Grilling vendors about security is a crucial part of assessing risk with cloud services, according to the Australian financial regulator, as is knowing when to walk away when they can't provide an adequate response.
In a speech at the CeBIT Conference in Sydney, Australian Prudential and Regulatory Authority security chief Mikhail Lopushanski urged infosec leaders to ditch discussions when vendors aren't forthcoming.
"[APRA] wanted to deploy a tool for agile development. When we approached the company, I said 'I can't see anything about security on the website, what do you do to secure your site', and they said 'we don't have anything on there'," Lopushanski said.
"So we sent some questions about their security for them to answer. They said they wouldn't provide answers unless we bought a $20,000 subscription from them. Sometimes you have to know when to walk away."
Before engaging potential vendors, organisations need to be clear about what their business requirements are and why they want to shift a given task to the cloud, Lopushanski said.
"One of the first questions that I ask executives, or business, or IT, when they say 'we want to use this cloud solution' is 'why do you want to use it?' And it's always interesting to hear the comment that comes back," he said.
"If it's [a non-IT department], it tends to be 'IT are too slow and unresponsive, we want to do it ourselves', without really realising the implications it has for them, and what sorts of things they're going to have to start looking after that they normally hand to IT."
If the push for a new tool is coming from a business division other than IT, the business needs to be aware of how processes will change, the security chief warned.
This includes the impact on any existing security controls and segregation of duties that might already be in place.
"What, specifically, is the information you're taking into the cloud? Is it confidential? Is it private information? Are there legal or legislative requirements around it? What kind of agreements are we being asked to sign?" Lopushanski said.
"In a lot of businesses you have shadow IT being formed where people are deploying solutions in the cloud without appreciating what information they're putting there, and what the security is around it."
The crucial questions
APRA takes a number of areas into consideration when conducting a risk assessment about a cloud provider, Lopushanski said.
These include the vendor's stance on classified information; data protection in transmission, storage and usage; credentials management; access control; physical security; logging; monitoring; availability; security architecture; operations; and administration.
Among the issues APRA considers is whether it can have access to breach logs or scan a service provider for vulnerabilities.
"We ask all service providers if we can run a vulnerability scanner. But it's important to ask first, otherwise they begin blocking your IP ranges and you can't use their services, so it's always best to ask them first," Lopushanski said.
"The other thing is logging. [Many organisations] have a solution that collates your logs and generates learning. When you go to cloud, are you still getting that feed?"
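The question "are you still getting that feed?" can be turned into a routine check rather than an assumption. The following is an added example, not code from APRA or from the speech: it takes the last-seen timestamps a log collector would hold for each source and flags any expected feed that has gone silent or never arrived after a cloud migration. The source names, timestamps and the 15-minute silence threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (source, event timestamp) pairs as a log collector might record them.
# The source names are illustrative assumptions, not any real organisation's feeds.
SAMPLE_EVENTS = [
    ("onprem-firewall", "2024-05-01T10:00:05Z"),
    ("onprem-firewall", "2024-05-01T10:04:50Z"),
    ("saas-crm-audit", "2024-05-01T06:30:00Z"),   # feed stopped hours ago
    ("saas-hr-audit", "2024-05-01T10:03:10Z"),
]

# Feeds the organisation expects to receive; the ERP audit feed has never been seen.
EXPECTED_SOURCES = ["onprem-firewall", "saas-crm-audit", "saas-hr-audit", "saas-erp-audit"]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Map each source to the newest event time observed for it."""
    seen = {}
    for source, ts in events:
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def stale_feeds(events, expected_sources, now, max_silence):
    """Return {source: reason} for expected feeds that are missing or silent longer than max_silence."""
    seen = last_seen(events)
    problems = {}
    for source in expected_sources:
        if source not in seen:
            problems[source] = "never received"
        elif now - seen[source] > max_silence:
            problems[source] = f"silent for {now - seen[source]}"
    return problems


def check_sample(now_str="2024-05-01T10:05:00Z", max_silence_minutes=15):
    """Run the check over the constructed sample at a fixed 'now' so the result is reproducible."""
    return stale_feeds(
        SAMPLE_EVENTS,
        EXPECTED_SOURCES,
        parse_ts(now_str),
        timedelta(minutes=max_silence_minutes),
    )


if __name__ == "__main__":
    for source, reason in check_sample().items():
        print(f"{source}: {reason}")
```

Run against real data, `now` is the current time and the events come from the collector's own metadata; the useful property is that a feed that silently stopped after moving to a SaaS provider shows up as a finding rather than as an empty search result weeks later.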
Particularly with software-as-a-service providers, Lopushanski said it is vitally important for businesses to be clear about data sovereignty and ownership.
"You should ask your service provider what kind of data centre they put their service in. Is it tier two? Tier three? Tier four? Basically, ask them where's the information housed and what sort of certification do they have for it," Lopushanski said.
"Where's that backed up to? Is it backed up to the [United] States? Is it backed up to India? You have to find out how far your data is extended to.
"Some countries treat data differently. For example, some countries don't have a privacy act, so data belongs to the company that holds the data. It's not you, it's them... That means they can use or on-sell your data."
An often overlooked consideration with software-as-a-service providers is how they back up their data, and whether databases are multi-tenanted.
"Most solutions are multi-tenanted, where you're sharing a database with everyone else. The question comes in 'how are you protecting the data' and that's a question start-up SaaS solutions struggle with," Lopushanski said.
"Usually a salesperson gives you a blank look and says 'oh it's separated, she'll be right'. But you have to take a look at how they are segregating your data.
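When a provider says the data "is separated", the concrete question is what enforces that separation on every query. The example below is added here and is not code from the speech or from any vendor: it uses an in-memory SQLite table shared by two constructed tenants and contrasts a repository that binds the tenant at construction and scopes every query with it against a lookup that relies on convention alone. Table, column and tenant names are assumptions for illustration.

```python
import sqlite3


def build_sample_db():
    """Constructed multi-tenant table: two customers share one database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (tenant_id, payload) VALUES (?, ?)",
        [("tenant-a", "a-invoice-1"), ("tenant-a", "a-invoice-2"), ("tenant-b", "b-payroll-1")],
    )
    conn.commit()
    return conn


class TenantRepository:
    """All access goes through a tenant bound at construction; callers never pass tenant_id."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def list_payloads(self):
        rows = self._conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        )
        return [r[0] for r in rows]

    def get_payload(self, record_id):
        # tenant_id is part of the WHERE clause, so a valid id belonging to another
        # tenant yields None rather than that tenant's data.
        row = self._conn.execute(
            "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None


def unscoped_get_payload(conn, record_id):
    """Deliberately weak lookup with no tenant filter: 'separated' only by convention."""
    row = conn.execute("SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_sample_db()
    print(TenantRepository(db, "tenant-a").list_payloads())
    print(TenantRepository(db, "tenant-a").get_payload(3))   # None: record 3 is tenant-b's
    print(unscoped_get_payload(db, 3))                       # leaks tenant-b's record
```

The point for a vendor conversation is which of the two patterns their code base follows, and whether anything (a row-level policy, a mandatory scoping layer, per-tenant keys) makes the unscoped form impossible rather than merely discouraged.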
"When you go into the cloud, what guarantee is there that your data can be restored? Find out what is written in the contract and, if you have cyber insurance, consider whether your cyber insurance extends all out to the cloud."
After a full risk assessment has been conducted, Lopushanski said businesses need to review whether a particular provider is suitable, along with any other issues that come up along the way.
"It's always important to go back and revisit it, because as you go through [your risk assessment] process you'll find there's a couple of other risks coming along because they've deployed a particular way," Lopushanski said.