Up, Up and Away: Flying Securely into the Cloud
By: John Brady, Secure-24, CISO
This month, I have written my blog in an easy to read step-by-step method to help you quickly determine if your enterprise should use the cloud and if so, the steps to make ensure a secure migration to the Cloud. For more details on how to manage the related vendor security risk that comes with Cloud utilization, read my blogs on Vendor Risk Management, Part I and Part II.
Your pre-flight checklist and flight plan for migration to the Cloud are below. Buckle up and safe travels….
What is Your Destination?
Why do you want to save your data in the Cloud?
It sounds cool and everyone is doing it.
We’d like to reduce cost and save money.
Determine the cost associated with hosting.
Applications that our company needs are in the Cloud.
We do not have the internal resources to build the infrastructure.
It’s difficult to find, retain and compensate required skill sets.
Our infrastructure is not part of our core business.
We need to focus on our core business to maximize return on investment.
Purchasing Your Ticket
What data will be in the Cloud?
Confidential company information?
SOX rules may apply
Operational and reputational risk
Regulatory risk–privacy laws apply
PII, PCI, PHI
Document the regulatory risks
Consider the Special Requirements for Each Type of Data
Determine the Financial Risk?
Resources Required for Oversight
Cannot outsource your liability
Need to do due diligence
How do You Evaluate the Vendor?
SOC 2 Report
Review Service Auditor
Review the Complementary Controls that customers must have in place
Review the findings of the SA
What controls are covered?
Credentials of the Service Auditor
Subcontractors (e.g. data centers) used
For PCI-DSS compliance
Other Vendor Provided Third Party Reviews
ISO 27001 Certification
Summary of third party penetration and vulnerability testing
Look for experience in the security needs of your industry
Select a firm to conduct a vendor evaluation or conduct your own evaluation
GRC tools and libraries
Review vendor policy
Special Travel Requests
What are Key Questions for the Vendor?
Build upon what is covered in SOC
Security policies and procedures
Endorsed by management
At rest: storage and backups
Where are the keys held and how are they secured?
VPN with multifactor for remote access
Code reviews for secure coding practices
Documented Change Control
Data Loss Prevention
Security Incident Monitoring and Management
Malware Detection and Prevention
Multiple Layers of Defense
Threat Intelligence Program
Boarding Pass and Check-In
Right to Audit!
Applies to subcontractors
Breach notification (24 hours)
Review documentation to confirm secure arrangements
Testing of authentication, logging
After Take Off, keep your seatbelt on in the case of turbulence…..
Frequency dependent on risk
Complementary Controls in the SOC Report Must be Addressed and Documented
Remain Current on the Vendor Condition
Was there a breach?
Mergers and acquisitions
Remember the subcontractors
Cloud Security Alliance
Third Party Vulnerability Scorecard Services
Evaluate performance against original objectives.