Essential Guide

How to evaluate, choose and work securely with cloud service providers

Companies are quickly moving to the cloud, though how to choose and work securely with a cloud service provider remains a murky, complex process that is fraught with risk. This guide is designed to smooth the secure route to the cloud.

Introduction

In nature, clouds come in a variety of sizes and shapes, and the same is true in IT. Cloud service providers (CSPs) deliver a variety of cloud computing services, like infrastructure as a service (IaaS), software as a service (SaaS) and platform as a service (PaaS). The security risks inherent in using a CSP are varied, too. There's the threat of corporate espionage and data theft, but also of information contamination.

Yet the move to the cloud is increasingly inevitable. The way forward, then, is to prepare and choose one’s cloud service provider wisely. Take a proactive approach -- learn about the security risks and how best to minimize them -- before proceeding.

This guide focuses on how to work securely with cloud service providers. It considers the risks, reviews ways to evaluate and choose a CSP, and offers a thorough overview of the assistance available from the Cloud Security Alliance. Reading this guide is a vital first step in moving any company information or services to the cloud.

1. Issues

Key security issues to keep in mind when working with a cloud service provider

It's imperative that infosec pros consider the security angle of every step to the cloud -- from identifying potential CSPs, to evaluating the contenders, to signing a contract and managing the relationship.

Know upfront how the CSPs you're considering guarantee the safety of company information; never forget that CSPs don't typically keep security top of mind, which makes it essential that you do. Are CSP guarantees sufficient as presented or must they be adjusted? How will you ensure promised measures are actually implemented?

This guide section focuses on the steps required for a secure move to the cloud and shows why this can be difficult. Read on to get wise to the risks of this increasingly essential business relationship.

News

Serious security gaps at cloud providers, survey reveals

Cloud providers are not giving security sufficient focus, a Ponemon Institute study reveals. Instead, reducing costs to clients and amping up the speed of their services take priority for most.

News

Who's responsible? Cloud customers must stay aware to be safe

The key difference in security when it comes to the cloud is that the responsibilities are shared. The best infosec pros prepare an enterprise cloud incident response process that delineates those responsibilities.

News

The gap between enterprise and cloud provider ups security risks

An info security gap between cloud providers and their customers is being exploited by sophisticated hackers. The result: the perfect crime. The cause: A lack of provider transparency.

2. Evaluate

How to evaluate cloud providers

Answer

The security risks cloud providers tend to miss

Security blind spots leave the enterprise vulnerable to attack. The first step in preventing the worst from happening is to take a clear-eyed view of what cloud providers are likely to miss.

News

Certifying cloud provider security capabilities a challenge

In this opinion piece, the CSA's executive director outlines why certifying provider capabilities can be tough.

Tip

Security lifecycle management practices are key to security

An enterprise can minimize risk by learning how to evaluate cloud providers' security lifecycle management responsibilities.

3. Working

The realities of working with a cloud provider

Identifying viable CSPs and selecting the best one for your company is tough, but even after the contract ink is dry there are issues to deal with and hurdles to surmount.

Many CSPs fail to clearly explain how they'll get your confidential company info up on their cloud and keep it there safe and secure. Enter a CSP relationship with eyes open and toolkit packed. There are some ways to determine how secure a cloud service really is, and this segment of our guide explains them.

Feature

What tools help gauge cloud provider security?

Security is a key concern in cloud provider evaluations, and there are tools and research to make this crucial process a bit easier. Learn about audits and other ways to judge cloud providers.

News

Firms left wanting when it comes to validation of cloud security

Moving confidential company data to the cloud is fraught with risk, and yet it seems for now cloud providers offer little more than promises.

News

Cloud providers could coach customers more on security, compliance

Cloud customers are often left in the dark about their responsibilities versus those of cloud providers in the realm of security and compliance.

News

Amazon cloud security weakness revealed

AWS has cloud security flaws that deeply threaten those customers who don't take care.

4. Controls

Cloud provider metrics and controls

Figuring out which CSP is best for your company is difficult, but you're not alone: The nonprofit Cloud Security Alliance (CSA) promotes best practices for cloud computing, with a focus on security. It has an education program and also disseminates guidelines to aid both cloud vendors and companies moving to the cloud.

CSA programs like the Cloud Controls Matrix and Cloud Trust Protocol give potential cloud customers parameters by which to judge and compare cloud offerings. Read on to learn how CSA programs can make the tough chore of choosing a CSP a bit easier.

Tip

CSA STAR promises a means to evaluate provider security

Cloud service providers aren't always eager to share security info with others, but that info is critical to customers. CSA is attempting a new certification program to solve the problem.

News

CSA offers Cloud Controls Matrix, cloud standards

CSA updated two sets of industry standards this week -- CCM 3.0.1 and CAIQ 3.0.1 -- with an eye to streamlining guidelines for cloud provider security assessments.

Tip

CSA's Cloud Controls Matrix offers hope for better provider security

Assessing a cloud provider's security and audit program is tough, but a new CSA matrix offers guidance.

News

CSA Cloud Trust Protocol promises better provider transparency

Automating customer requests for security info on cloud providers should improve transparency, or at least that's the aim of the new CSA Cloud Trust Protocol.

5. Videos

Expert advice for potential CSP customers

There's nothing like the voice of experience. Here are two videos featuring senior executives with a wide range of advice about working with cloud service providers. They cover everything from how to assess the security controls a CSP offers to what cloud standards are emerging in the industry.

Video

Guard security with a careful cloud provider evaluation

A careful evaluation is essential to picking the cloud provider with the right security controls in place.

Video

What cloud providers' customers must know about security standards and provider visibility

A senior executive for Microsoft reviews emerging cloud security standards and why cloud customers must have visibility into cloud provider security.

6. Terms

Do you know cloudspeak?

Becoming fluent in "cloudspeak" is crucial before entering into the CSP assessment process. Here's a concise glossary of the fundamental terms you should know.
