
Are You Asking The Right Cloud Security Questions?

Published by Mike Solinap
on September 25, 2014

In my most recent blog articles, I discussed a few aspects an organization might want to consider when looking at a cloud-based solution. Security is one of the top issues on the list. Regardless of whether your application handles highly sensitive data such as patient records or only information that is already public, security remains a major concern.

Sensitive data can fall into the wrong hands, and public websites can be defaced or modified in a way that misrepresents the original owner. So at best, your website’s main page announces that it was hacked by the Anonymous group. At worst, your customers’ credit card and personal information ends up in the hands of criminals.

There are obvious questions you might want to ask yourself when considering a potential cloud provider. Are they ISO 27001 certified? Are they PCI DSS compliant? If you are a government-related entity, have they gone through DIACAP testing procedures (or, as of 2014, the DoD RMF process that replaces it)? Additionally, you might ask what type of infrastructure hardware is being used, and who has access to that infrastructure.

However, there are less obvious questions that you may be overlooking:

Do you have the right tools to discover vulnerabilities?

For network-based vulnerabilities, a scanner such as Nessus or Qualys is essential. For more in-depth penetration testing, Metasploit is also a great tool to have in your back pocket. Nessus and Qualys mostly report known-vulnerable versions and misconfigurations seen from the outside; Metasploit lets you actually exercise a finding, including application-level flaws such as SQL injection, so you learn whether an issue is exploitable rather than merely reported. A Metasploit “cheat sheet” is available here.

Are secure transports available?

Your application uses SSL/TLS to interact with its clients. But what about backend connections? Does your database support TLS, and is your client configured to require it and verify the server’s certificate, rather than merely prefer it and fall back to plaintext? What about WAN connectivity back to corporate? Is an IPsec tunnel available?
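As an added example (not code from the original post), here is a small Python audit of the backend side of that question: it flags connection strings that only allow or prefer TLS instead of requiring a verified server certificate, and it builds a client TLS context that refuses anything below TLS 1.2. The DSNs are constructed, the `sslmode` semantics are libpq’s, and the scheme lists, the `context_is_hardened` check and the CA file path are assumptions made for illustration.

```python
"""Audit backend transport settings: does a connection string actually verify the
server, or does it only 'prefer' TLS?  Added illustration, not code from the post;
the DSNs and the scheme lists are constructed/assumed."""
import ssl
from urllib.parse import parse_qs, urlparse

# libpq sslmode values that verify the server certificate.  "require" encrypts but
# accepts ANY certificate, so an attacker on the path can terminate TLS with a
# self-signed cert.  libpq's default, "prefer", silently falls back to plaintext
# when the server declines TLS.
PG_VERIFYING_MODES = {"verify-ca", "verify-full"}

# Assumed for this example: schemes that carry no TLS, and their TLS counterparts.
PLAINTEXT_SCHEMES = {"http", "redis", "amqp", "ldap", "ftp"}
TLS_SCHEMES = {"https", "rediss", "amqps", "ldaps", "ftps"}


def audit_dsn(dsn: str) -> list:
    """Return a list of findings for one connection string; [] means acceptable."""
    findings = []
    url = urlparse(dsn)
    scheme = url.scheme.split("+", 1)[0]           # "postgresql+psycopg2" -> "postgresql"
    params = {k: v[-1] for k, v in parse_qs(url.query).items()}

    if scheme in ("postgres", "postgresql"):
        mode = params.get("sslmode", "prefer")     # libpq default when the key is absent
        if mode not in PG_VERIFYING_MODES:
            findings.append(f"sslmode={mode}: TLS not enforced or server certificate not verified")
        elif mode == "verify-ca":
            findings.append("sslmode=verify-ca: chain is checked but not the hostname; use verify-full")
    elif scheme in PLAINTEXT_SCHEMES:
        findings.append(f"{scheme}: plaintext transport; use the TLS variant ({scheme}s) or an IPsec tunnel")
    elif scheme not in TLS_SCHEMES:
        findings.append(f"{scheme}: transport security unknown to this audit; check the driver's TLS options")
    return findings


def backend_tls_context(ca_file=None) -> ssl.SSLContext:
    """Client context for any backend that speaks TLS (database, queue, internal API).

    ca_file: the private CA that signed the backend's certificate (an assumed path in
    your deployment); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED            # refuse unauthenticated servers
    ctx.check_hostname = True                      # the cert must name the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0 or 1.1 at all
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """The check to run in CI against whatever context your driver ends up using."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    for dsn in (                                   # constructed sample DSNs
        "postgresql://app:s3cret@db.internal:5432/orders",
        "postgresql://app:s3cret@db.internal:5432/orders?sslmode=require",
        "postgresql://app:s3cret@db.internal:5432/orders?sslmode=verify-full",
        "redis://cache.internal:6379/0",
    ):
        print(dsn, "->", audit_dsn(dsn) or "ok")
    print("hardened context:", context_is_hardened(backend_tls_context()))
```

The point of `audit_dsn` is that the first DSN, with no `sslmode` at all, is the one most deployments actually ship, and it is the one that quietly downgrades to cleartext. Run it over every connection string in your configuration, not just the database’s.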

What types of tenancy are available?

In certain situations, a customer may not be allowed to share physical hardware with other customers. Are dedicated servers available? If so, do they allow the flexibility that a typical cloud offering has? Or are you essentially forced to buy hardware configurations that don’t easily scale?

Do you need encrypted storage?

If the data being stored is extremely sensitive, you can run an encrypted filesystem in the cloud. On Linux, LUKS (set up with cryptsetup) makes it straightforward to encrypt a partition or block device. If the cloud provider suffers a physical breach, or if someone is somehow able to mount an image or snapshot of your volume, the contents are unusable without the key. Two caveats: this protects data at rest only, since while the volume is unlocked and mounted the key is in memory and the data is readable to anyone on the instance; and it is only as good as where you keep the passphrase or keyfile, which must not sit on the same image.
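Once a volume exists, the question becomes whether it was set up well. As an added example (not from the original post), the Python below parses the header summary that `cryptsetup luksDump` prints for a LUKS1 container and flags a watermarkable cipher mode, a legacy hash, an undersized master key and surplus enabled key slots. The two dumps are constructed samples in the LUKS1 layout, the acceptance policy is an assumption, and the checker deliberately refuses anything but a version 1 header rather than guess at the LUKS2 layout.

```python
"""Audit a LUKS1 header from `cryptsetup luksDump` output before trusting a cloud
volume with sensitive data.  Added illustration; the dumps are constructed, not
captured from a real device."""
import re

# Constructed sample: a weak LUKS1 container as luksDump would describe it.
WEAK_DUMP = """\
LUKS header information for /dev/xvdb1

Version:       \t1
Cipher name:   \taes
Cipher mode:   \tcbc-plain
Hash spec:     \tsha1
Payload offset:\t4096
MK bits:       \t128
MK digest:     \t(omitted in this constructed sample)
MK salt:       \t(omitted in this constructed sample)
MK iterations: \t8000
UUID:          \t00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
\tIterations:         \t8000
\tSalt:               \t(omitted)
\tKey material offset:\t8
\tAF stripes:            \t4000
Key Slot 1: ENABLED
\tIterations:         \t8000
\tSalt:               \t(omitted)
\tKey material offset:\t264
\tAF stripes:            \t4000
Key Slot 2: DISABLED
"""

# Constructed sample: the same device formatted the way we would want it.
STRONG_DUMP = """\
LUKS header information for /dev/xvdb1

Version:       \t1
Cipher name:   \taes
Cipher mode:   \txts-plain64
Hash spec:     \tsha256
Payload offset:\t4096
MK bits:       \t512
MK digest:     \t(omitted in this constructed sample)
MK salt:       \t(omitted in this constructed sample)
MK iterations: \t250000
UUID:          \t00000000-0000-0000-0000-000000000001

Key Slot 0: ENABLED
\tIterations:         \t1000000
\tSalt:               \t(omitted)
\tKey material offset:\t8
\tAF stripes:            \t4000
Key Slot 1: DISABLED
"""


def parse_luks_dump(text: str) -> dict:
    """Collect the top-level 'Field: value' lines; indented keyslot detail is skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in ("\t", " "):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    fields["enabled_slots"] = re.findall(r"^Key Slot (\d+): ENABLED", text, re.M)
    return fields


def audit_luks_header(dump_text: str) -> list:
    """Return findings against an assumed policy; [] means the header looks sound."""
    f = parse_luks_dump(dump_text)
    if f.get("Version") != "1":
        return [f"Version {f.get('Version')!r}: this checker only understands LUKS1 dumps"]
    findings = []
    name, mode = f.get("Cipher name", ""), f.get("Cipher mode", "")
    if name not in ("aes", "serpent", "twofish"):
        findings.append(f"Cipher name {name!r}: not a cipher this policy accepts")
    if mode != "xts-plain64":
        findings.append(f"Cipher mode {mode!r}: use xts-plain64 (cbc-plain is watermarkable; "
                        "xts-plain wraps its 32-bit IV past 2 TiB)")
    if f.get("Hash spec") in ("sha1", "ripemd160"):
        findings.append(f"Hash spec {f['Hash spec']}: legacy PBKDF2 hash; use sha256 or sha512")
    bits = int(f.get("MK bits", "0"))
    needed = 512 if mode.startswith("xts") else 256    # XTS splits the key in two halves
    if bits < needed:
        findings.append(f"MK bits {bits}: below {needed} for mode {mode!r}")
    if len(f["enabled_slots"]) > 1:
        findings.append(f"{len(f['enabled_slots'])} key slots enabled: confirm every "
                        "passphrase or keyfile is accounted for")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("strong", STRONG_DUMP)):
        print(label, "->", audit_luks_header(dump) or "ok")
```

Feed it the real output of `cryptsetup luksDump /dev/yourdevice` rather than the samples. The key-slot check is the one people forget: a slot added for a contractor or an old automation key stays valid until it is explicitly removed.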

Have you secured your own applications?

You can choose to partner with the most secure cloud provider in the world, but the solution will only be as secure as its weakest link. Get your own application in order first, before introducing additional variables.
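To make that concrete, and to show the kind of application-level flaw mentioned under the tooling question above, here is an added example (not code from the original post) of the weakest link in miniature: a lookup that splices user input into SQL, beside the parameterised form, run against an in-memory SQLite database. The schema, the rows and the two payloads are constructed; no real credentials or systems are involved.

```python
"""The gap between 'the scanner found nothing' and 'the app is secure': a SQL
injection that a version-based scanner will not see, beside the parameterised fix.
Added illustration, not code from the post; the schema and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (no real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password_hash TEXT NOT NULL,
            role TEXT NOT NULL
        );
        INSERT INTO users (username, password_hash, role) VALUES
            ('alice', 'hash_a', 'admin'),
            ('bob',   'hash_b', 'user');
    """)
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """The weak link: user input is spliced into the SQL text, so the caller
    controls the query, not just the value being searched for."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    """Hardened form: a bound parameter is always data, never SQL, whatever
    quotes or keywords it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads of the kind an exploitation framework would try.
TAUTOLOGY = "x' OR '1'='1"                                        # match every row
EXFIL = "x' UNION SELECT username, password_hash FROM users --"   # pull other columns


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(db, TAUTOLOGY))  # every user
    print("vulnerable, exfil:    ", find_user_vulnerable(db, EXFIL))      # password hashes
    print("safe, tautology:      ", find_user_safe(db, TAUTOLOGY))        # []
    print("safe, exfil:          ", find_user_safe(db, EXFIL))            # []
```

Note what the second payload does: the `UNION` turns a name lookup into a read of the `password_hash` column, which is exactly why the database account your application uses should also be limited to the tables and operations it genuinely needs. Parameterisation fixes the bug; least privilege limits what the next bug can reach.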
