Tips for Vetting the Security of Cloud Service Providers
How to Vet Cloud Vendors and Make Sure CSPs Are Used Securely
A modern enterprise uses the cloud and cloud service providers (CSP), period. Your employees might use DropBox or OneDrive to access work data remotely. You might communicate with your vendors mostly through a portal that accepts invoices and generates work orders.
At the top end, your organization might deploy a vast amount of custom software and customer data on top of a server cluster in someone else’s data center. The use of the cloud to host and share data within and between enterprises presents a wide array of attack surfaces to exploit.
Understanding all of the additional third and fourth party services the cloud service provider uses to make up its service is also of great concern when performing due diligence on cloud providers.
How can you vet cloud technologies and vendors, and make sure that these services are used securely?
Encryption Is Your First Line of Defense
Encryption is one of the best ways to secure data, both on and off the cloud. While some companies handle encryption independently of their cloud service providers, not all companies have the knowledge or budget to do so. In these cases, many cloud service providers (CSPs) can provide encryption services, and do so by default. However, there’s a bit of variance in the way that CSPs provide encryption.
Understanding in detail how CSPs handle encryption should be one of the earliest steps in the vetting process.
The Best CSPs Don’t Only Encrypt Data Once It Reaches Their Servers
Ideally, these services will use some protocol such as transport layer security (TLS) in order to prevent attackers from intercepting data as it is transmitted from the enterprise. While TLS is perfectly secure, some companies still use SSL, which should be a bit of a red flag. An exploit known as POODLE (akin to Heartbleed) has made SSL inadvisable for use as a secure transit protocol.
When a Cloud Service Provider Is Breached, Who’s at Fault?
The CSP might not be entirely to blame. In fact, it’s likely that a CSP devotes more of its attention and budget dollars to security than do most small and medium businesses. If a CSP provides you with security tools, and you fail to use them, or fail to use them correctly, then your enterprise might end up being the entry point for an attacker.
On the other hand, if the CSP’s security is weak, your company might end up becoming unfairly blamed (assuming you performed the necessary due diligence beforehand) for a breach you didn’t cause.
Tip for SecurityScorecard Customers: Type in a website address into the platform to perform an instant security audit and retrieve detailed security-risk information, without intruding on a vendor’s system.
These disputes are where your contract will come in handy. Here is some advice:
The first thing you really want to see is an indemnification clause, a paragraph stating that you will be reimbursed a certain amount (usually twelve months’ worth of fees) in the event that your CSP is responsible for a breach in which your data is compromised.
You’ll also want to clarify the means by which fault is determined. This is sometimes tricky in cases where the consumer provides more than just data. For example, in a platform as a service (PaaS) scenario, the vendor only provides the servers and the internet connection, whereas the customer configures the servers, installs software, and hosts data.
In this scenario, if a breach occurs, either the vendor or customer might have created a vulnerability.
Prepare for the Inevitable
Just because a CSP is well-known or widely used, that doesn’t mean it’s impervious to a breach. Evernote, Adobe Creative Cloud, and Slack are all popular services, and they’ve all suffered recent, high-profile attacks. At this year’s BlackHat, researchers from Imperva demonstrated that they could hijack a user’s DropBox account without even stealing login credentials.
At this point, it is wise to assume that no matter what CSP you choose, it will one day be breached. Therefore, it is imperative not only to vet a CSP on the basis of their security protections, but also their strategy for incident response and breach disclosure.
For example, Evernote had a particularly laudable breach disclosure strategy — which preemptively reset all customer passwords, sent out a detailed and informative email to all 50 million exposed customers, and patched their product across multiple platforms rapidly.
When your CSP is breached, do they have the will and the capability to perform similar remediation?