Simplifying cloud computing security audit procedures

As a channel partner, you're in the perfect spot to guide customers through the thicket of cloud services. Beth Cohen points out cloud computing security challenges and the best practices that can address them.

By now, everyone has heard that cloud computing is changing the world, and there is no question that it will. However, as with any new technology model or innovation, there are many bumps and detours along the way.

The channel customers have spoken and, far and away, the number one reason they consistently hold back on cloud service deployment is their perception that the cloud is insecure.

Fortunately, as a channel partner, you have direct insight and knowledge of both cloud technologies and the specific needs of your customers, so you are in a unique position to offer valuable cloud consulting services. This powerful combination puts the channel partner in the perfect spot to guide clients through the seemingly impenetrable thicket of cloud services, while avoiding potential security potholes along the way.

In this tip, we'll pinpoint common challenges and best practices that will help you simplify cloud computing security audit procedures.

Ultimately, as a trusted advisor, your goal is to identify and articulate to your customers their cloud security challenges and provide solutions that both save your customers money and build stronger client relations.

VARs can also help customers by offering cloud-based security services, including long-term archival services and customized reports for specific compliance mandates.

The top cloud security challenges for businesses can be categorized into five broad areas:

  • Business: A lack of integration between cloud vendors, limited data portability and vendor lock-in (isn't that what the cloud is supposed to avoid?!) are giving business executives and IT departments heartburn. Deciding what data must stay in-house and what data can migrate to the cloud can be complex and fraught with hidden gotchas. As a trusted advisor, you can guide your customer through the audit process, pointing out potential problems and solutions. Look for systems that are already touching outside customers and networks -- a customer service system or Web portal is a good example of a natural cloud migration.
  • Financial: Companies need to determine if it makes more financial sense to purchase cloud services or build customized systems in-house. Often companies underestimate the risks and cost of data loss, or the cost of mitigating and preventing the occurrence in the first place. With your knowledge of the real business cost of data loss, you can educate your clients about their level of exposure.
  • Legal: Companies need to determine the level of archiving and protection they need to provide for potential legal actions and e-discovery requests. In this day and age, it is not enough to say that the files are no longer accessible; companies can and will be held liable for the data recovery. As a channel partner, you can provide services, like information lifecycle management (ILM) or data privacy audits to ensure your clients are fully protected in the cloud.
  • Regulatory: HIPAA, state data protection laws, SOX and a myriad of other regulations affect your clients differently depending on their business and industry sector. Regulations are rapidly catching up with cloud technology, so understanding the often complex and sometimes contradictory regulatory environments is a valuable skill that helps your clients navigate the treacherous waters of using cloud services in a regulated industry. This is particularly true for PCI DSS and banking regulatory compliance.
  • Technical: Cloud vendors are not always forthcoming about the details of their services, particularly related to how customer data is authenticated, secured and protected. The technology behind cloud services is often a mystery to even the most sophisticated customer. As a channel partner who really does know cloud architectures, your guidance is invaluable for clients who need to protect their data no matter where it is located.

Each of these areas represents unique issues that must be addressed properly to ensure a cloud deployment project is successful. As with anything, half the battle is knowing what to look for when reviewing a potential channel opportunity with your client. To help with the audit process, here is a quick checklist to get you started. Not only will the answers to these questions help determine the appropriate cloud security offerings, but they will also deepen the client's understanding of their own business and how IT and the cloud might enable (or not enable) efficient process flows to meet their business objectives.

Cloud security audit best practices checklist:

  • Perform a data flow and privacy assessment: Look at where the client's data is and how it flows through the organization. Is it vulnerable at any point? Is it all internal, or is some data already out on the cloud?
  • Probe customer data for its suitability for the cloud: Rank the data into three pools: belongs on the cloud, does not belong on the cloud, and might belong on the cloud. For example, your corporate financial statements probably do not belong on the cloud, while your customer service systems and archives (as long as they are properly encrypted) do.
  • Evaluate the client's application portfolio: Evaluate the portfolio from both the business and data security perspectives. Which applications are available on the cloud and which ones are likely to be available in the future? Can some of the specialized applications currently in use be migrated to the cloud relatively easily or will they require extensive configuration and modification to business processes?
  • Audit the existing IT infrastructure, servers and networks: Look for potential cloud migration opportunities. Help your client understand what systems will benefit from moving to the cloud and which ones will not. Some good targets for cloud migration would be a client's email system or CRM system. Both of these systems are not only essential, but there are quite a few relatively mature cloud options available to choose from.
  • Review cloud vendor contracts: Watch for potential service-level discrepancies and make sure your customer understands the relative responsibilities of each party.
  • Help your customer develop a contingency plan: If a cloud vendor relationship does not work out, do not forget to include data extraction and portability as a key design goal to minimize vendor lock-in.

About the author:
Beth Cohen, president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies, has over 20 years of experience building strong IT delivery organizations from both the user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today, but where it is heading in the future.