
Up, Up and Away: Flying Securely into the Cloud

By: John Brady, Secure-24, CISO

This month I have written my blog as an easy-to-read, step-by-step guide to help you quickly determine whether your enterprise should use the Cloud and, if so, the steps to ensure a secure migration. For more details on managing the vendor security risk that comes with Cloud use, read my blogs on Vendor Risk Management, Part I and Part II.

Your pre-flight checklist and flight plan for migration to the Cloud are below.  Buckle up and safe travels….

What is Your Destination?

Why do you want to put your data in the Cloud?

It sounds cool and everyone is doing it.

We’d like to reduce cost and save money.

Determine the cost associated with hosting.

Applications that our company needs are in the Cloud.

We do not have the internal resources to build the infrastructure.

It’s difficult to find, retain and compensate required skill sets.

Our infrastructure is not part of our core business.

We need to focus on our core business to maximize return on investment.


Purchasing Your Ticket

What data will be in the Cloud?

Confidential company information?

SOX rules may apply

Operational and reputational risk

Employee data?

Regulatory risk: privacy laws apply

Client Data?

PII, PHI, and payment card data (PCI DSS scope)

Document the regulatory risks

HIPAA

PCI-DSS

EU Regulations

FFIEC

Consider the Special Requirements for Each Type of Data

Determine the Financial Risk

Resources Required for Oversight

Cannot outsource your liability

Due diligence is required

Seat Selection

How do You Evaluate the Vendor?

SOC 2 Report (ask for a Type II, which covers operating effectiveness over a period, rather than a point-in-time Type I)

Review the Service Auditor: credentials and independence

Review the Service Auditor's findings and any exceptions noted

Review the Complementary User Entity Controls (CUECs) that customers must have in place

What controls and Trust Services Criteria are covered?

Subcontractors (e.g., data centers) used

PCI DSS Attestation of Compliance (AOC)

Required if cardholder data will be in scope

Other Vendor Provided Third Party Reviews

HIPAA

HITRUST

ISO 27001 Certification (confirm the certificate's scope covers the services you will use)

Summary of third-party penetration and vulnerability testing, with evidence that findings were remediated

Industry References

Look for experience in the security needs of your industry

Detailed Questionnaires

Select a firm to conduct a vendor evaluation or conduct your own evaluation

GRC tools and libraries

Conference calls

Review vendor policy

Onsite visit

Special Travel Requests

What are Key Questions for the Vendor?

Build on what the SOC report covers, and ask about what it does not

Security policies and procedures

Endorsed by management

Regular reviews

Employee Screenings

Data Encryption

In motion

At rest: storage and backups

Endpoint (e.g., full-disk encryption on laptops)

Where are the keys held and how are they secured?

Secure Communications

Employees

VPN with multi-factor authentication for remote access

Clients

Secure (TLS) websites

Multi-factor authentication

Code reviews for secure coding practices

Documented Change Control

Data Loss Prevention

Security Incident Monitoring and Management

Logging

Alerting

Incident handling

Malware Detection and Prevention

Multiple Layers of Defense

Threat Intelligence Program

Vulnerability Management

Patch management

Boarding Pass and Check-In

Contract Requirements

Right to Audit!

Confidentiality

Applies to subcontractors

Breach notification (within 24 hours of discovery)

Indemnification

Implementation

Review documentation to confirm secure arrangements

Testing of authentication, logging
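One way to make "testing of authentication, logging" concrete at go-live is to run an acceptance check over an export of the vendor's audit log. The example below is added here and is not part of the original post or any vendor's tooling; the log lines are constructed and the field names (ts, actor, action, outcome, mfa, src_ip) are assumptions, not a real vendor schema. It checks three things a reviewer cares about: every record carries who, what, when, from where and the result; every successful login was MFA-verified; and a burst of failed logins would trip the alerting threshold the vendor claims to monitor.

```python
"""Acceptance checks for a cloud vendor's authentication audit log.

Added example, not the vendor's or the blog author's code. The sample
export and its field names are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (JSON lines); not real vendor data.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "actor": "alice@example.com", "action": "login", "outcome": "success", "mfa": true, "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T09:05:00Z", "actor": "bob@example.com", "action": "login", "outcome": "success", "mfa": false, "src_ip": "203.0.113.11"}
{"ts": "2024-05-01T09:10:00Z", "actor": "svc-backup", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:10:20Z", "actor": "svc-backup", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:10:40Z", "actor": "svc-backup", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:11:00Z", "actor": "svc-backup", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:11:20Z", "actor": "svc-backup", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:11:40Z", "actor": "svc-backup", "action": "login", "outcome": "success", "mfa": true, "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T10:00:00Z", "actor": "carol@example.com", "action": "config_change", "outcome": "success"}
"""

# Assumed minimum content of an audit record: who, what, when, where from, result.
REQUIRED_FIELDS = ("ts", "actor", "action", "outcome", "src_ip")


def parse_events(text):
    """Parse JSON-lines text into event dicts, keeping the source line number
    and a parsed UTC timestamp (None if the record has no usable ts)."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_line"] = lineno
        ev["_when"] = None
        if "ts" in ev:
            ev["_when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def missing_fields(events):
    """Map of line number -> required fields absent from that record."""
    return {ev["_line"]: [f for f in REQUIRED_FIELDS if f not in ev]
            for ev in events if any(f not in ev for f in REQUIRED_FIELDS)}


def logins_without_mfa(events):
    """Actors with a successful login that is not marked MFA-verified."""
    return [ev["actor"] for ev in events
            if ev.get("action") == "login" and ev.get("outcome") == "success"
            and ev.get("mfa") is not True]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins inside a sliding
    time window; use this to confirm the vendor's alerting would fire."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("outcome") == "failure" and ev["_when"]:
            failures[ev.get("src_ip", "?")].append(ev["_when"])
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


def acceptance_report(text):
    """Run all checks and return a summary; `passed` means the log is complete
    and MFA was enforced on every successful login."""
    events = parse_events(text)
    missing = missing_fields(events)
    no_mfa = logins_without_mfa(events)
    return {
        "events": len(events),
        "missing_fields": missing,
        "logins_without_mfa": no_mfa,
        "brute_force_sources": brute_force_sources(events),
        "passed": not missing and not no_mfa,
    }


if __name__ == "__main__":
    print(json.dumps(acceptance_report(SAMPLE_LOG), indent=2))
```

Run against the constructed sample, the report flags the config change on line 9 for lacking a source address, flags bob's non-MFA login, and lists 198.51.100.7 as a source that should have triggered a brute-force alert; a clean vendor log export would produce an empty `missing_fields` and `logins_without_mfa`, and the flagged source is the prompt to ask the vendor for the corresponding alert ticket.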

After takeoff, keep your seatbelt on in case of turbulence…

Regular Reviews

Frequency dependent on risk

Committing Resources

Complementary User Entity Controls in the SOC Report Must be Addressed and Documented

Remain Current on the Vendor Condition

Was there a breach?

Mergers and acquisitions

Remember the subcontractors

Cloud Security Alliance (e.g., the STAR registry)

Third-Party Security Rating Services

BitSight

SecurityScorecard

Evaluate performance against original objectives.

Happy landings…