My organization is increasing cloud use and was told that extensive due diligence was critical. What are some of the cloud security controls that should be considered for both internal and cloud provider due diligence?
Due diligence is the process of evaluating cloud vendors, and in some cases internal procedures and resources, to ensure business objectives are met and the company's interests are protected. In the case of selecting a cloud computing provider, due diligence entails investigating the potential cloud providers to understand how they implement best practices, protect their customers' assets and meet the scope of your requirements.
Due diligence should include verifying that the cloud provider can offer the cloud security controls and meet the scope of services expected by the enterprise. A request for proposal (RFP) can be used to define what is expected, and cloud providers can then use the RFP to formulate their responses. The RFP should specify what is required in terms of service-level agreements, cloud security controls, compliance requirements, data and systems integration needs, service management, access to cloud provider audit reports and, in some cases, on-site reviews.
Customers should review the certifications obtained by cloud providers. Amazon Web Services (AWS), for example, publishes a risk and compliance whitepaper that describes its risk management practices and cloud security controls. It also lists its certifications with respect to ISO 9001, HIPAA, PCI DSS and others.
When reviewing certifications, consider which services the compliance applies to. For example, AWS EC2, S3 and Redshift are all certified for use with data subject to HIPAA regulation, but others, such as Simple Queue Service and the Container Service, are not. In some cases, such as Elastic MapReduce, particular configurations are required to comply with HIPAA requirements.
When conducting due diligence, use multiple techniques, including document review, proofs of concept and trial evaluation periods, to collect as much information as possible in order to mitigate risk to your organization.