Cloud computing and security: SLA compliance and cloud encryption

The benefits of cloud computing are many, but so are the security risks. Learn what questions you need to ask of a cloud provider before signing on the dotted line.

London-based research company Analysys Mason Ltd. has predicted that the global market for enterprise cloud-based services will grow to $35.6 billion (EUR 27.5 billion) within the next five years. No wonder, then, cloud providers are working to ensure data stored in the cloud is properly secured.

Security is becoming one of the biggest differentiators among cloud services providers. Besides emphasizing the projected cost savings, the sales pitches of many cloud vendors often focus on the promise of secure data handling while saving the customer money and hassle.

Yet not everyone is listening, it appears; for many businesses, cloud adoption is still believed to be too risky due to data security FUD. That fear, uncertainty and doubt may not necessarily be unwarranted, but in order for the cloud to realise its potential, businesses need to start asking the right questions about data security and demanding their providers meet their security benchmarks before choosing and implementing cloud services.

To aid in that process, what follows is a list of the top 10 cloud computing and security questions to ask before committing to a provider.

  1. Which cloud platform?

    No The cloud is not a one-size-fits-all entity, but rather comes in three distinct service formats. Understanding which is right for your enterprise is the first step toward creating the security strategy required to protect the data you entrust to the cloud. So be sure to ask architecture-appropriate questions:

    Software as a Service (SaaS) cloud models consist of full application delivery to the end-user paradigm and so dictate that the third-party cloud provider itself also takes full responsibility for data security (though you must make sure this liability is written into any SLA). The enterprise's role is, therefore, mainly contractual. This means the enterprise should ensure the provider's access controls (including application-aware firewalling and IPS) and authentication are to an acceptable (or quite possibly regulatory) standard, and that physical security at the data centre meets enterprise requirements before agreeing to any terms.

    Platform as a Service (PaaS) models, meanwhile, deliver an enterprise's custom client applications hosted via the cloud on the provider's OS and storage platform. The PaaS cloud provider should take responsibility for securing the OS and platform itself, although the enterprise must question exactly what security controls are in place. An enterprise should also ask about how the provider encrypts data at rest within the cloud: A customer should ensure it can hold and control the encryption keys, and question the PaaS provider about its application patch management policy.

    Infrastructure as a Service (IaaS) is the most flexible of cloud architectures in that it equips businesses with the right tools to operate and control their own cloud-based virtual servers. As well as asking the IaaS provider about the network security tools it will be using (and such things as resource allocation to prevent potential data availability problems), it's essential to discuss the best way to work together when it comes to securing your virtual servers using your existing tools.


  2. Is the provider's cloud compliant?

    When constructing a service-level agreement (SLA), compliance is a necessary component to consider. Regulatory compliance is now generally accepted as a data security essential for many business sectors, but applying such data protection legislation to the cloud can become a nightmare. Sarbanes-Oxley in the United States and the Data Protection Act in the UK require companies to retain responsibility for their data at all times, and that legal jurisdiction component will also include a cloud provider if it handles enterprise data.

    If your organisation is bound by regulatory compliance, ask a potential provider if it can ensure your data is kept within your own country, rather than being spread between available servers across jurisdictional territories ; if data is stored internationally, other compliance regulations may come into play. Also, ask them to provide regular audit evidence that these measures are being implemented.

    Don't forget to ask about who can access your data and require proof of logging for who had access and when for administrative functions.

    In general, most regulatory compliance standards will require an enterprise to answer the following questions:


    • What information is stored?
    • Where is it stored?
    • Who can access it?
    • What can be accessed?
    • Is that access appropriate?

    If a cloud provider is unwilling (or unable) to answer those questions or comply with requests for specified data transfer and access constraints, then find one who can.


  3. Put your organisation's security to the test

    In principle, there's little difference between server-based applications coming out of a traditional data centre and those shared in the cloud when it comes to security concerns.

    It's still necessary to ask the cloud provider about what source code analysis it applies, and how regularly it puts its security procedures under pressure through audited penetration testing.

    Also ask about security auditing of virtual servers that are mounted and dismounted dynamically: How does the provider deal with e-discovery requests or any forensic investigation that might be required down the line? What security audit, logging and monitoring systems does the provider employ?

    Remember that breaches and loss can still happen in the cloud. A company must plan for such an event in advance by ensuring its data breach notification policy is properly supported, meaning the provider should be able to give the company the information it needs to meet regulatory breach notification requirements. What about auditing and enforcing service level agreements (SLAs), often forgotten about until the SLA is breached in some way? In the wake of an SLA breach, the invisibility of the cloud can make apportioning blame to the provider difficult indeed, unless these questions of responsibility and liability are sorted out before signing the contract.

    The cloud does not mitigate the need for due diligence; in fact, the reverse is true. Just as cloud providers should have well-documented incident response processes and policies, so should organisations. This doesn't mean that you need to rip up existing policies and start from scratch, but rather be able to modify and extend the policies so as to accommodate the changes required and ensure the cloud-based side of incident response is properly covered, per the questions above.


  4. What intrusion detection system does the provider employ?

    Just because your data is in the cloud, it does not mean (no matter how much the cloud providers may argue otherwise) that it is safer from potential compromise than if the organisation were storing it on-site. In order to be sure that the data is protected, wherever it may be at any given time, ask questions about intrusion detection systems (IDS) in the cloud.

    Intrusion detection capabilities in the cloud will vary depending upon the cloud architecture involved. When it comes to SaaS, the organisation is placing all the IDS responsibility onto the cloud provider, so ask what the provider will be using by way of IDS and whether you can see the logs.

    The same goes for PaaS clouds, although it may be possible for the organisation to perform some simple monitoring and alerting from a central location where your applications have been configured to log in to.

    To ensure the most IDS control, consider the IaaS platform, which enables an organisation to employ IDS within the virtual machine, hypervisor or virtual network.

    However, regardless of which platform you are interested in, the same questions must always be asked:


    • Who is responsible for IDS in your cloud?
    • How will that IDS be deployed?
    • How will you be notified of attacks?


  5. How does the provider protect data at rest?

    One of the great information security myths is that data in transit presents a greater risk of compromise than data at rest, but cloud computing is poised to expose that for the bunkum that it is. Sure, data in transit must always be encrypted and authenticated -- that's a given -- but securing data at rest is a much bigger can of worms altogether, because it is always in one place, making it an easier target, and encrypting data at rest is not always as straightforward as one might hope.

    Ask the cloud provider how its provisioned applications protect the data (particularly in the case of SaaS where provisioning cloud encryption of data is not yet an option) and about encryption when it comes to PaaS models. As mentioned above, a company should determine whether it can hold and maintain control of the encryption keys used. Also make sure that fit-for-purpose encryption is being used in the cloud; it must be possible to access, decrypt, use and encrypt in that sequence before data is written back again in a fully seamless fashion.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Read more on IT risk management