Assessing Cloud Application Vendors from a Security Perspective
Enterprises of all structures and sizes across the globe have been adopting the cloud for every kind of need, from computing, storage and databases to hosting business applications. They are also proactively addressing cyber-security needs, both those dictated by internal Info-Sec controls and those coming from external regulatory mandates.
For enterprises evaluating new cloud applications, I think one needs to look deeper and go beyond 'checking the box', which is typically done by reviewing compliance standards such as SOC 2 controls, PCI-DSS and HIPAA. This deeper insight can be gathered by looking at a few key areas, as follows:
- Underlying cloud infrastructure approach: is it multi-tenant or multi-instance? I believe a multi-instance strategy, which ensures there is no co-mingling of data across customers in the back end, provides a sound foundation for security because of the physical segregation it leads to. There are other benefits in terms of performance and SLAs as well.
- Encryption, with key management, should rest with the enterprise and not with the cloud provider. This capability provides the necessary foundation for the enterprise to decide where and how encryption is applied and to align it with its business needs. It also helps you stay independent of your cloud provider.
- Look at how user entitlement is managed. Cloud applications need a sophisticated org-role construct for segregation of duty. Often, cloud applications offer only a role-based primitive to decide what a user can do in the application. In real life, however, people change roles and sometimes have to do several things at once. Applications that support more sophisticated models (such as a Federated Org-Role-User Mapping) can handle such real-life scenarios robustly and, in addition, can effectively maintain segregation of duty.
- Cloud vendors that implement automated scans and audits across the full stack go a long way in providing security assurance. This should range from hardware vulnerability management and OS patching to application penetration testing and application segregation-of-duty testing. In short, it should be automated machinery that keeps a constant vigil and enforces periodic remediation.
- Finally, not all cloud application vendors will disclose their software development practices, but it is worthwhile to look into them and ask pointed questions to ensure that OWASP standards, security testing (ideally by an external third party) and other Secure Software Development Life Cycle approaches are followed.
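The entitlement point above (an org-role-user mapping that still enforces segregation of duty) is easier to evaluate with a concrete model in hand. The following is an added illustration, not code from the article or from any vendor; the org names, roles, permissions and conflicting-permission pairs are constructed for the example. A user may hold different roles in different orgs, but a role assignment that would give one user a toxic combination of permissions within the same org is refused.

```python
"""Federated org-role-user entitlement model with segregation-of-duty (SoD) checks.
Added illustration; all role, permission and org names below are constructed."""
from collections import defaultdict

# Constructed role -> permission mapping (assumption: roles are scoped per org).
ROLE_PERMISSIONS = {
    "payables_clerk": {"invoice:create"},
    "payables_approver": {"invoice:approve"},
    "auditor": {"invoice:read", "audit:read"},
}

# Permission pairs one user must never hold together within the same org.
SOD_CONFLICTS = {frozenset({"invoice:create", "invoice:approve"})}


class Entitlements:
    """Maps (user, org) -> roles; the same user can hold other roles in another org."""

    def __init__(self):
        self._roles = defaultdict(set)

    def permissions(self, user, org):
        perms = set()
        for role in self._roles[(user, org)]:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def sod_violations(self, user, org, extra_role=None):
        """Conflict pairs the user would hold in `org` if `extra_role` were added
        (or holds now, when extra_role is None)."""
        perms = self.permissions(user, org) | ROLE_PERMISSIONS.get(extra_role, set())
        return {pair for pair in SOD_CONFLICTS if pair <= perms}

    def assign(self, user, org, role):
        """Grant `role` to `user` in `org`, refusing if it would create an SoD conflict."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        violations = self.sod_violations(user, org, extra_role=role)
        if violations:
            raise PermissionError(f"SoD conflict for {user} in {org}: {violations}")
        self._roles[(user, org)].add(role)

    def can(self, user, org, permission):
        return permission in self.permissions(user, org)


def demo():
    """Clerk in one org, approver in another is fine; both in the same org is refused."""
    e = Entitlements()
    e.assign("alice", "org-eu", "payables_clerk")
    e.assign("alice", "org-us", "payables_approver")  # different org: allowed
    try:
        e.assign("alice", "org-eu", "payables_approver")  # same org: SoD conflict
        blocked = False
    except PermissionError:
        blocked = True
    return e, blocked
```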
I am not prescribing that all five of the above must be met, but these vectors should be used to arrive at an assessment. Based on that assessment, appropriate security controls can be implemented to get the full business benefit of a cloud application.