In an article for GovInfoSecurity, Melissa Hathaway outlines five questions that chief information officers (CIOs) and chief information security officers (CISOs) should ask when weighing the risks and benefits of the cloud.
Question 1: “Does your provider ensure the confidentiality, integrity and availability with mature processes, proof of past performance, understanding of and mechanisms for disaster recovery options, and encrypted backups?” Hathaway asks.
Getting answers to this question from your cloud provider clarifies, among other things, where your data is stored and how it is protected.
“Presume that your data is replicated and know how quickly it can be restored in the event of an emergency,” Hathaway writes. “Understand the provider’s ability to surge on demand of need, so that if faced with a distributed denial of service attack or some other event that may affect essential services, you know you will be able to keep your mission critical applications up and running.”
Question 2: How will the cloud provider implement data segregation, given that the cloud often hosts multiple organizations’ data?
“Understand whose responsibility it is to notify another party of a breach in security,” Hathaway writes. “Demand transparency of the environment that you are “renting” and now responsible for maintaining the integrity and confidentiality of the data and service stored therein. After all, you are accountable to your cabinet secretary and to Congress for the services rendered by your agency.”
Question 3: Ask how your cloud provider maintains and collects activity logs.
“Presuming all of the data is stored in the United States, you should know when and if this data was accessed by any other entity,” Hathaway writes. “If this data is stored outside of the United States, know when it is accessed and under what authorities it is accessed. If data is shared or backed-up across multiple data centers, ensure that you know where it is stored and how readily it can be restored.”
Question 4: How compliant is the cloud provider when it comes to certification and applicable laws?
“Every government CIO and CISO must know these standards, wherever your data is stored, because unless Congress preempts the states, the laws of the states in which data resides are the laws you must follow,” Hathaway writes. “Demand to be able to audit your cloud provider. Ensure that you can implement continuous performance monitoring against your data in the cloud. Leave yourself flexibility for the next audit and compliance regime.”
Question 5: Is your cloud provider able to attest to the security of the environment?
“As a buyer of the service, you may need to implement data labeling (classification, releasability and authorities),” Hathaway writes. “You may also need to implement privilege-based access controls for data stored in the cloud, as well as for users who access cloud-based applications. Finally, you will need to work with the cloud provider to ensure that the architecture, configuration, policies and processes meet your security needs and that you are permitted to regularly conduct vulnerability assessments and red-teaming or penetration testing to verify the security posture.”