1 Security Checklist for Cloud Software
2 Security Checklist for Cloud Software 2 I. Overview Cloud computing has shaped the way businesses view and manage data - so much so that cloud computing terminology is ingrained into everyday business vernacular. For instance, cloud storage applications are often used as a seamless way of collaborating on, and managing key data sets in an efficient and cost-effective way. But as business leaders and technology analysts look to the future of cloud software implementation on an enterprise level, there is still a growing concern over security. In fact, security has always been the primary criticism of cloud technology. most organizations are not taking the proper precautions when moving their sensitive data to the cloud Without the facts it s easy to assume that cloud security has evolved in such a way that these concerns have subsided entirely. While it is true that cloud security has dramatically improved in recent years this still doesn t represent the big picture. The reality is that even as organizations migrate their data to cloud-based solutions, it is incredibly difficult to measure and evaluate the security of a particular cloud application, especially if you don t know what to look for. As for cloud growth, according to a recent Forbes article, The Poneman Institute conducted a study of over 4,200 business and IT managers. The study revealed that enterprise cloud adoption has grown by roughly 10% from Another Poneman survey given to nearly 800 IT professionals revealed that most organizations are not taking the proper precautions when moving their sensitive data to the cloud. The survey also indicated that roughly 54% of all respondents experienced five major data breaches that involved theft or data loss from a mobile device. Both of these studies reveal two sides of the same coin. On one side, cloud computing - particularly cloud storage - is drastically changing how organizations are managing and housing data. On the other side is the reality that while more enterprise data is being managed in the cloud, it is becoming more susceptible to major data vulnerabilities. In this whitepaper we will unpack eight essential components of cloud security, and how each organization should use this criteria to heavily scrutinize cloud applications before adopting them. It s important to note that while this whitepaper provides a solid framework to start from, this is by no means a comprehensive guide for every potential cloud security situation.
3 Security Checklist for Cloud Software 3 II. The Security Checklist 1. SSL Encryption While cloud security is not a one-size-fits-all solution for every organization out there, SSL Encryption should be a non-negotiable component of every cloud application an organization evaluates. To the untrained eye, SSL encryption seems like an outdated and archaic approach to data security when compared to a groundbreaking technology like cloud computing. However, it still remains one of the most effective ways to ensure data remains secure in the cloud. Essentially, SSL Encryption technology prevents unauthorized users from viewing and/or accessing data within a cloud system. Originally developed by Netscape, SSL Encryption uses a public key infrastructure. This means that when a file is uploaded into a cloud server, the file in question is encrypted with a public key. From there the file is deciphered with a private key. This ensures that only the file owners can view the data. In other words, all files are encrypted in both the downloading and uploading process. From here it s tempting to assume that all SSL Encryption solutions are created equal. In fact, the opposite is actually true. There is certain criteria that every SSL and Certificate Authority (CA) should meet. For instance, SSLs should use independently verified CAs. This means the CA should support at least AES 128-bit encryption, but preferably should support 256-bit data encryption based on the 2028-bit global root system. 2. Uptime Downtime is a major concern for any organization migrating data into the cloud. According to a 2012 survey by the Seagate cloud storage subsidiary Evault, roughly 54% of all IT departments experienced major data loss from downtime in the preceding 12 months. While downtime instances have improved, downtime still remains one of the main issues surrounding fullscale cloud adoption. 54% of all IT departments experienced major data loss from downtime in the preceding 12 months
4 Security Checklist for Cloud Software 4 For better or worse, a cloud application is only as effective as its hosting provider. The cloud provider should be able to almost guarantee at least 99.9% uptime. Anything less than that is not worth the investment. Downtime is costly, not just for the cloud provider, but for any organization implementing the cloud application. Depending on the scope of the cloud application and the size of the adopting organization, downtime can cost upwards of hundreds of thousands of dollars per hour. 3. Regular Backups & Disaster Recovery For any organization migrating massive amounts of data to a cloud provider, regular and automated backups are essential. At a bare minimum, a quality cloud provider should provide backups and data snapshots on a daily basis. Data loss due to faulty backup methods is a major area concern for enterprise organizations migrating to the cloud. A cloud provider s backup technology should work in harmony with any future or existing disaster recovery plan set in place. a quality cloud provider should provide backups and data snapshots on a daily basis Failover and Disaster Recovery should be deeply integrated into any cloud solution. In other words, a disaster recovery plan should be in place from day one to deal with any unforeseen disaster - natural or man made. This means that the cloud provider in question should have a clear plan for recovering and restoring lost data quickly and effectively. This often involves having trusted and verified backup vendors, as well as a clear path for quick response times to a data-related crisis. 4. Internal Audits While not at the very top of the security list, Internal Audits are incredibly important to establishing secure cloud applications. This involves regularly auditing internal business processes, as well as accreditation (SSAE16 and SAS70, for example) and certifications of cloud applications. Additionally, a quality cloud provider should be certified under industry-accepted ISO 27001, SOC1/2 and PCI Level 1 certifications. The bottom line is that having an audit trail in place, accounting for all user activity, mitigates risk - especially if you re in the mid-
5 Security Checklist for Cloud Software 5 dle of a deal. It documents who has access to specific data sets. Beyond deal management, internal audits provide an added layer of operational efficiency. It allows every administrative user to view every user s activity within the cloud application. It aids in project management by showing who is working on a specific project, and who is interested in a specific deal. 5. Strong Password Policy One of the easiest and most effective ways to manage cloud security is through a robust password policy. This is primarily carried out on the software level. In other words, strong password policy should be encouraged and easily implemented within the cloud application. For instance, on the software side of things there should be some visual indicators of a weak, strong or passable password within the application. Any valuable cloud provider will have a strong password policy built into their applications. 6. Activity Tracking Robust reporting is essential to managing and implementing security measures throughout a cloud-based system. Ensure that there reports are easy to create and access in a way the leaves a clear audit trail of all cloud-based processes and tools. In basic terms, everything should be trackable within a quality cloud solution. everything should be trackable within a quality cloud solution Reporting should work in tandem with any internal audits that are conducted. In fact, as data becomes increasingly larger and more complex in the cloud, every process within an application should be tracked. Not only does activity tracking the internal audit process along, but it aids in project management, as it allows every administrative user access to critical information on data essential to closing all kinds of transactions in the cloud. 7. Administrative Control Any organization should have deep administrative control over any cloud application they integrate. This generally means that it
6 Security Checklist for Cloud Software 6 is easy to manage administrative accounts in a way that ensures the IT department knows exactly who has access to mission-critical data in the cloud. From here, modifying user controls should be quick and easy. 8. Avoid Java & Flash-based Cloud Applications Lastly, avoid any cloud solution that is based on Java or Flash. First off, Java and Flash are inherently incompatible with ios devices, which dramatically limits any organization s ability to mobilize their cloud-based data management efforts. Secondly, both Java and Flash bog down browsers, and generally require that users download endless plugins to remain compatible. Lastly, Java poses major security risks. According to a recent NBC article, Java-designed applications were responsible for well over 50% of all cyber attacks in Java-designed applications were responsible for well over 50% of all cyber attacks in 2012 III. Conclusion For many organizations, when considering all the security risks, moving data to the cloud is a scary prospect. The good news is that it does not have to be that way. Cloud applications are designed to make life easier for any organization. It all comes down to preparation for adopting a new cloud application. If the cloud application meets all of the above criteria it is definitely worth the investment. Caplinked is at the forefront of the robust cloud security movement. With Capsafe Security, all cloud-based data is backed up and protected with cutting edge security and encryption technologies. References: https://blog.cloudsecurityalliance.org/2011/09/30/when-it-comes-to-cloud-security-don%e2%80%99t-forget-ssl/