Cloud Assessments

Assessing the risk of a Cloud vendor has some unique challenges.

The biggest challenge to assessing a Cloud vendor is massiveness. The chief advantage of Cloud Computing is that the massive scale of a service can bring functionality, resiliency and security to an organization that probably could not build such a service on its own. This massiveness works against traditional methods of assessing risk.

The traditional method would be for an organization's security team to ask a bunch of questions of the vendor; some teams would have questionnaires or checklists for the vendor to fill out.

Can you imagine the scene? A Disneyland ride through a Google data center. Thousands of security professionals representing hundreds of organizations lining up to enter per day. Their ticket to enter? A checklist of security questions and standards. Their purpose? The assessment of the Google Cloud. The ride's track on one side of the glass wall, blinking lights on the other. Automatonic robots answering the same security questions patiently. At the end of the ride each security professional has his ticket of questions returned completely filled out.

Clearly, this won't work. 

The Cloud Security Alliance (CSA) provides a lot of information about Cloud security standards and how a Cloud vendor can be measured. Most of their information is for folks who want to be in the business of assessing Cloud vendors but regular organizations can use this information too.

If you have been asked to evaluate the security of a Cloud vendor, then this is where you should start. Familiarize yourself with how the CSA thinks about Cloud security and what they think is important. It's a mistake to think of the vendor's infrastructure as being like yours, just bigger. They have different technologies than you do and their stack is probably much different.

The point of this is that many of the security controls that we might implement at the enterprise level probably don't make any sense for a cloud vendor and the security controls a Cloud vendor implements would not necessarily make any sense in our environments. So, become familiar with the CSA criteria and use it to your advantage. 

You can't stop there and buy a ticket to Google's Disneyland. The CSA also has something called the CSA STAR Registry. The STAR Registry is a great resource because it contains each participating Cloud vendor's answers to the CSA standard.

If a Cloud vendor is a member of the CSA, or even in the registry, that is information you can use to evaluate them. Especially if their documentation in the registry aligns with your goals.

Every Cloud vendor risk assessment should address information contained (or not) in the CSA registry.

Some vendors are not in the registry, or the information you get from the registry is not enough for you to make an evaluation. Some vendors don't even belong to the CSA! What to do?

Many Cloud vendors go the route of adherence to standards like ISO 2700 or FISMA/NIST 800-53. Many document third party assessments like SSAE 16 or SAS 70. Others may document compliance to things like HIPAA or the PCI DSS.

Another source of information is the vendor's own marketing material and white papers. Yes, unsubstantiated claims are little more than empty boasts, but they might give you insight into how things work.

Use Google search. Ask, "How secure is...." and you will get lots of information. Just remember, the Internet contains all possible opinions, some smart and some not. Your job is to judge the merits of these opinions and come to a conclusion.

Don't rely on contracts to help you much. Cloud vendors will never take responsibility for damages beyond the cost of the service. Yes, negotiate for the best possible deal, but realize promises in a contract are not ironclad assurances. Contracts simply spell out expectations and consequences.

An analysis of what sort of impact a breach would have on a vendor can give you a rational idea of how they should prioritize security, but remember that people and organizations aren't always rational. Look for signs of arrogance or excessive risk taking.

All of these factors should be documented in a formal risk analysis document and a group of both technical and business members should make a determination. Remember, it doesn't make sense to spend a lot of money securing the pictures of the last company picnic... or maybe it does.