6 tips for secure cloud shopping

analysis
Mar 20, 2012 (5 min read)

Don't let low cloud costs blind you from the security risks that come with the package

Cloud service providers are taking advantage of buyer ignorance about cloud security, pushing tantalizingly low-cost service contracts that don’t meet prospective customers’ security needs. The result, according to recent reports from HfS Research: Organizations unknowingly leave themselves exposed to a host of threats, while unable to easily escape their service provider’s grasp.

Before being wooed into signing a cloud deal by extraordinarily low subscription fees, promises of unparalleled flexibility, and 99.999 percent uptime, there are some steps you should take internally and at the negotiation table to ensure your foray into the clouds doesn’t quickly turn stormy. These tips come from papers titled “Sweating the Insider Threat” and “Top Security Issues for Cloud Buyers,” both written by HfS Research Director James R. Slaby.

Cloud shopping tip No. 1: Make sure your data is defended. Organizations need to examine cloud providers’ options for protecting sensitive data, both as it flows across the network and when it resides on an endpoint, a server, or a piece of storage gear.

For starters, ask providers about the strength of their VPNs, key management, and end-to-end encryption. Before signing a contract, examine terms pertaining to data privacy, auditability, service reliability, and contingencies against provider status changes, Slaby writes.

Additionally, organizations representing industries with strict privacy regulations need to be sure that providers have mechanisms in place to prevent data from, say, being stored in unauthorized geographic locations. Also, ask whether those mechanisms extend to the provider’s third-party partners.

Rounding out the lifecycle of data, potential cloud customers should inquire whether their provider has mechanisms in place to prove that sensitive data has been securely deleted.

Cloud shopping tip No. 2: Prepare against new insider threats. Organizations should be well aware by now of the risk of insider threats, perpetrated both by malicious as well as simply ignorant employees. When you migrate an application or service from a private data center to a cloud computing environment, the chance of insider threats increases. Per Slaby:

… the cloud provider’s IT staff are now the ones with unimpeded access to applications, their sensitive data, and the systems they run on. They may be endowed with far-reaching access and powerful privileges in order to do their jobs. And they are by definition more highly skilled and knowledgeable of system vulnerabilities.

To reduce this threat, prospective cloud subscribers need to ensure their providers vet and monitor their IT staff properly. Ensure that providers limit their staff’s access and authorizations to only what’s necessary to do their jobs. Request specifics about a provider’s incident response plan. Ask what sort of security countermeasures they have in place, such as change management controls, DLP (data loss prevention) systems, and SIEM (security information and event management) systems. Also be certain your provider “conducts appropriate forensics to pinpoint, diagnose and prosecute insider breaches,” Slaby advises.

Cloud shopping tip No. 3: Keep everyone on the same page. Clear, open communication is a must for a cloud-computing initiative — not just within the customer’s organization, but among the customer, the cloud provider, and any third parties the provider brings to the table.

In terms of internal communication, for example, “the CSO’s team is often not invited early enough to cloud-services evaluations to adequately surface its concerns,” according to Slaby. “As a result, data privacy and other security issues get short shrift, barely getting shoehorned into contracts late in the game.”

HfS also recommends that companies involve their providers in developing their risk strategy and migrating applications to the cloud. “Don’t assume your service provider is doing what they need to do,” Slaby cautioned. “Ensure they are handling their end and that no gaps exist.”

Cloud shopping tip No. 4: Know whom to blame. Some cloud providers rely on third parties for certain services, a point a prospective client needs to know up front for the sake of identifying potentially problematic interdependencies. A component outage might have limited to no discernible impact on a service; then again, it might bring a service to a crawl. “Consider a governance model in which one provider owns overarching responsibility for outages and security breaches, serving as a proverbial ‘one throat to choke’,” Slaby recommends.

Cloud shopping tip No. 5: Don’t get trapped. Even with proper due diligence, you might find down the road that you need to dump your cloud vendor. Make sure to devise a risk mitigation strategy so that you’ll be able to migrate your workload to a new provider (or in-house) quickly and easily should that eventuality arise. Carefully consider how much control you want to give any single provider. Finally, make sure you have in-house experts on cloud infrastructure and services to ease the transition to a new provider, HfS recommends.

Cloud shopping tip No. 6: Don’t buy the snake oil. Providers are taking advantage of buyer ignorance about cloud security, according to Slaby, pushing dirt-cheap standardized contracts that don’t necessarily meet a customer’s compliance, auditability, reliability, or data-transfer requirements. Cloud shoppers should be prepared to negotiate for better protections — and to pay for them.

This article, “6 tips for secure cloud shopping,” was originally published at InfoWorld.com.