, you need to ensure that they understand security and have the full set of capabilities in place to augment your team. Remember, the cloud provider can bring expertise you don't have and should work as an extension of your team.
The provider should bring capabilities that fill the gaps in your organization's security knowledge and ability, along with the deep expertise that comes from running a dedicated security practice. They should:
- Have a Security Operations Center (SOC), staffed with people around the clock to protect your systems and deal with any concerns that may come up at any time.
- Bring strong technology partnerships with them to provide security technologies that are not built in-house.
- Help you to design your architecture to be secure, including making proactive recommendations for different software and hardware solutions.
- Determine firewall rules and settings, and work with you to understand the unique requirements defined by your application.
- Provide 24x7x365 monitoring, because you never know when an attack may occur.
- Supply automated patching of operating systems and other key components of your systems.
- Have audit experts ready to work with your team if you are undergoing, or preparing to undergo, a security audit.
- Be willing to sign a Business Associate Agreement (BAA). A BAA is a contract between a HIPAA covered entity and a HIPAA business associate (BA) that obligates the BA to safeguard protected health information (PHI) in accordance with the HIPAA Privacy and Security Rules. Any provider that will store or process PHI on your behalf is a business associate and must sign one before that data is handed over.
The provider should also undergo audits of their own to ensure that both their data centers and their internal processes are secure, and meet different regulatory requirements. These may include:
- AICPA SOC 3: SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality or privacy.
- PCI DSS Compliance: Service providers that store, process or transmit cardholder data on your behalf must demonstrate PCI DSS compliance, and validation is required every 12 months. Card brands such as Visa maintain registries of validated service providers; inclusion on a registry indicates that the provider successfully validated compliance through an on-site assessment, based on the report of an independent Qualified Security Assessor (QSA). Ask for the provider's current Attestation of Compliance (AOC) and check that the services you intend to use fall within its scope, rather than relying on a registry listing alone.
- TRUSTe: TRUSTe powers trust by ensuring businesses adhere to privacy best practices regarding the collection and use of personal information on their websites and apps. If you see the TRUSTe Certified Privacy Seal on a website or app, the company operating that property has met the comprehensive privacy certification requirements established by TRUSTe.
The cloud can be secure, and the right provider can help make your systems more secure than they would have been in your own data center. The right providers bring expertise and experience that a single person within your company may not have, and they see security risks every day by working with many companies and systems. Just as you live and breathe your business, they do the same for security.
When choosing a provider, look at their security policies, the capabilities they provide, their certifications and the role they will play in securing your application. The application is yours and you will ultimately be held responsible for it, so get the division of responsibility in writing: which controls the provider operates, which you operate, and which you share. A provider that shares that responsibility, brings added expertise and guides you to a more secure environment will put you well ahead of the game.