The three A’s: authentication, authorization, access control. Here are some questions to ponder about a cloud service:
- How often does it clean up dormant accounts?
- What kind of authentication is necessary for a privileged user?
- Who can access or even see your data?
- Where is it physically stored?
- Does your organization share a common namespace with the service (something that greatly increases risks)?
- Are private keys shared among tenants if data encryption is used?
- Ask your cloud vendor these questions. Get answers.
There’s always the concern of data inadvertently slipping out to tenants who share the cloud service with you. One little error can expose your data and even set you up for identity theft. Breaches that can occur include accessing other tenants’ data from supposedly new storage space, and peering into other tenants’ IP address and memory space.
There are four chief kinds of virtual exploit risks: 1) server host only, 2) host to guest, 3) guest to host, and 4) guest to guest. Many cloud customers are in the dark about virtual exploits and are clueless about the vendor’s virtualization tools. Ask the vendor:
- What virtualization products do you have running?
- What version is currently running?
- Who is patching the virtualization host?
- How often?
- Who’s able to log into any virtualization host and guest?
Here’s a surprise: Quite a few cloud vendors state in their contracts that the customer’s data belongs to the vendor, not the customer. Vendors like ownership because they get to have more legal protection should a mishap occur. They can also do other things with the data that can bring more profit.
- Find out if the contract contains language referring to vendor ownership of data.
- Learn what the cloud provider can do with it if, indeed, they get ownership.
Even the biggest and best cloud services can be dismantled by service interruptions, attacks or some miscellaneous issue with the vendor.
Funny, because a cloud provider typically insists it has superior, super-protected data backups in place. Be aware that even when a provider claims a guarantee for data backup, data can indeed get lost, even permanently.
- Back up your data!
- Require some language in the contract that entitles you to damages should your data become permanently lost.
Cloud services haven’t been around long enough for analysts to have come up with a predictable, clear model of all the possible risks, how likely they are, how likely security failures are, and how much, if at all, those risks will negatively impact customers. And that’s just in general. Figuring this out for a particular vendor is even more vexing.
- There are many unknowns, but at least you can work on minimizing them.
- Obtain a copy of the vendor’s last relevant, successful audit report.
- Seek out information from the vendor about prior incidents of tenant data problems.
- Ask the vendor about its policy of reporting data compromises to customers.
- Pin down just what the provider’s responsibility really is.
The author of this article is a security analyst and ID theft expert.