Showing posts with label cloud security. Show all posts

Sunday, January 29, 2012

Questions for cloud vendors. Part Two

Infrastructure as a Service (IaaS) & Platform as a Service (PaaS)
       Will the cloud vendor clearly communicate its network topology and security practices?

Software as a Service (SaaS)
       Is the cloud vendor willing to provide documented secure coding practices and the results of security (penetration) testing performed by 3rd parties?
       Does the cloud vendor communicate information about OS-level patches and updates, and how does the vendor publish its patch schedule so that patching does not disrupt customers' businesses?
       What are the cloud vendor's terms with respect to ownership of the data?
       How does the cloud vendor delete our data when we are no longer a customer?

Legal:
       What about e-discovery?
       Can we be locked out due to legal action taken against another one of your customers?


Questions for cloud vendors. Part One


Before we move applications or data into the cloud we need to consider the vendor's SLA, the vendor's security, and our own audit needs. Let's put together a basic list of questions to ask as we review vendors' SLAs, to help frame what information we need to consider. Some of these questions are basic, but getting the answers will not be easy.

Access Control:

       What security controls are in place to protect our data?
       How many instances of live data are maintained and where is our data physically located?
       How many copies of backup data are maintained and where are the backups physically located?
       Who has access to the data?
       What is the nationality of people who have access to our data?
       Can we specify who shares physical (or logical) resources with us?

SLA:
    Is our cloud provider's SLA in conflict with any of our customer SLAs (right to audit, etc.)?

Auditing:
    What ability do we have to conduct audits or assessments?
    Will a 3rd party be allowed to audit the system and can we have the results of that audit?
    Can you provide assurance of data destruction?
    What ability do we have to conduct pentests?
    Is operational-level information available for review both by enterprise security personnel and by internal/external auditors?

Security:
    What is the defense-in-depth architecture of the system?
    How will we be notified if a security breach occurs?

Operational:
    Who is managing our data?
    Where is our data replicated?
    What dependencies do our cloud providers have?
    Can a peak load from one of your other customers cause a denial of service for us?
    What is the financial viability of the provider and what happens to our data and services if the provider fails?
    What are the cloud vendor's backup and disaster-recovery procedures/plans in the event of an earthquake, tsunami or other natural disaster?
    What tools will the customer's IT team use for administrative control of cloud services?


What is the Cloud?


Cloud computing is a service you use, not a product you own. Huh? The best way to understand what the cloud is, is to think of it like a utility. We all use utility services like electricity, natural gas, and cable television. Very few of us understand the entire infrastructure behind the service. All we know is that we flip a switch and we have light, turn up our thermostats and we have heat, or turn on our televisions and we can watch our favorite TV show.

Cloud computing is the same thing. Any device connected to the Internet can access applications, files, or data hosted on a cloud computing vendor's infrastructure. The potential of cloud computing is for IT professionals to stop putting resources (time and money) into the infrastructure that supports their applications and to move those resources into delivering better services for their companies and customers. This is especially appealing when dealing with large surges in demand or cyclic demand for seasonal products and services.

The National Institute of Standards and Technology (NIST) has identified three service models of cloud computing[1]. The model you use determines how much of the stack you control, and therefore how much of the security work is yours and how much you must rely on the vendor for.

1.     Software as a Service (SaaS): If you have used Hotmail, Gmail or Yahoo Mail then you have used Software as a Service. The provider runs the application; you control little beyond user-specific settings. If you have contracted a vendor to provide SaaS, your Service Level Agreement (SLA) will be the main document defining what control you have. Make sure your legal department reviews the SLA before you enter into an agreement.
2.     Infrastructure as a Service (IaaS): Provides processing, storage and networking on which you deploy your own software, including the operating system. Of the three models this gives you the most control: you manage the operating systems, storage and deployed applications, and possibly have limited control over select networking components (for example, host firewalls). Your servers will typically run as virtual instances on the provider's infrastructure, and you have no control over the underlying hardware.
3.     Platform as a Service (PaaS): Allows you to deploy your application onto a cloud-hosted platform using the languages, libraries and tools the provider supports. You control your deployed application and possibly some configuration of the hosting environment, but not the underlying operating system, network, servers or storage. Your application still runs as a virtual instance on the provider's infrastructure.

Now that we are on the same page as to what the cloud is, I will be blogging on security and privacy issues concerning cloud services. So stay tuned, subscribe to this blog's RSS feed, and tell your friends.