I’ve received a lot of questions lately about security in the Cloud and what CTOs should be considering when they evaluate it. Here’s my advice: treat the Cloud like an extension of your corporate or production network. Don’t hold it to a lower standard on the assumption that your cloud provider knows more than you.
If you have requirements that you can’t get in your Cloud solution, make sure that not getting those requirements constitutes an acceptable risk or tradeoff. In evaluating a Cloud provider, here are some critical questions to ask:
1. What is the Authentication and Authorization required for access into the Cloud account?
- Many cloud providers will provide a way to authenticate into the Cloud, but how will this integrate with the identity solution currently used?
- For these Cloud accounts, how will group-based auth be used? Can you have security groups like you do today?
- Any good security policy has the philosophy of separation of roles. Make sure roles, access, and accounts can be separated effectively when using the Cloud.
2. When you’re using the Cloud, ask yourself the question: “where is my data?”
- Do you know? Does your provider know?
- If there are geo restrictions on the location of the data, is the data within these restrictions? For EU companies, is the data in the EU or in a Safe Harbor country or is it elsewhere?
3. What are some of the steps a network admin should take to secure the Cloud, and what are the reasons behind these steps?
- Understand access controls and restrictions.
- Understand IP restrictions and policies. Where can these policies be applied and how? Who has the ability to audit these policies?
- Who has access to view these restrictions?
- In the event of a security compromise, how will one find out what happened? Audit logs, IP logs?
- For Cloud APIs, how are these secured? HMAC? Certificate-based authentication?
- Always evaluate where credentials are stored. Can these be compromised?
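To make the HMAC question above concrete, here is an added example (not from the original post or from any provider's SDK) of how an HMAC-signed API request is produced by a client and checked by a server, including rejection of tampered and stale requests. The canonical request layout, the 300-second freshness window, the secret and the `/v1/objects` path are all assumptions made for the illustration.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # assumed freshness window; not from the article


def canonical_request(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Build the byte string both sides sign (hypothetical layout)."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical_request(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, method: str, path: str, timestamp: int,
           body: bytes, signature: str, now: int) -> str:
    """Server side: returns 'ok', 'stale' or 'bad-signature'."""
    # Reject old or future-dated requests so a captured one cannot be replayed later.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return "stale"
    expected = sign(secret, method, path, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    return "ok"


def demo() -> dict:
    """Run the check over constructed sample requests."""
    secret = b"constructed-demo-secret"  # constructed value, never a real key
    ts = 1_700_000_000
    body = b'{"bucket": "reports"}'
    sig = sign(secret, "POST", "/v1/objects", ts, body)
    args = ("POST", "/v1/objects", ts)
    return {
        "valid": verify(secret, *args, body, sig, now=ts + 10),
        "tampered_body": verify(secret, *args, b'{"bucket": "other"}', sig, now=ts + 10),
        "replayed_late": verify(secret, *args, body, sig, now=ts + 3600),
        "wrong_key": verify(b"other-secret", *args, body, sig, now=ts + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The shared secret in a scheme like this is exactly the kind of credential the last question is about: whoever can read it from where it is stored can sign requests as you.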
It depends on the level of security your company is seeking, but it’s imperative that the Cloud has a layer of security to protect users and the content they store. Cloud providers use two-factor authentication to protect data and accounts from being compromised. Read more about two-factor authentication and how it can protect your Cloud users.