A solid detailing of the service-level agreement (SLA) in your contract is extremely important because control no longer rests fully with your internal IT and security teams. If infrastructure unavailability, distributed denial-of-service (DDoS) attacks, vulnerabilities and other security incidents are not covered in the contract, you will have no proper contractual basis for penalties and fines in the case of a security incident.
Your supplier must align with you and detail in the contract the security architecture used in this environment. The supplier does not necessarily have to disclose the manufacturers of the products used, but it must ensure that elements such as a firewall segregating environments (Internet, operations, card data, etc.), antivirus solutions and intrusion detection solutions are in place.
Technological security is not restricted to firewalls. Your business partner, the one making the cloud solution available, must be prepared to protect the perimeter in the most effective way possible.
A cloud email solution should have the following:
A cloud application solution should have the following:
It is important to address segregation beyond the perimeter as well: between the application servers and the general database, between the general database and the credit card data, and between the operational environment and the server environment.
The provider's staff who work inside the data center should not be the same people who operate the system. This ensures that someone with direct physical access to the equipment does not necessarily have logical access to it. This measure reduces several potential problems, such as someone connecting an external hard drive and copying internal information, or directly accessing a server to manipulate its configuration files.
In the contract, the cloud solution provider should allow vulnerability analyses and properly scheduled ethical hacking to be performed on the environment. This sort of analysis should be done by a third-party company, hired by the supplier, that you have deemed credible.
It is important to agree with the provider on access to the environment's logs. It is necessary to see the full traceability of user and access-profile management: the creation, alteration and deletion of profiles and password changes, in addition to records of who performed certain critical transactions. This may be made available through a portal, for instance.
The provider must allow the use of log collectors to send logs to the correlation and log retention tools inside your company (on-premises). After that, it is the responsibility of the correlator to cross-reference these logs with other logs in order to identify possible security threats.
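The cross-referencing described above, as an added example that is not part of the original article: a small Go correlator that parses constructed provider audit lines (profile creation, password changes, critical transactions) and checks them against two pieces of on-premises context the provider does not have, an approved-administrator list and the HR roster of active employees. The JSON field names, action names and all sample data are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is the shape assumed here for one line of the provider's audit
// log. The field names are an assumption; real providers use their own schemas.
type AuditEvent struct {
	Time   string `json:"time"`
	Actor  string `json:"actor"`
	Action string `json:"action"` // profile_create, profile_delete, password_change, critical_tx
	Target string `json:"target"`
}

// providerLog is a constructed sample of provider audit lines (not real data).
const providerLog = `{"time":"2024-03-04T09:12:00Z","actor":"alice","action":"profile_create","target":"bob"}
{"time":"2024-03-04T22:40:00Z","actor":"mallory","action":"profile_create","target":"eve"}
{"time":"2024-03-04T22:41:00Z","actor":"eve","action":"critical_tx","target":"wire-transfer"}
{"time":"2024-03-05T10:00:00Z","actor":"carol","action":"password_change","target":"carol"}
{"time":"2024-03-05T10:05:00Z","actor":"carol","action":"critical_tx","target":"export-cardholder-data"}`

// Constructed on-premises context that the provider does not have: who may
// administer profiles, and whom HR still lists as an active employee.
var approvedAdmins = map[string]bool{"alice": true}
var activeEmployees = map[string]bool{"alice": true, "bob": true, "eve": true}

// Correlate parses the provider's audit log and cross-references it with the
// on-premises context, returning one alert string per suspicious event.
func Correlate(rawLog string, admins, active map[string]bool) ([]string, error) {
	var alerts []string
	// Profiles created by someone outside the approved admin group stay
	// suspect for the rest of the log: transactions by them are flagged too.
	suspectProfiles := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(rawLog), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("malformed audit line %q: %w", line, err)
		}
		if _, err := time.Parse(time.RFC3339, ev.Time); err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		switch ev.Action {
		case "profile_create", "profile_delete":
			if !admins[ev.Actor] {
				alerts = append(alerts, fmt.Sprintf("%s: %s on %s by unapproved actor %s",
					ev.Time, ev.Action, ev.Target, ev.Actor))
				if ev.Action == "profile_create" {
					suspectProfiles[ev.Target] = true
				}
			}
		case "critical_tx":
			if !active[ev.Actor] {
				alerts = append(alerts, fmt.Sprintf("%s: critical transaction %s by %s, who is not an active employee",
					ev.Time, ev.Target, ev.Actor))
			}
			if suspectProfiles[ev.Actor] {
				alerts = append(alerts, fmt.Sprintf("%s: critical transaction %s by %s, whose profile was created outside the approved process",
					ev.Time, ev.Target, ev.Actor))
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Correlate(providerLog, approvedAdmins, activeEmployees)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Println("ALERT", a)
	}
}
```

On the sample above the correlator raises three alerts: the profile created by an unapproved actor, the transaction performed by that profile, and the transaction by a user HR no longer lists as active. None of these can be detected from the provider's log alone, which is the point of bringing the logs on-premises.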
The provider must designate a person who is the bridge between security and the final client. This person is responsible for managing the security-related requests and problems that may arise and for organizing security reports for the contractor.
Basically, the management cycle of vulnerabilities, threats and risks must be aligned with the contractor's information security area so that the contracting company has control of the security risks without being kept in the dark. This is the most complicated aspect because suppliers typically do not feel comfortable sharing this information, which is why vulnerability analyses and ethical hacking are an essential part of determining security flaws.
In this case, it is recommended that the contract establishes how the supplier manages these points in order to ensure business continuity.
SAS 70 and newer, similar certifications relate to data centers, not necessarily to cloud solutions. Even though this sort of certification is mandatory for a data center, it is not enough to cover the other cloud computing items.
It is important to detail in the contract how information will be treated if the cloud service contract ends. It must be determined who is responsible for exporting and delivering the information and for destroying backups and residual data.
The methods used for the disposal of data, server storage and backup tapes related to your business must be established in the contract.
A cloud services provider may occasionally be legally required to hand over information; the requirements vary according to the laws of each country. It is necessary to establish a communication process with the contractor for such legal requirements, in which the contractor is advised whether the delivery of information is necessary.
The backup frequency must be agreed upon and set in the contract, and the backup storage must be in a safe place.
This aspect needs to be clearly established between the parties and documented in the contract. There are several segregation possibilities that might occur in a cloud solution environment, such as the following:
This is one of the major points of cloud security confidentiality because a code or infrastructure vulnerability may inappropriately expose data. Data segregation possibilities must be analyzed with the risk of information leakage in mind.
Your information is in a place operated by other people, outside of your control. Because of this, it is necessary to understand and detail in your contract how information leakage will be managed by the contractor. It can be an extremely restrictive environment in which operators cannot access the Internet or removable media (USB, CD, DVD, etc.), or an environment with a data loss prevention solution installed.
It is vital to detail in the contract how your DDoS prevention works and how the communication procedure works.
Basically, it is important to set in the contract where the data centers containing your cloud solution data will be located. This will influence which legal requirements must be met, according to the country.
This is one of the most important parts of cloud computing security because it is crucial to data confidentiality. The data should be encrypted, and the cryptographic keys should be in the hands of the contractor. If they are in the hands of the contracted provider, there is an increased risk of someone stealing and using them.
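One way to keep the keys in the contractor's hands while the data sits with the provider is envelope encryption. The Go program below is an added example, not code from the article: each record is encrypted under a fresh data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the contractor holds, and the provider stores just the ciphertext and the wrapped DEK. The type and function names, the demo KEK and the sample record are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is everything the provider holds for one record: the
// ciphertext and the data-encryption key (DEK) wrapped under the contractor's
// key-encryption key (KEK). Without the KEK neither field is usable.
type StoredRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// gcmSeal encrypts plaintext with AES-256-GCM and prefixes the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails on a wrong key or any tampering.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptForProvider runs on the contractor's side: generate a fresh DEK,
// encrypt the record with it, wrap the DEK under the KEK, and hand the
// provider only the result. The KEK never leaves the contractor.
func EncryptForProvider(kek, plaintext []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptWithKEK is the only way back to plaintext: unwrap the DEK with the
// contractor's KEK, then open the record. A party holding just the
// StoredRecord, or guessing a wrong KEK, gets an error rather than data.
func DecryptWithKEK(kek []byte, rec StoredRecord) ([]byte, error) {
	dek, err := gcmOpen(kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, rec.Ciphertext)
}

func main() {
	kek := bytes.Repeat([]byte{0x11}, 32) // constructed demo KEK; generate a random one in practice
	rec, err := EncryptForProvider(kek, []byte("cardholder record (constructed sample)"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if _, err := DecryptWithKEK(bytes.Repeat([]byte{0x22}, 32), rec); err != nil {
		fmt.Println("provider without the KEK:", err)
	}
	pt, _ := DecryptWithKEK(kek, rec)
	fmt.Println("contractor with the KEK:", string(pt))
}
```

The design choice to note is that losing the KEK means losing all records, so the contractor's key management (backup, rotation, hardware protection) becomes the critical control; rotating the KEK only requires re-wrapping the DEKs, not re-encrypting the data. In production, wrapping would normally be delegated to an HSM or a customer-managed key service rather than done with GCM in application code.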
Imagine your application is now outside your company. How does managing users and access profiles work? Options include managing through an interface provided by the contractor or using a resource known as federation.
Federation consists of a user base trusting external user bases. For instance, the cloud application can look up a user in the company's own internal network base. This brings a series of advantages, such as keeping control of the users close at hand, easily blocking a user and keeping passwords exclusively under your own control.
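The federation flow described above, as an added example that is not part of the original article: the company's identity provider (IdP) authenticates the user against its own directory and issues a short-lived signed assertion; the cloud application verifies the signature, issuer, audience and expiry and never sees a password. Blocking a user in the company directory stops new assertions immediately. The assertion format, the HMAC signing (a stand-in for the asymmetric signatures SAML or OIDC use), the issuer and audience strings and the shared secret are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the claim set the company's identity provider (IdP) issues to
// the cloud application. The field names are an assumption for this example.
type Assertion struct {
	Subject  string `json:"sub"`
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"` // Unix seconds
}

// Directory stands in for the company's own user base, which only the
// contractor administers. Blocking here takes effect at the next login.
type Directory struct {
	Blocked map[string]bool
}

const (
	issuer   = "idp.example-company.internal" // constructed
	audience = "cloud-app.example-provider"   // constructed
)

// Issue runs at the company IdP: it refuses blocked users and signs a
// short-lived assertion with an HMAC key shared with the cloud application.
func Issue(secret []byte, dir Directory, user string, now time.Time) (string, error) {
	if dir.Blocked[user] {
		return "", fmt.Errorf("user %s is blocked in the company directory", user)
	}
	payload, err := json.Marshal(Assertion{
		Subject: user, Issuer: issuer, Audience: audience,
		Expires: now.Add(5 * time.Minute).Unix(),
	})
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify runs at the cloud application: check the signature before trusting
// any field, then issuer, audience and expiry. No password ever reaches the
// provider; the company directory remains the source of truth.
func Verify(secret []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed assertion")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	if !hmac.Equal(mac.Sum(nil), sig) {
		return "", errors.New("invalid signature")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Issuer != issuer || a.Audience != audience {
		return "", errors.New("assertion not issued by our IdP for this application")
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return "", errors.New("assertion expired")
	}
	return a.Subject, nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	dir := Directory{Blocked: map[string]bool{"mallory": true}}
	now := time.Now()
	tok, _ := Issue(secret, dir, "alice", now)
	user, err := Verify(secret, tok, now)
	fmt.Println("accepted:", user, err)
	_, err = Issue(secret, dir, "mallory", now)
	fmt.Println("blocked:", err)
}
```

The short expiry is what bounds the window between blocking a user in the directory and that user losing access to the cloud application, so it is worth agreeing the assertion lifetime with the provider along with the federation protocol itself.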
Another concern related to access control is the use of strong authentication. Considering that the service will be more exposed on the Internet, the most appropriate method is to have the user present something extra beyond the traditional username and password pair. In this case, it is recommended to use one or more of the following:
After the supplier has committed to the items above, it is time to establish in the contract that you, the contractor, can visit to perform regular audits to assess the status of the security-related commitments outlined in your contract. Using a checklist for this is suggested.