Sharing Security Responsibilities with your Cloud Provider

If you’re using a public cloud service, you’ve relinquished some measure of physical control of your computing platforms to a third party. And those platforms are highly likely to be shared with other entities. So how do you reap the economic and management benefits of cloud services while remaining forthright about the security of your organization’s data?

First, assess your provider’s security practices and how well they align with your own policies for identity management and access permissions, access logging, threat defense, and data partitioning. Once you have a provider that has convinced you that physical and administrative access is robust and that it offers the latest protections from malware, the two of you need to agree upon some remaining security responsibilities:

• Data protection. It goes without saying that your data should be encrypted to, from, and through your cloud service. Whether or not your particular industry requires it, you likely have confidential and competitive data that should remain private. So encrypting data both in the network and at rest in cloud storage servers is in order. While most cloud providers will handle many encryption tasks for you, retaining control of the encryption/decryption keys is a best practice. Some have compared letting the provider handle your encryption to locking your house or car, but leaving the keys dangling from the lock.

• Regulatory compliance monitoring. Compliance monitoring can be challenging when you’re not sure at any point in time where your data resides. It might even be in the network of a partner of your provider. You need full disclosure as to where your data could end up. If that’s not in compliance with your industry or corporate rules, you’ll need to negotiate a guarantee that your data doesn’t end up two or more hops away from you.

Also, what type of log data are you able to get from your provider? Access to logs is required for Payment Card Industry Data Security Standard (PCI DSS) compliance, for example. So PCI auditors and regulators could ask you for these logs. If you’re in that industry, you need to negotiate access to your provider’s logs in your contract so you can produce them and comply. At the end of the day, your industry will hold your organization – not a third party – responsible for compliance.

And check that your provider supports strict privacy standards, such as ISO/IEC 27018, an international, uniform approach to protecting privacy for personal data stored in the cloud.

Obviously, you need a way to enforce your multifaceted security policy when data is no longer under your immediate control. It’s prudent, then, to evaluate your vendors’ security practices, address custom requirements in your contract, and work with your vendor to put security responsibilities in the hands of who’s best equipped to enforce them.