
Up, Up and Away: Flying Securely into the Cloud

May 16, 2017

By: John Brady, Secure-24, CISO

This month, I have written my blog as an easy-to-read, step-by-step checklist to help you quickly determine whether your enterprise should use the Cloud and, if so, the steps that ensure a secure migration to it. For more detail on managing the vendor security risk that comes with Cloud utilization, read my blogs on Vendor Risk Management, Part I and Part II.

Your pre-flight checklist and flight plan for migration to the Cloud are below. Buckle up and safe travels...

What is Your Destination?

Why do you want to save your data in the Cloud?

- It sounds cool and everyone is doing it.
- We'd like to reduce cost and save money.
  - Determine the cost associated with hosting.
- Applications that our company needs are in the Cloud.
- We do not have the internal resources to build the infrastructure.
  - It's difficult to find, retain and compensate required skill sets.
- Our infrastructure is not part of our core business.
  - We need to focus on our core business to maximize return on investment.


Purchasing Your Ticket

What data will be in the Cloud?

- Confidential company information?
  - SOX rules may apply
  - Operational and reputational risk
- Employee data?
  - Regulatory risk: privacy laws apply
- Client data?
  - Document the regulatory risks
  - EU regulations

Consider the special requirements for each type of data.

Determine the financial risk:

- Resources required for oversight
- You cannot outsource your liability
- You still need to perform due diligence

Seat Selection

How do You Evaluate the Vendor?

- SOC 2 Report
  - Review the Service Auditor
  - Review the Complementary Controls that customers must have in place
  - Review the findings of the Service Auditor
  - What controls are covered?
  - Credentials of the Service Auditor
  - Subcontractors (e.g. data centers) used
- PCI Attestation
  - For PCI-DSS compliance
- Other vendor-provided third-party reviews
  - ISO 27001 certification
  - Summary of third-party penetration and vulnerability testing
- Industry references
  - Look for experience in the security needs of your industry
- Detailed questionnaires
  - Select a firm to conduct a vendor evaluation, or conduct your own evaluation
  - GRC tools and libraries
  - Conference calls
  - Review vendor policy
  - Onsite visit

Special Travel Requests

What are Key Questions for the Vendor?

- Build upon what is covered in the SOC report
- Security policies and procedures
  - Endorsed by management
  - Regular reviews
- Employee screenings
- Data encryption
  - In motion
  - At rest: storage and backups
  - Where are the keys held and how are they secured?
- Secure communications
  - VPN with multifactor authentication for remote access
  - Secure websites
  - Multi-factor authentication
- Code reviews for secure coding practices
- Documented change control
- Data loss prevention
- Security incident monitoring and management
  - Incident handling
- Malware detection and prevention
  - Multiple layers of defense
- Threat intelligence program
- Vulnerability management
  - Patch management

Boarding Pass and Check-In

Contract Requirements

- Right to audit!
  - Applies to subcontractors
- Breach notification (24 hours)
- Review documentation to confirm secure arrangements
- Testing of authentication and logging

After Take Off, Keep Your Seatbelt On in Case of Turbulence...

- Regular reviews
  - Frequency dependent on risk
- Committing resources
  - Complementary Controls in the SOC report must be addressed and documented
- Remain current on the vendor's condition
  - Was there a breach?
  - Mergers and acquisitions
  - Remember the subcontractors
  - Cloud Security Alliance
  - Third-party vulnerability scorecard services
    - Security Scorecard
- Evaluate performance against original objectives.

Happy landings...