For most organizations, the process of verifying that cloud providers manage data securely involves looking at security and compliance certifications and reading reports from independent, third-party auditors.

At first glance, this approach makes sense. After all, organizations need some way to confirm that sensitive customer, supplier, and financial information is adequately protected. They also need to verify that data is stored and handled in compliance with applicable security requirements like the Health Insurance Portability and Accountability Act (HIPAA). Third-party audits and certifications can be a big help in that regard.

But although audits and certifications provide some level of assurance that cloud providers and other enterprises are meeting certain requirements related to security and compliance, they don’t always go far enough. For example, some of the biggest security breaches in the last several years happened to vendors with active Payment Card Industry Data Security Standard (PCI DSS) certifications.  

The fact that organizations subject to regular security audits can experience breaches shows that certifications and audits aren’t a substitute for vetting a cloud’s security architecture and controls framework for sound design. Organizations that want to be confident that data stored in the cloud is appropriately secured should take some additional steps. Here are a few things that you can do to verify that a cloud provider places a high priority on security.

Understand the Cloud’s Architecture

You can tell a lot about a cloud provider’s approach to security by looking closely at their cloud’s architecture. How was the service built? Was it designed using security-first principles?

Oracle Cloud Infrastructure, for example, was designed with a security-first focus, isolating customer resources such as network, compute, and data. This single-tenant approach increases the granularity of control and reduces the attack footprint. It also results in predictable and superior performance by eliminating problems caused by “noisy neighbors.”   

Oracle Cloud Infrastructure users can also create their own virtual cloud networks (VCNs). A VCN is a customizable and completely private network that gives you full control to create an IP address space, subnets, route tables, and stateful firewalls. You can also configure inbound and outbound security lists to protect against unwarranted access and malicious users.
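As an added example (not code from the original post or from Oracle), the following Python script audits ingress rules laid out in the shape of a VCN security list, flagging the patterns that amount to "unwarranted access" and showing a weak rule set beside a hardened one. The rule dictionary format, the sensitive-port table and the sample CIDRs are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample ingress rules, loosely modelled on the fields an OCI security list
# carries (source CIDR, IP protocol number or "all", destination port range, stateless
# flag). The values are made up for this example, not taken from any real tenancy.
WEAK_INGRESS_RULES = [
    {"source": "0.0.0.0/0", "protocol": "6", "ports": (22, 22), "stateless": False},
    {"source": "0.0.0.0/0", "protocol": "6", "ports": (1521, 1521), "stateless": False},
    {"source": "0.0.0.0/0", "protocol": "all", "ports": None, "stateless": False},
    {"source": "10.0.0.0/16", "protocol": "6", "ports": (443, 443), "stateless": False},
]
HARDENED_INGRESS_RULES = [
    {"source": "203.0.113.0/24", "protocol": "6", "ports": (22, 22), "stateless": False},
    {"source": "10.0.1.0/24", "protocol": "6", "ports": (1521, 1521), "stateless": False},
    {"source": "0.0.0.0/0", "protocol": "6", "ports": (443, 443), "stateless": False},
]

# Administrative and database ports that should not be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1521: "oracle-db", 3306: "mysql", 5432: "postgres"}

def is_public_source(cidr):
    """True for the catch-all networks 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_findings(rule):
    """Return human-readable findings for one ingress rule (empty list if clean)."""
    findings = []
    public = is_public_source(rule["source"])
    if public and rule["protocol"] == "all":
        findings.append("all protocols open to the internet")
    elif public and rule["ports"] is not None:
        lo, hi = rule["ports"]
        for port, name in sorted(SENSITIVE_PORTS.items()):
            if lo <= port <= hi:
                findings.append(f"{name} ({port}) open to the internet")
        if hi - lo + 1 > 1024:
            findings.append(f"wide port range {lo}-{hi} open to the internet")
    if rule["stateless"]:
        # Stateless rules do not track connections, so return traffic needs its own rule.
        findings.append("stateless rule: confirm a matching egress rule exists")
    return findings

def audit_security_list(rules):
    """Map rule index -> findings for every rule that has at least one finding."""
    return {i: f for i, rule in enumerate(rules) if (f := rule_findings(rule))}

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_INGRESS_RULES), ("hardened", HARDENED_INGRESS_RULES)):
        print(label, audit_security_list(rules))
```

The same check can be run over rules exported from any provider once they are mapped into the dictionary shape above.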

Clarify Roles and Responsibilities

Migrating to the cloud means shifting to a shared-responsibility model for security. This model is often a source of confusion for cloud adopters, as highlighted in a Cloud Threat Report jointly authored by Oracle and KPMG. As you move to the cloud, understanding your cloud use cases and how these impact the division of security roles is hugely important.

Before you select a cloud provider, begin documenting your cloud use cases by making a comprehensive list of your security requirements. This action helps you create priorities and guide conversations with providers. When negotiating with providers, consider using Standardized Information Gathering (SIG) questionnaires from Shared Assessments or the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance. And ensure that security roles and responsibilities are clearly defined in contracts and service level agreements (SLAs). Not all vendors offer availability and performance SLAs, for instance.

It’s also important to remember that the customer’s level of responsibility for security shifts depending on which types of cloud services are being used. For example, Oracle customers who choose bare metal cloud deployments have extensive control over their cloud infrastructure. Therefore, they have far greater responsibility for things like identity and access management, password management, firewall configuration, and other controls.

Learn About the Cloud Provider’s Culture

Security should be integral to the culture and everyday activities of a cloud provider—it should never be an afterthought. Ask the following questions to determine if a cloud provider truly embraces a culture of security:

  • How do you ensure that engineers know their security responsibilities?
  • How do you enable engineers to perform their security-related tasks, and how do you measure their results?
  • What are the processes and technologies for reviewing new code and checking for vulnerabilities, and how do you learn from the things that you discover?
  • What kind of penetration testing do you use, and how often are tests run?
  • Do you give security issues a high priority at daily and weekly stand-ups and meetings?
  • Have you ever made a tough decision between shipping a product to meet a commitment or fixing a security bug?

As a longtime security professional and someone who has worked with many IT security engineers over the years, I can attest that we all have good intentions and want to keep customer data private and secure. But it takes more than good intentions to do a job correctly. We must embrace experience and innovation to continually improve the security architecture and ensure the maximum effectiveness of protection measures.

Learn more about Oracle Cloud Infrastructure security.