The cloud has gone mainstream, and as a result, it is tough for companies to not at least give it a look when undertaking a technology refresh or new application deployment. The benefits the cloud delivers around simplified management, rapid scalability and reduced capital expenditures are real. However, the thorn in cloud computing’s side are perceived security threats, especially in the investment management industry where data leakage is lethal.
As the security risk landscape continues to evolve, companies must take a proactive security posture to protect their environments. In reality, the threats facing on-premise IT systems are just as dangerous as those facing systems in the cloud, however, the cloud brings some unique security considerations since traffic is routed differently over virtual machines than it is with a traditional network. Another key (and fairly obvious) difference is that in the cloud a company must trust their security to a third party, which can add an element of the unknown.
Conducting extensive due diligence of a cloud provider’s technology, processes and track-record can help alleviate concerns. A key concept to ensure a cloud provider is using is defense in depth, which speaks to placing security safeguards at multiple layers.
The Outside Layer
Physical Security: Inspecting the foundation
First up, the data center facility housing the cloud environment must be highly redundant, built to house mission-critical systems and be SAS 70 Type II certified – a designation that indicates its control objectives and activities have been thoroughly audited and meet the AICPA standard.
To minimize concerns around downtime, the data center should be a Tier III (or greater) facility, have multiple active power and cooling distribution paths and employ an N+1 configuration throughout. You will also want to ask the cloud provider if the data center is in a region that could experience seismic activity, natural disasters (i.e. flooding) or other environmental threats that could disrupt service.
With the resiliency of the data center established, a careful review of the physical security is necessary. The data center should have professional security staff on-site 24x7x365 and surveillance cameras that cover all common areas as well as the cloud computing environment. Security logs for all visitors must be vigilantly maintained and reviewed. Beyond logs, a comprehensive, multi-level, biometric security system – pin-code access keypads, proximity card readers, and biometric iris scanners – should be in place to ensure only authorized personnel have access to critical systems.
Processes, and Policies and Controls! Oh my!
Rock solid controls and clearly defined policies that are regularly audited are essential to securing a cloud environment. Security policies a cloud provider should have in place include:
• Access Control Policy: Who has access to the cloud infrastructure and client systems? Is there a separation of duties between individuals with access? Can a client request more restricted access? How is access logged and monitored? How often are controls reviewed?
• Information Security Management Policy: What safeguards does the provider have in place to protect against physical and virtual threats? How are security violations and incidents reported and managed? What information does the provider collect about clients and how is it handled? Has the provider ever had a security breach and what was the outcome?
• Employee, Visitor and Contractor Physical Security Policy: What background screening, verification and employee agreements does the provider have established? How are employees and visitors monitored while on premise (office or data center)?
Beyond reviewing written documentation, you should inquire about how employees are trained on the policies and held accountable. Also, be sure to ask the provider how often its policies are reviewed and how changes are incorporated.