Hardening the Cloud
Security considerations to protect your organization
Illustration by Mick Wiggins
And question the provider’s security practices. Here are some of the questions I’d ask:
- Is administrator (root) access limited to only those requiring that power?
- Do administrators access the servers via encrypted sessions?
- What’s the patch management strategy?
- Do you run antivirus and malware protection software?
- Do server configurations comply with PCI (or HIPAA or Sarbanes-Oxley or insert your law or regulation here)?
- What are the password requirements and composition rules?
- Can the password rules be set to match your organization’s requirements?
Most organizations’ security policies address the actions to be taken during employee terminations or layoffs. Within your organization, these actions take place at the same time as the employment action. You’ll want to ask the cloud provider whether they can quickly identify and shut down the accounts used by these former employees, so that their access is removed immediately.
Another question to ask the provider is what logging is performed. Compliance with many laws and regulations usually requires that some level of logging (auditing) be performed. Your security policy may require logging administrator functions, authority failures, reading healthcare data, failed login attempts and more.
Another aspect to consider is the possibility that your organization’s information could fall into hackers’ hands if the cloud provider becomes the victim of a targeted attack. Some intrusions succeed because of poor configurations that let hackers easily access an organization’s network. But some intrusions are targeted because of the value or volume of data. (Think of the attack on the credit card processor Heartland Payment Systems, one of the largest data breaches in history.) While it may be relatively easy to avoid attacks that exploit poor choices in security settings (just use relatively secure settings and the hacker will likely move on to the next target), defending against a targeted attack is basically like going to war with a hacker. Because cloud providers store great volumes of data, they may become victims of targeted attacks. What damage would your organization incur if its information stored in the cloud were stolen? Perhaps the answer is none, except being annoyed that it happened. But depending on the type of data, the result could be very costly—compromised trade secrets—or signal a need to put your breach notification plan into action.