How to Evaluate a Cloud Provider’s Security Features
An introduction to the security requirements you should expect from a cloud service provider.
By Vineet Jain, CEO, Egnyte
Billions of dollars of the world’s most sensitive data are pouring into the cloud. The cloud market is expected to reach $100 billion or more in the next few years. [See note 1.] Yet despite such wild adoption rates, few people know the basic security requirements that any cloud service provider should meet.
Basic Prevention Measures
When Verizon and the U.S. Secret Service researched cyber crimes last year, they found that most attacks are “targets of opportunity” that are “not highly difficult.” [See note 2.] Most data is stolen by obtaining access to servers. If the walls around a cloud server go down, that’s a recipe for an easy attack. If you look for a few key safeguards, the chances of a hacker or an infection slipping through a hole in the fence go drastically down.
Be sure your cloud service provider:
- Uses multi-factor authentication as a standard. Your cloud server should authenticate every user not only for username and password, but for the company-specific domain they are logging into. Web browser and desktop access should be encrypted with SSL; data at rest should also be encrypted.
- Safeguards against cross-site scripting and cross-site request forgery. If a hacker opens your password database, your passwords should already be scrambled so that they are indecipherable. File names should be obfuscated so that metadata at rest doesn’t reflect original file data. To make life even harder for hackers, customer data should be segregated and every request validated with tamper-proof, user-identity credentials -- even for sessions that take place offline.
- Is armored with the right hardware so those “not highly difficult” attacks become nearly impossible. Your provider’s hardware should contain high-end firewalls and routers, as well as redundant independent storage units. The colocation facilities should be locked, guarded, and under video surveillance, with strong physical access controls.
- Is able to restore data quickly. Suppose a hacker or infection erases files from your LAN or local computer. If you use a good cloud provider, your data will still be safe on the cloud (unless you have explicitly requested it to be deleted). Your provider should have the capacity to quickly restore all your data with the click of a button.
Keeping an Eye on the Inside
We’ve covered the basic features that a world-class cloud service provider should have in place. We must also address threats initiated inside your organization. To combat these, your cloud service provider should give you the granularity of controls you need to oversee your business processes. A good cloud server will bear partial responsibility. Whenever a user makes an unsuccessful attempt to log in, the system should detect and log it for administrative review. Your cloud provider should retain all log files and analyze them in real time. Such proactive monitoring will prevent vulnerabilities and break-ins before they happen.
In addition to your cloud provider’s existing security technology, you will want to choose access rights by user and specify read/write/delete. With everyone on a mobile device logging on (and off) anytime and anywhere, that level of oversight becomes a true imperative. You will want to decide whether employees’ files always remain in the cloud or whether employees can download them. Perhaps only select employees can have the files offline and everyone else keeps theirs in the cloud.
You should also be able to set how often users use or change passwords. A good cloud provider will offer you capabilities to match the cloud storage security level with the security requirements of your documents -- and the level of flexibility you offer employees.
Information is your friend in the cloud security process. When you scan your audit logs for non-authorized activity, such as password and permission changes or failed login attempts, you begin to see patterns emerge that help you pinpoint possible perpetrators. You can get an even better idea of the patterns within your organization when you monitor peak employee download activity and who is connecting to your accounts and when. A mature cloud service provider will offer you all of these opportunities. Instead of being on the defensive for an unexpected attack, you will proactively protect your network and increase your chances of catching a potential breach before it happens.
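The audit review described above, sketched as an added example (not Egnyte's or any provider's code): it scans a constructed audit trail for failed-login bursts, password or permission changes that follow one, and unusual hourly download volume. The log format, action names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit trail ("timestamp user action detail"); the format, action
# names and thresholds below are assumptions, not any provider's real schema.
SAMPLE_LOG = """\
2024-03-04T02:10:01 bob login_failed ip=203.0.113.7
2024-03-04T02:10:09 bob login_failed ip=203.0.113.7
2024-03-04T02:10:15 bob login_failed ip=203.0.113.7
2024-03-04T02:11:30 bob login_ok ip=203.0.113.7
2024-03-04T02:12:05 bob permission_change target=finance rights=read/write/delete
2024-03-04T09:05:00 alice download file=a.pdf
2024-03-04T09:30:00 carol login_failed ip=198.51.100.9
2024-03-04T09:40:00 carol download file=b.pdf
""" + "".join(f"2024-03-04T02:{m}:00 bob download file=doc{m}.pdf\n" for m in range(13, 33))

def parse(log):
    """Turn audit lines into time-ordered (timestamp, user, action, detail) tuples."""
    rows = (line.split(" ", 3) for line in log.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(ts), u, a, d) for ts, u, a, d in rows)

def review(events, max_failures=3, window=timedelta(minutes=5), peak_factor=5):
    findings = []
    failures = defaultdict(list)   # user -> failed-login times inside the window
    suspect_until = {}             # user -> end of the post-burst watch period
    downloads = defaultdict(int)   # (user, hour) -> files downloaded
    for ts, user, action, detail in events:
        if action == "login_failed":
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) == max_failures:   # report once per burst
                findings.append(("failed_login_burst", user, ts.isoformat()))
                suspect_until[user] = ts + timedelta(hours=1)
        elif action in ("password_change", "permission_change"):
            # A credential or rights change right after a burst deserves review.
            if ts <= suspect_until.get(user, datetime.min):
                findings.append(("change_after_burst", user, detail))
        elif action == "download":
            downloads[(user, ts.replace(minute=0, second=0))] += 1
    typical = median(downloads.values()) if downloads else 0
    for (user, hour), n in sorted(downloads.items()):
        if typical and n >= peak_factor * typical:   # far above the usual hourly volume
            findings.append(("download_peak", user, f"{n} files from {hour.isoformat()}"))
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(finding)
```

A single failed login (carol) produces no finding; only the burst, the rights change that follows it, and the off-hours bulk download are surfaced for administrative review.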
Invest in the Right Fortifications
Think of the castles kings built on hills hundreds of years ago. With thick walls and a good view of both the interior of the walled city and the land below, kingdoms stood a better chance of defending their territories. Cloud service providers are the same way. You want walls and moats to defend your data, and oversight of the goings-on both inside and outside of your walls.
With the world-class security measures above, you have the fortifications you need to be protected inside of the cloud. Anything less and you risk storing your precious data inside a leaking shack in the woods—and calling it protected. Put yourself outside the range of opportunistic attacks. Choose the right castle.
Notes
[1] Computerworld, Cloud Computing by the Numbers: What Do All the Statistics Mean?, Ryan Nichols, August 31, 2010.
[2] Verizon RISK Team, U.S. Secret Service, and Dutch High Tech Crime Unit, 2011 Data Breach Investigations Report.
Vineet Jain is the CEO and co-founder of Egnyte. Prior to Egnyte, Vineet founded and successfully built Valdero, a supply-chain software solution provider, and held a rich variety of senior operational positions at companies including KPMG and Bechtel. He has 20 years of experience in building capital-efficient and nimble organizations. You can contact the author at vjain@egnyte.com.