<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>security &#8211; Northstar IT</title>
	<atom:link href="https://northstar-it.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://northstar-it.com</link>
	<description>Northstar IT</description>
	<lastBuildDate>Sat, 18 May 2013 05:27:19 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.1</generator>
	<item>
		<title>10 Security Questions to Ask Cloud Vendors</title>
		<link>https://northstar-it.com/2013/03/13/ask-potential-cloud-vendors-these-10-security-questions/</link>
		
		<dc:creator><![CDATA[Steven Mills]]></dc:creator>
		<pubDate>Wed, 13 Mar 2013 00:27:14 +0000</pubDate>
				<category><![CDATA[Front Page]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://www.northstar-it.com/?p=476</guid>

					<description><![CDATA[<p>How secure is your data... really?</p>
<p>The post <a rel="nofollow" href="https://northstar-it.com/2013/03/13/ask-potential-cloud-vendors-these-10-security-questions/">10 Security Questions to Ask Cloud Vendors</a> first appeared on <a rel="nofollow" href="https://northstar-it.com">Northstar IT</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>&nbsp;</p>
<p><a href="https://www.northstar-it.com/wp-content/uploads/2013/03/cloud-security.jpg"><img fetchpriority="high" decoding="async" class="alignright size-medium wp-image-498" alt="BST DI CoverStory 2012 Temp" src="https://www.northstar-it.com/wp-content/uploads/2013/03/cloud-security-293x300.jpg" width="293" height="300" srcset="https://northstar-it.com/wp-content/uploads/2013/03/cloud-security-293x300.jpg 293w, https://northstar-it.com/wp-content/uploads/2013/03/cloud-security.jpg 400w" sizes="(max-width: 293px) 100vw, 293px" /></a>As more businesses take advantage of the benefits of cloud services, evaluating the information security posture of a potential cloud provider is essential, but it can often seem like an exercise in futility. If you are going to trust a third party, you need to hold their feet to the proverbial fire by undertaking proper due diligence. Before deciding to engage with a cloud provider, ask them to answer (truthfully) this security questionnaire to gauge their information security maturity.<span id="more-476"></span></p>
<h3>1.  Does the organization have formal written information security policies?</h3>
<p>This is an indication of their information security program maturity (or lack thereof). Companies that have not formalized their security policies should not be trusted with your sensitive corporate/customer data. Policies form the framework and foundation; without them, security is merely an afterthought.</p>
<h3>2.  Are external third-party contracts required to comply with policies and customer agreements?</h3>
<p>Similar to the concept of subcontracting: if you entrust a cloud vendor with your information and they in turn use another provider (to store your information, for example), does the initial vendor ensure that their partners comply with the policies and security agreements that were laid out in your contract? If not, these partners weaken the overall security of the information chain.</p>
<h3>3.  Does the organization have a formal change control process?</h3>
<p>Companies that implement changes and configuration in an ad-hoc manner are more likely to experience significant downtime in their environment. The leading cause of network outages can be attributed to poor planning and lack of change control. If the data you are sending to the cloud is time sensitive, you want to go with a provider that abides by a formal change control process, thus managing the inherent risk in unplanned changes.</p>
<h3>4.  Is physical access to data processing equipment (servers and network equipment) restricted?</h3>
<p>Often overlooked, physical security is just as important as technical/logical controls. If someone can physically access your data, then all security bets are off. Ask your vendor how they control physical access to their server rooms and what procedures they have in place.</p>
<h3>5.  Do they follow secure data destruction processes for confidential data and IT equipment/media?</h3>
<p>If you are storing confidential/sensitive data in the cloud and the vendor does not properly destroy data on decommissioned equipment, the data is needlessly put at risk. Ask your vendor about their data destruction process.</p>
<h3>6.  Do they implement controls to segregate your data from other customers?</h3>
<p>The multi-tenant paradigm of cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly secured, a flaw in one client application could allow an attacker access to other tenants’ data. Additionally, check that the vendor is not using system-wide administrator accounts with “God” access to their entire cloud environment. Usage of such accounts should be minimal and should be monitored.</p>
<h3>7.  Does the organization encrypt (and regularly test) its backups?</h3>
<p>An untested backup is a useless backup. An unencrypted backup defeats the security controls in the production environment. Information needs to be protected across its entire lifecycle.</p>
<h3>8.  Does the organization have regularly tested disaster recovery plans for data processing facilities?</h3>
<p>If the data your company is sending to the cloud is time-sensitive, check with the vendor to see if they regularly test their disaster recovery plans. Well-defined plans will minimize the length and impact of a disaster.</p>
<h3>9.  Can they provide results of a third-party external audit conducted within the past two years?</h3>
<p>Generally, companies that undergo an external audit have a foundational security framework in place, and an acceptable baseline of security can be expected. A less than scrupulous vendor may claim to have undergone extensive auditing when in fact an auditor hasn’t come within 10 square miles of their business. Ask a prospective cloud vendor to provide the results of their last external audit. A transparent company will have no qualms in granting you those results. If they refuse, chances are they do not want you to know the truth about their auditing.</p>
<h3>10.  Will they provide relevant certificates of applicable compliance certifications?</h3>
<p>Vendors will often claim to be compliant with a whole gamut of certifications – ITIL, COBIT, ISO 2700, and the list goes on. Ask the vendors to provide proof of such claims. If they balk, chances are they are hiding something.</p>
<p>The cloud can be as secure as you make it. It is up to each and every cloud user to hold their cloud providers to an expected standard of security. The vendor’s underlying cloud environment is likely more secure than your local data center, but without asking the probing security questions you’ll never know.</p>
<p style="text-align: right;"><span style="font-size: xx-small;">Sources: Dominic Vogel/TechRepublic</span></p><p>The post <a rel="nofollow" href="https://northstar-it.com/2013/03/13/ask-potential-cloud-vendors-these-10-security-questions/">10 Security Questions to Ask Cloud Vendors</a> first appeared on <a rel="nofollow" href="https://northstar-it.com">Northstar IT</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">476</post-id>	</item>
		<item>
		<title>Make sure BYOD doesn&#8217;t mean ‘Bring Your Own Disaster’</title>
		<link>https://northstar-it.com/2013/02/19/byod/</link>
		
		<dc:creator><![CDATA[Steven Mills]]></dc:creator>
		<pubDate>Tue, 19 Feb 2013 07:22:28 +0000</pubDate>
				<category><![CDATA[Front Page]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[mobility]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://www.northstar-it.com/?p=376</guid>

					<description><![CDATA[<p>Mitigating risks of 'bring your own device' to work</p>
<p>The post <a rel="nofollow" href="https://northstar-it.com/2013/02/19/byod/">Make sure BYOD doesn&#8217;t mean ‘Bring Your Own Disaster’</a> first appeared on <a rel="nofollow" href="https://northstar-it.com">Northstar IT</a>.</p>
]]></description>
<content:encoded><![CDATA[<p><a href="https://www.northstar-it.com/wp-content/uploads/2013/02/byod2.jpg"><img decoding="async" class="size-medium wp-image-377 alignright" alt="BYOD photo" src="https://www.northstar-it.com/wp-content/uploads/2013/02/byod2-300x187.jpg" width="300" height="187" srcset="https://northstar-it.com/wp-content/uploads/2013/02/byod2-300x187.jpg 300w, https://northstar-it.com/wp-content/uploads/2013/02/byod2.jpg 800w" sizes="(max-width: 300px) 100vw, 300px" /></a>The idea behind BYOD (“Bring Your Own Device”) is that employees can use a personal device such as a tablet for both personal and business use. As you can imagine, the scenario of users bringing in their own devices to connect to a corporate network conjures visions of malware and/or other bugs spreading through the corporate network. This has led some people to dub BYOD “Bring Your Own Disaster”. As with many areas in IT, however, you can set some rules that should minimize the security risks of BYOD.<span id="more-376"></span></p>
<h3>Why BYOD?</h3>
<p>Many users now have devices that they are comfortable using. For example, some users may have a MacBook Pro, a Linux notebook, an iPad, or a smartphone. BYOD can assist a company by achieving savings in outlay on IT items such as laptops or PCs. Staff can use their personal devices, and by so doing can also be more connected in their off-hours and consequently more productive. The growth in BYOD has been fuelled by the growth in tablet computers and smartphones.</p>
<h3>Security Issues</h3>
<p>BYOD does bring with it a host of security issues. Malware and eavesdropping (in the case of using public Wi-Fi) are two possible risks. What we will do in this post is to take a look at some of the preliminary steps required for implementing BYOD. Ideally, a policy document on BYOD should be created and all staff members should receive a copy.</p>
<h3>What devices are supported?</h3>
<p>A good starting point for BYOD is: What sort of devices should be able to access the corporate network? Following on from this, what sort of operating systems should be supported on the corporate network, and what version(s)? The supported devices will, in some respects, be driven by what applications are required. A Windows 7 application, for instance, may have no equivalent on an iPad. If it is a critical application, then personnel won’t be able to use an iPad on the corporate network until the application is ported to iOS.</p>
<h3>What levels of access are permitted?</h3>
<p>Some users may be allowed different access depending on their job function. As an example, sales people may use tablets more than standard laptops/PCs. Support staff may use laptops or tablets when on the road. What this may mean is that support staff will have intrinsically different requirements for access compared to, say, sales. Support staff may, for example, require access to in-house knowledge bases or to other databases. Sales personnel may only require intranet, email and messaging access.</p>
<h3>What corporate applications are required?</h3>
<p>The next consideration is what applications need to be installed on the user’s device. Depending on the user groups, some users may have access to differing levels of data. As mentioned above, support staff would generally need to access support databases, whereas other staff may only need access to email and the corporate intranet.</p>
<p>In addition to deciding what corporate applications are required, you may need to decide what sort of antivirus protection should be installed on a device. Other applications that may need to be installed are email clients, messaging, and Virtual Private Network (VPN) software – for staff that are likely to be working remotely.</p>
<h3>Using a VPN for Remote Access</h3>
<p>In particular, using a device on public Wi-Fi networks is probably the biggest headache. This is where a VPN solution is required. A VPN will require authentication and will encrypt data. For this reason, a VPN client must be among the software solutions installed on a user device. There are a number available. The ones I have used are the Cisco VPN client and its successor, AnyConnect.</p>
<h3>Set Passcodes</h3>
<p>One area that is frequently overlooked on tablets and smartphones: <i>set a security code.</i> This is possibly the most important part of BYOD, particularly for personnel that are likely to be using public Wi-Fi networks. Theft of a device that has no passcode may still not let a casual user in, but having a passcode should be the primary level of defense.</p>
<p>In summing up, your BYOD policy needs to cover:</p>
<ul>
<li>First, what types of devices are permitted access, such as Android, iPad, MacBook, Wintel, and what version of the operating system is required.</li>
<li>Second, decide which access level your different groups of users require.</li>
<li>Next, determine what applications are required for a user.</li>
<li>Fourth, and most important, a VPN is required for personnel likely to be using public Wi-Fi networks.</li>
<li>Finally, educate users about the importance of setting passwords and passcodes.</li>
</ul>
<p>These guidelines should help maintain the security of corporate data.</p>
<p style="text-align: right;"><span style="font-size: xx-small;"><i>Source: Scott Reeves, TechRepublic</i></span></p><p>The post <a rel="nofollow" href="https://northstar-it.com/2013/02/19/byod/">Make sure BYOD doesn&#8217;t mean ‘Bring Your Own Disaster’</a> first appeared on <a rel="nofollow" href="https://northstar-it.com">Northstar IT</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">376</post-id>	</item>
	</channel>
</rss>
