Cloud Assurance: Ensuring Security and Compliance for your IT Environment

A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware incursion, insider threats, compliance mandates, and more. Unfortunately, the middle-market business must deal with the exact same issues, despite having limited resources compared with those of the global behemoths against which it competes every day. [2]

Executive Summary

Maintaining security should always be a top concern for midsize businesses, especially as they consider cloud services. This paper covers the latest security trends, reinforces best practices in securing a cloud infrastructure, and outlines how best to meet compliance requirements (e.g., PCI, HIPAA). It also explains what a mid-market organization should look for in a cloud security provider.

Security Matters for Midsize Enterprises and Small Businesses

Those in charge of IT security for their companies know that maintaining the security of their IT landscape and satisfying compliance requirements is critical to business operations. When it comes to running a small business, the concerns are the same as for any other business. After all, attackers no longer target only large enterprises; they go after small and mid-sized companies as well. In other words, there is no such thing as being under the radar any more. Consider that last year, 50 percent of all targeted attacks hit businesses with fewer than 2,500 employees, and businesses with fewer than 250 employees accounted for 31 percent of all targeted attacks, the biggest growth sector in these attacks, according to a report from Symantec. As targeted cyber-attacks increased by 42 percent last year, nearly one-third of all of these attacks were aimed at businesses with fewer than 250 people. [1]

The security concerns for midsize businesses are the same as for every company: loss of business, loss of reputation, and potential financial penalties, to name a few. Moreover, poor security can mean failing to meet industry security compliance requirements (PCI/HIPAA), which can lead to negative publicity and severe fines and penalties. The last thing any company wants is hackers infiltrating its environment, corrupting or stealing proprietary information, or simply disrupting business operations.

Why the Cloud is a Good Move

Not long ago, many businesses were concerned that moving to the cloud might in fact be less secure than hosting their IT environment and applications on-premises. But as more and more organizations have learned, developing a security policy and selecting the right cloud services provider can actually enhance security. That is why many businesses are addressing their security issues by exploring the possibility of hosting more of their infrastructure in the cloud. According to the State of IT SMB Report from SpiceWorks, 61 percent of SMBs are using cloud-based solutions. [3] Likewise, a report from TechNavio shows global SMB spending has increased in the area of cloud technologies. [4]

2014 EarthLink, LLC. Trademarks are property of their respective owners. All rights reserved. 1071-07314
Though commonly associated with enterprise-class organizations, the cloud model is an equally good fit for small and mid-sized businesses, allowing them to accomplish more, faster, with fewer resources, and thus to outmaneuver their competition. Specifically, the cloud affords the opportunity to reduce upfront capital expenditures, scale up or down based on business needs, improve service with SLA guarantees, and support workforce collaboration and mobility. Just as important, it allows companies to focus on their core competencies and tap into the infrastructure and security expertise of a service provider. It's no wonder that 56 percent of mid-market executives say their organization is already using some form of cloud-based service. [5]

Considerations When Moving to the Cloud

To take advantage of the cloud while keeping the business safe and compliant, midsize enterprises should consider the following.

Understand that the cloud is a shared-responsibility model. In other words, in almost all cases, the customer maintains control and management over one or more layers while the cloud provider manages the rest. As a result, the customer must address certain security and compliance issues. For example, if the organization runs an online store on top of the cloud stack, it must address all PCI requirements, monitor its e-commerce application for vulnerabilities and intrusions, and train its employees on how to keep the application secure and compliant. Similarly, if an organization needs to communicate by email about healthcare, HIPAA/HITECH compliance comes into play, requiring enhanced security to prevent the exposure of electronic Protected Health Information (ePHI).

Securing a cloud infrastructure is really not much different from securing a non-cloud environment. The physical infrastructure and each layer on top of it need to be secured. The organization has less control over the infrastructure layers and components that it outsources. With an Infrastructure as a Service (IaaS) cloud model, the customer takes control at the operating system (OS) layer and above. Moreover, the cloud introduces a virtualization layer (between the network and the OS). Virtualization infrastructure is like another layer of OS, with its own vulnerabilities, patches, and security controls around user access.
Two elements of a sound security program:
- Putting controls in place on the systems that house and control access to sensitive data.
- Ensuring employees are educated and do not work around controls or access, such as leaving secure passwords in plain sight on their desks.

Recommended security controls by layer of the business IT environment:

Layer | Components | Recommended Security Controls
Network | Internet, Firewall | Edge Security; App Filtering; URL/Content Filtering
Applications | App #1, App #2, App #3 | Authorization and Access Control; Application Monitoring; Penetration Testing
Operating System | Windows Server | OS Security; Antivirus/Antimalware; Integrity/Log Monitoring; Server Hardening
Virtualization | Hypervisor | Deployment Best Practices; User Network Isolation; Hypervisor Hardening
Physical Infrastructure | Blade Servers, SAN Storage | Access Control; Logging; Physical Security; Management & Network Isolation

Your entire infrastructure needs to be secured, from the physical to the application layer. It's critical to deploy a managed firewall to protect all data and endpoints. This can take the form of a device or appliance on the customer's premises to protect on-site users and infrastructure. The second type of firewall is a physical or virtual appliance deployed in the cloud to protect applications in the data center and to protect the entire cloud environment from the Internet. This firewall also enables segmentation of the virtual environment to address varying security requirements. Such measures are important in cloud environments because they make it easy to host all applications in the cloud while protecting data and endpoints for users at distributed physical locations.

Securing mobile devices is a necessity. Remember that users travel in and out of a controlled IT environment and access corporate data from various devices and many locations. As a result, it's critical to incorporate the security of mobile devices into the overall plan.
Address the confidentiality, integrity and availability of data. To support these three security criteria, make sure that:
- Data is not exposed to those not authorized to see it
- Data is readily accessible to authorized people who need access to it
- Authorized people can only see the data they should
- Data is protected from unauthorized changes

Advantages of Augmenting Cloud Security

Most businesses are aware of the need for security and likely have some solutions in place. Often they are using and managing a variety of cobbled-together vendor solutions. Unfortunately, when security is fragmented in this manner, holistic management becomes challenging and companies are more likely to experience security gaps. Consider that many mid-market enterprises have small IT staffs, and whether managing security internally or dealing with multiple vendors, they are distracted from strategic IT projects. Moreover, some lack in-house security expertise (for example, security experts with CISA and CISSP certifications), or the resources to manage security 24/7 and take immediate action when necessary.

As a result, many midsize enterprises are seeking more secure solutions. Specifically, they want ones that are more advanced, more unified, and better suited to address the requirements of standards such as PCI and HIPAA. Increasingly, they are turning to outsourced solutions via managed services. A Managed Security Provider can help ensure that an organization's networks and IT infrastructure remain secure and compliant. Outsourcing provides mid-market enterprises an opportunity to improve security, prevent loss of revenue, reduce expenses, and refocus IT staff. In addition, unified solutions deliver efficiencies with centralized contact points and simplified processes that enable faster resolution when issues arise. The key is to find a partner and solution that provides the protection a midsize enterprise needs, without tying up the company's internal IT resources or costing too much.

How to Select a Cloud Security Service Provider

Not all cloud providers are created equal, and not all cloud customers get equal results. So in addition to making good use of available best practices, organizations should seek a service provider that can actually help them improve their cloud security. First, the organization needs to determine what data and applications it will move to the cloud, and the compliance requirements and security policies that apply to its business. If the organization needs to safeguard sensitive data such as that related to credit cards, patient data, privacy, or financial transactions, it must expect the same of its cloud partner.
Once an organization has assessed its risk and selected a short list of vendors, here's what it should ask of a cloud provider to ensure the best selection.

Security Requirements: Will the provider work with you to understand your security and business requirements?

When selecting a vendor, make sure it offers a standard solution that covers most of your needs but is willing to tailor and integrate a security solution with your cloud service. Roles and responsibilities should be clearly defined, and the delineation of responsibilities should align with your organization's needs. Determine whether or not the vendor provides all the products and services necessary. The ideal provider offers a full suite of services, addressing everything from email and the help desk to cloud hosting, servers, network, etc.

How does the provider keep pace with the latest security threats? Make sure the provider takes measures to identify and manage risks impacting its customers, and prioritizes and implements remediation strategies where appropriate. Ascertain that it uses an automated network monitoring system to continuously evaluate its systems and proactively alert responsible IT support personnel when a potential problem arises. Find out if and how often it performs intrusion testing to ensure the controls protecting its infrastructure are sufficient to secure its customers from evolving threats.

Can the provider help you gain an understanding of the full threat landscape? Because organizations will likely maintain a mix of internally managed security products while outsourcing some security to the cloud provider, they should look for a provider that can deliver a holistic view of security across the entire IT landscape. Ideally the provider can integrate all security solutions being used, both in the customer's environment and in the provider's environment, and enable management through a single interface. The provider should also offer cohesive managed services for both the cloud IT environment and the customer-owned equipment on its premises.

Industry Standard Compliance: Ask to see the terms of service and look for disaster recovery and business continuity processes and procedures, and for security provisions designed to preserve the confidentiality, integrity and availability of data as required by the standard. Determine whether or not the service provider helps detect and respond to security incidents or breaches. If so, make sure procedures for investigating security incidents and escalating potential or actual breaches are well defined. Look for a provider that has appropriate controls in place to ensure its products and services remain compliant with the industry standard or regulation.
Third-Party Certifications: Does the vendor employ independent and verifiable audits?

Make sure the vendor observes common standards and audit methodologies, and can provide third-party verification of its adherence to standards. The provider should also have achieved key certifications, such as SSAE 16 SOC 2 (formerly SAS 70), demonstrating its commitment to maintaining a secure, controlled environment for its customers' data and applications. Ask the vendor if it is subject to periodic validation of its security infrastructure, and if it regularly conducts penetration and other testing to achieve certification or validation.

Service Level Agreements (SLA): What is included in the vendor's SLA?

The vendor's SLA should include the guarantees required for the applications and data it will be hosting, based on an assessment of the organization's risk. At a minimum, it should cover availability of data and systems, response times for normal issue severity levels, and custom response times when dealing with a specific security issue. One practical exercise is to map the company's SLA(s) to the provider's SLA(s) to identify any gaps.

Reliability/Business Continuity: How does the vendor ensure uptime, throughput, and other requirements as defined in the SLA?

Ask the vendor about the procedures it has in place for backup and disaster recovery, and how often those processes are validated and tested. In addition, find out how the vendor measures whether it is satisfying its guarantees for uptime, throughput, performance and any other requirements.

Maintenance: Does the vendor conduct regular maintenance, patching, and upgrades?

Look for a vendor that offers tiered service options, as well as additional integrated security services such as periodic vulnerability scanning. Find out how often the vendor's cloud platform is patched and upgraded, and how extensively patches and upgrades are tested before being released or deployed.

Virtual Machine (VM)-Specific Security: Does the vendor configure security in multi-tenant virtual networks?

If your organization will be sharing servers with the provider's other customers, ask the vendor how separation is ensured so that no data or access is shared. This can be established in several ways depending on your requirements, for example by creating private network segments or by installing virtual or physical firewalls.
Secure Access: How does the provider verify the credentials of users and determine their level of access? Are the endpoint machines accessing the cloud environment secured?

It's important to discuss how, where, and from what devices applications and data will be accessed. Look for a vendor that offers endpoint security or asset management in addition to cloud services. Ideally the vendor will use two-factor authentication for remote endpoints to prevent breaches via compromised passwords.

Data Security: What controls are in place to protect data in production, in transit, and in backup? How does the provider preserve the confidentiality, integrity and availability of data?

An organization's requirements vary based on the sensitivity of the data and the regulatory environment. With that in mind, ask the provider how sensitive data will be protected (such as through encryption or firewalls, establishing user accounts with various admin rights, or controlling access to the virtualization layer through network segmentation), who will have access to the data, and what measures it has in place to protect against data loss in the event of a disaster.

In addition to data security, Denial of Service (DoS) attacks can cause extreme latency or availability issues. Look for a vendor that proactively addresses risk assessment and deploys solutions that filter DoS attacks. Find out if the vendor deploys cloud applications to geographically dispersed data centers to ensure uptime. Ask if it routinely takes backups/snapshots so it can quickly restore data in case of data loss, corruption, or service interruption. Make sure it applies industry-leading security measures to the network, OS and application layers, as this is where threats most commonly enter the IT environment. Does the provider make it possible for its customers and payment providers to connect to its infrastructure without traversing the Internet?

Visibility: Does the provider offer visibility into the security of the hosted service?

Review the tools the vendor provides to give customers control over the services it will be providing, and ensure that it can support any reporting requirements for audits or compliance.

Physical Security: Does the vendor follow best practices in securing its data center facilities?

While many cloud providers maintain SSAE 16 compliance, they often fail to indicate the SOC level. A provider with an SSAE 16 audit of its data center(s) is better than one without. Better still is a provider who can supply its customers with the appropriate type of Service Organization Control (SOC) report for the service being provided (SOC 1 for financial auditors, SOC 2 for IT auditors, SOC 3 for a more general audience) and, for SOC 2/3, covering the relevant Trust Services Principles for the type of data and service involved. Remember: SOC 2 is where security starts.

Security controls should include badge-protected facilities, 24/7 cameras, and most importantly, a policy on separation of duties and physical access to servers for the provider's personnel. If your organization is subject to regulatory requirements pertaining to data jurisdiction, verify the physical location of servers. Look for measures that ensure visitors, customers, and authorized vendors adhere to access policies. Make sure the provider monitors its building perimeters, entrances and all essential mechanical devices and strategic points of the facilities 24 hours a day, 7 days a week.

Transparency: It can be costly and time-consuming to evaluate potential managed service providers. To alleviate some of this burden, explore whether cloud providers offer visibility into their risk management program. This model is meant to ensure consistency and efficiency as companies assess prospective partners. Find out if the vendor is willing to share details of its risk management program.

Longevity: How long has the provider been delivering secure cloud services, and to whom? Determine how the provider has evolved its security methods over time and whether or not companies requiring high security, such as those in finance and healthcare, are among its customer base.

The questions outlined in this section provide a solid framework for evaluating an organization's options.
By gaining a clear understanding of each vendor's capabilities, any organization can conduct a side-by-side comparison.

Conclusion: EarthLink is a Best-in-Class Choice

It's no longer a question of whether midsize enterprises should move to the cloud; the evolution is well underway, and there are clear business advantages to outsourcing. The question is how organizations can move to the cloud and still maintain control of IT security and ensure compliance. Organizations can't simply select a cloud vendor based on its ability to support outsourced data or application requirements. They need to be able to trust the cloud vendor, and ensure that it can support the company's requirements with respect to security and compliance. After all, the business's reputation and its ability to serve its employees and customers depend on it.

As a leading cloud hosting provider, EarthLink Business can actually improve an organization's security posture. EarthLink has been protecting its customers from cyber security risks since the start of the Internet revolution. We partner with some of the most sophisticated and respected security companies in the industry to deliver our Next Generation Cloud Services. To enhance our cloud product offerings, we offer comprehensive security solution options designed to reduce risk from the Internet's greatest threats. The processes and controls supporting EarthLink's Next Generation Cloud platform have been designed to help customers meet or exceed all their cloud security and industry compliance requirements. With a comprehensive security portfolio, CISSP- and CISA-certified professionals, SSAE 16 SOC 2 compliant data centers, and over 3,000 deployments across industries, EarthLink enables businesses of all sizes to mitigate risk as they move to the cloud.

Ready to get serious about security in the cloud? Request EarthLink's Cloud Assurance audit package for details on our security and compliance processes, policies and procedures.

To learn more about how EarthLink can help your organization:
Email: getinfo@earthlinkbusiness.com
Call: 1-877-355-1501
Visit: www.earthlinkbusiness.com

Sources:
1. Dark Reading, "Small Businesses Now Bigger Targets In Cyberattacks," April 16, 2013, http://www.spiceworks.com/marketing/state-of-smb-it/
2. Middle Market Executive, "Big Trouble in the Little Enterprise: Information Security and Middle-Market Firms," March 20, 2013, http://middlemarketexecutive.com/big-trouble-in-the-littleenterprise-information-security-and-middle-market-firms/
3. http://www.itbusinessedge.com/blogs/smb-tech/most-analysts-predict-smb-cloud-adoption-tocontinue-skyward-growth.html
4. http://www.itbusinessedge.com/blogs/smb-tech/most-analysts-predict-smb-cloud-adoption-tocontinue-skyward-growth.html
5. ChiefExecutive.net, "Cloud Technologies Offer Promise to Mid-Market Companies But Security Concerns Persist," August 9, 2013, http://chiefexecutive.net/cloud-technologies-offer-promiseto-mid-market-companies-but-security-concerns-persist#sthash.ji32uova.dhbv2mqf.dpuf