Are You Secure? Top Security Considerations When Evaluating Cloud Services

By Joseph Pedano

Late one night, 911 operators received a harrowing phone call from a woman who heard strange noises at her front door. She grabbed her six-month-old baby, a licensed pistol, and locked herself in an upstairs bathroom, holding her breath while the intruder violently tore apart the first floor of her home and stole her valuables.

In minutes, he was gone. Later, they found the intruder along with over 100 different house keys, presumably belonging to other unsuspecting victims. A creepy story, and one that will likely remind you to set your house alarm tonight, but it’s the scary tales of network invasions that make even the most powerful executive shudder. In fact, security is the number one fear of IT directors. Just as alarming, a new report from Silicon Valley Bank reveals that only one-third of 200 tech executives surveyed are completely confident in the security of their information.

Stories of cyber security attacks flood the news with disturbing frequency. A breach in Epsilon’s network leaked millions of names and email addresses from the customer databases of some of its biggest clients. Sony’s PlayStation network and Sony Online Entertainment suffered a series of attacks that placed 100 million customer accounts at risk, costing the company up to two billion dollars. A group of individuals claiming to be affiliated with the “hacktivist” collective Anonymous stole 75,000 credit card numbers and 860,000 user names and passwords from Stratfor, a subscription-based provider of geopolitical analysis. And in the fall of 2013, the websites of several large US financial firms were disrupted by a monster DDoS attack that reportedly exceeded 60 Gbps – much larger than the typical 5–10 Gbps attack.

It seems like security standards are being compromised every day, masked by hasty assurances that the occasional breach is inevitable and everyone takes network security seriously as we’d like.

Or not. Lapses in security practices may not be obvious, especially when obscured by contract liability language and certain unstated assumptions. But while no cloud provider can absolutely guarantee an ironclad defense against the threats of tomorrow, every cloud vendor should be expected to maintain robust procedures that anticipate and mitigate data security risks before they cause harm.

In order to ensure maximum protection from all the existing and emerging threats to any network’s security, whether in the cloud or on premise, there are two major buckets that need to be filled with proper security measures: physical construction and architectural design.

Physical Construction: Critical Components to Ensure Control and Constant Visibility: Fewer than 10 percent of cloud providers own and operate 100 percent of their own facilities; instead, they rely on partners to provide data center resources. As a result, enterprises need to ask the right questions to ensure they have selected the right organizations, ones that provide the necessary controls and visibility into the physical security measures in place to protect their service offerings.

Look for cloud providers that either own or work with Tier One data centers, those strategically located in regions with low risk of natural disasters. This helps ensure that the provider also maintains rigorous protocols for securing these centers from unauthorized access.

For example, each data center should only be accessible at a single point of entry and exit, secured with a biometric scanner or a video call box that allows security guards to visually identify each visitor before granting entry. Also ask if the provider monitors each data center around the clock via closed-circuit TV cameras that record all footage. Be sure to probe the cloud provider about security within the facility. For example, are all areas individually segmented with badge-secured doors, two-factor authentication, and biometric and scanning systems? Inside the server rooms, are each rack, cage, and cabinet individually locked with keys held in a monitored lockbox?

In addition to protecting a provider’s data centers from unauthorized access, each center should be safeguarded from environmental threats. Extensive environmental controls and backup power units must be installed, complete with dual power grids, multiple battery lines, emergency generators, a backup fuel supply, a fire-suppression system, smoke and thermal detectors, and a fail-secure door and alarm system. Do the data centers have adequate cooling and ventilation? Are they physically separated from underlying service providers and other third parties? These are important questions to ask when considering a new provider, whether in the cloud or not.

Last, it’s critical to find out how thoroughly the provider checks the background of each employee on-site. Does the provider enforce mandatory drug testing? Run full background checks? Vet each potential employee with a detailed interview process? If you’re not convinced of the reliability of their hiring process, reconsider.

Architectural Design: Protecting How Data Is Moved, Stored, and Transacted: Studies show that most data security compromises worldwide do not involve direct physical access to or theft of data volumes, but instead result from the exploitation of weaknesses in firewalls, data processes, and other network design elements.

The first line of software defense is virtualization. This ensures that any malignant software process that emerges in one virtualized volume cannot infect or interact with any others. Additionally, virtualized networking processes allow technical staff to easily monitor incoming and outgoing production traffic for any early signs of security risks.

Next, be sure to find out how network information is protected. Some providers leverage load-balanced firewalls, architected to deliver a full and detailed range of protection solutions that include port blocking, VPN, DDoS protection measures, automatic antivirus enforcement, real-time traffic reporting, and intrusion detection. Firewalls should be engineered for N+1 redundancy, guaranteeing that each unit has at least one backup component in case of equipment failure. Further, some providers censor their networks with security event systems that monitor and log traffic.

Most importantly, look for cloud providers whose networks are regularly SSAE-16 SOC 3 audited by independent third parties and compliant with the stringent demands of all major regulatory regimes, including HIPAA and PCI-DSS. Your organization may also require a company that is designated a Qualified Security Assessor (QSA) with the PCI council. Lastly, make sure your provider is a registered and participating member of the CSA Security, Trust, and Assurance Registry (STAR). The CSA was formed to encourage transparency of security practices among cloud providers.

A Well-Lit Tour Removes All Fear: Creepy stories notwithstanding, everything is less frightening out in the open daylight. Nowhere is this truer than with the security of your cloud network provider, so insist on touring the facility to personally meet the provider’s team and review the data center design and operating procedures. Also, request permission to do a full security audit, including application penetration testing and vulnerability analysis. If the provider balks, preferring to keep you in the dark, take that as a fearsome sign of trouble.

Joseph Pedano is the senior VP of Data Engineering for Evolve IP. His expertise lies in building and maintaining next-generation networks that provide value-added services to customers seeking advanced products and services. Joseph is responsible for the overall data architecture for customer and internal networks, as well as the efficient operation and performance management of those networks.

[From Connection Magazine May/Jun 2014]