What cloud security controls are best for due diligence?
With increasing use of cloud sending more enterprise data outside of the organization's control, due diligence is crucial. Expert Dan Sullivan offers advice on how to get it right.
My organization is increasing cloud use and was told that extensive due diligence was critical. What are some of the cloud security controls that should be considered for both internal and cloud provider due diligence?
Due diligence is the process of evaluating cloud vendors, and in some cases internal procedures and resources, to ensure business objectives are met and the company's interests are protected. In the case of selecting a cloud computing provider, due diligence entails investigating the potential cloud providers to understand how they implement best practices, protect their customers' assets and meet the scope of your requirements.
Due diligence should include verifying that the cloud provider can offer the cloud security controls and meet the scope of services expected by the enterprise. A request for proposal (RFP) can be used to define what is expected and cloud providers can then use the RFP to formulate their responses. The RFP should specify what is required in terms of service-level agreements, cloud security controls, compliance requirements, data and systems integration needs, service management, access to cloud provider audit reports, and in some cases on-site reviews.
Customers should review the certifications obtained by cloud providers. Amazon Web Services (AWS), for example, publishes a risk and compliance whitepaper that describes its risk management practices and cloud security controls. It also lists its certifications with respect to ISO 9001, HIPAA, PCI DSS and others.
When reviewing certifications, consider which specific services each certification covers. For example, AWS EC2, S3 and Redshift are all certified for use with data subject to HIPAA regulation, but others, such as Simple Queue Service and the Container Service, are not. In some cases, such as Elastic MapReduce, particular configurations are required to comply with HIPAA requirements.
When conducting due diligence, use multiple techniques, including document review, proofs of concept and trial evaluation periods, to collect as much information as possible and so mitigate risk to your organization.