When you provide cloud services, security should be at the forefront of your concerns. Cloud security requires a collaborative effort between CSPs and MSPs. You must ensure that the cloud infrastructure is secure and that data remains protected at all times. This means determining who controls the various components of the cloud infrastructure and how security measures are applied.
Before we list the ten questions, it’s important to understand who is responsible for cloud security. The cloud provider must ensure services are reliable, available and secure. The primary security measures used to secure the Cloud include:
The three security measures at the control level are:
MSPs are responsible for access and identity management, while privileged identity management is a shared responsibility between the cloud provider and the MSP.
IaaS, PaaS, SaaS: Among the different cloud models, the MSP must assume responsibility for IaaS security, while the cloud provider is responsible for the secure transition from IaaS to SaaS.
With PaaS and SaaS, the responsibility for cloud security is shared. With PaaS, the cloud provider must secure the database using sophisticated tools to monitor and secure access.
The cloud provider is responsible for securing application program interfaces (APIs) and auditing. Although the MSP controls the data, the cloud service provides the application, and these security measures must be implemented:
For SaaS applications, the cloud provider develops and operates the application and delivers it to users. Application code scanning, security management, and vulnerability testing can provide the high level of security that cloud services require.
Regarding infrastructure for SaaS, IaaS and PaaS, it’s up to the MSP to ensure security. With the SaaS model, the cloud consumer’s responsibility lies with the security of their own infrastructure.
MSPs must use appropriate security measures including:
The cloud provider must ensure the physical security of the cloud system. But as an MSP, you must protect the endpoints your clients use to access cloud services.
With IaaS, the MSP is responsible for network security and communication encryption. With PaaS and SaaS, this responsibility lies with the cloud provider since they have appropriate security technologies in place.
A cloud provider should offer services for various IT security levels (e.g., identity and access management). They can also help MSPs comply with security regulations through certifications such as COBIT and SOC 2.
These particular certifications require that security controls are built during cloud application development. Other security measures include effective access management, vulnerability assessments, penetration testing, and compliance verification.
Always ensure that cloud storage services provide local encryption for data. This offers a second layer of security because files must be decrypted before anyone can read them. Encryption keeps data away from everyone who lacks the key, including service providers and administrators. Taking this small preventive measure can ensure your clients’ most sensitive information remains highly secure.
1. What’s your role in protecting data in the Cloud? Most cloud providers assume a shared responsibility for security.
2. What is your uptime guarantee (SLA)? Most cloud providers offer 99.9% uptime.
3. Where are your data centers located? They should reside in multiple locations within the US.
4. Who can view data in the Cloud? They must have internal controls in place to prevent unauthorized viewing or copying of data.
5. Do you encrypt all data transmissions in data centers, including server-to-server transmissions? Traffic between the cloud provider and client should be encrypted to ensure integrity and confidentiality.
6. Do you keep signed audit trails of who performed what actions when, both through your UI and API? This is helpful for troubleshooting and performing root-cause analyses.
7. Do you provide access to all data logs? This is a given. Any CSP should provide this.
8. How do you handle the exit process to ensure secure and successful transitions to other cloud providers? Can they provide evidence that data will no longer reside on the cloud service after the transition?
9. Do you provide ISO 27001:2013 certification? If so, what’s within its scope? This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system.
10. Can we perform scheduled penetration tests for the production environment or another designated environment? CSPs that allow their customers to perform this testing are transparent about their security practices.
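To make question 6 concrete, here is an added illustration (example code written for this article, not any CSP’s actual logging implementation) of what a signed audit trail gives you: each record names who did what, when, and through which channel (UI or API), is chained to the previous record and HMAC-signed, so an edited or deleted record is caught at verification time. The signing key and the log entries are constructed for the demo.

```python
"""Tamper-evident audit trail: hash-chained, HMAC-signed entries."""
import hashlib
import hmac
import json

# Constructed demo key; a real provider would keep this in an HSM/KMS,
# separate from the log store, so a log administrator cannot re-sign entries.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(trail: list, actor: str, action: str, channel: str, when: str) -> dict:
    """Append a signed record of who performed what action, when, via 'ui' or 'api'."""
    prev = trail[-1]["sig"] if trail else GENESIS
    body = {"seq": len(trail), "actor": actor, "action": action,
            "channel": channel, "when": when, "prev": prev}
    sig = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, sig=sig)
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> tuple:
    """Walk the chain, recomputing every signature. Returns (ok, reason)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, f"chain break at seq {i}"  # reordered or deleted record
        expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["sig"]):
            return False, f"bad signature at seq {i}"  # edited record
        prev = entry["sig"]
    return True, "ok"


def demo() -> tuple:
    """Build a constructed three-entry trail, then check a clean, an edited and a truncated copy."""
    trail = []
    append_entry(trail, "alice@msp.example", "bucket.policy.update", "ui", "2024-03-01T09:15:00Z")
    append_entry(trail, "svc-backup", "object.read", "api", "2024-03-01T09:16:42Z")
    append_entry(trail, "bob@msp.example", "user.role.grant", "api", "2024-03-01T09:20:07Z")
    clean = verify_trail(trail)
    edited = [dict(e) for e in trail]
    edited[1]["actor"] = "alice@msp.example"  # rewrite who performed the read
    deleted = trail[:1] + trail[2:]  # drop the middle record
    return clean, verify_trail(edited), verify_trail(deleted)
```

Only the holder of the signing key can produce a valid chain, which is why the key must live outside the log administrators’ reach for the trail to be evidence rather than just a convenience for troubleshooting.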
Both the cloud provider and the MSP must secure data in the Cloud. It’s a team effort.
In the meantime, stay up-to-date on what’s coming for MSPs regarding the Cloud. Visit our Blog where we provide current articles each month. Here are a few examples of what you’ll find: