At the Business of Cloud Computing Conference, I caught a presentation by Marlin Pohlman, who noted that No. 3 on the Cloud Security Alliance's "Top Threats to Cloud Computing" list is malicious insiders. This serves as a good reminder that old-fashioned physical security issues require a lot of attention when you're considering a cloud service provider.
Just as a bank is a central repository for money and thus an attractive target for a robber, so is the data center of a cloud provider a central repository for valuable data resources and thus an attractive target for malicious hackers. So it's important to vet the physical security of a cloud provider's data centers. Here are some of the key issues to investigate:
Security policy. A policy typically details the mechanisms that the vendor has in place to prevent security breaches. An incident response plan typically details steps the provider will take should a breach occur. If the vendor has such documents, carefully review them. If it doesn't, that's a big red warning flag.
Access Controls. Does the cloud provider have physical access controls in place to ensure that only authorized personnel are able to access the IT infrastructure on which your data is stored and processed? Ask the following questions:
• Are the data centers in nondescript facilities?
• Do those facilities have security guards, gates and checkpoints?
• Do they have video surveillance systems?
• Does the vendor use intrusion-detection technology?
• Does it use multifactor authentication?
• Does it have a need-based access policy, with access rescinded if a user's need changes?
Background checks. Does the cloud provider conduct background checks on everyone who has access to its infrastructure and your data? This can prevent malicious insiders from getting inside in the first place.
Additionally, you should determine if the cloud provider requires all staffers to receive training that covers the issues pertinent to data security and the provider's own security policies.
Segregation of duties. Does the cloud provider distribute key tasks among multiple employees? This can help ensure that no single person is able to execute an unauthorized or inaccurate end-to-end transaction and go undetected. And if there are malicious insiders, the practice of distributing tasks among various people will make it harder for them to get away with anything.
Third-party adherence. If the cloud provider works with third parties, does it contractually require that those third parties understand and abide by the same security policies that apply to the provider's employees? Also, does the provider have processes in place to monitor the activities of third parties to ensure compliance? This can help prevent a malicious third party from becoming a malicious insider.
As always, you need to address these issues in the contract. If the cloud provider's security policy and incident response plan pass muster, then simply attach those documents to the contract and designate them as the cloud provider's minimum security requirements. If the policy and plan are lacking, you can address any shortcomings with additional corrective language in the contract.
Following this process and codifying requirements in the cloud service contract is the best way to effectively minimize risks in the cloud.
Special note: For anyone interested in intensive, deep-dive training on cloud computing contract issues, I'll be teaching my next UCLA Extension seminar, "Contracting for Cloud Computing Services," Jan. 19-20, 2012, in Los Angeles. It would be great to see you there.
Thomas J. Trappler is director of software licensing at UCLA and a nationally recognized expert in cloud computing risk mitigation, as well as a regular contributor to Computerworld.com on the topic of cloud computing contract issues. For more information, visit ThomasTrappler.com.