With technology budgets increasingly managed outside of IT, it’s not unusual for enterprise business units to champion new cloud technology initiatives only to have them hit a roadblock with InfoSec. If you and your team are lobbying for a particular cloud solution, you can avoid such pitfalls by anticipating questions commonly posed by InfoSec.
I once led an innovative, game-changing marketing initiative at a Fortune 500 company that involved a third-party, hosted cloud service. Buoyed by the endorsement of every C-Level executive, the project was cruising towards success but encountered problems post-launch since I didn’t get complete buy-in from the InfoSec team (doh!). To sum it up, the vendor’s website hosting model didn’t meet InfoSec’s requirements, causing our company network to block user access in some regions.
As the saying goes, this experience represented another ______ growth opportunity. Over a gut-wrenching few weeks, I worked with InfoSec and the cloud services provider to address the security gaps that threatened the project. Thankfully, my company saw the project’s value and the vendor hustled to address outstanding issues. In the end, the program launched successfully, with most of my colleagues blissfully unaware of the rocky start
Why the Close Call?
I learned some hard lessons through this experience. As an innovator in my business unit, I was focused on launching a brand new initiative. At the time, there were no processes in place to facilitate my engagement with InfoSec nor did I know to pursue this on my own. However, in the course of launching the program, I unwittingly uncovered some serious security loopholes.
For those of us outside of IT, a meeting with InfoSec can feel like a visit to the dentist, where fear, pain, and laborious protocols delay our impatient ascent to more important things. While this speaks volumes to the problems of siloed departments – a good topic for another blog – let’s just say that a few days spent in the InfoSec doghouse showed me I had InfoSec all wrong.
It’s their Job to Ask Questions
InfoSec teams are trained to think like hackers and look for vulnerabilities that can take down the company. Like IT bloodhounds, they sniff out risks, and their meticulous and skeptical approach is what helps their company avoid breaches. It’s InfoSec’s job to ask tough questions. As a new idea champion, it’s your job to help them to their job, and to ensure your shiny new project doesn’t take on undue risk for the company as a whole.
20 Questions for Your Cloud Vendor
Based on my hard-won lessons, below are 20 questions an enterprise InfoSec team is likely ask your chosen cloud vendor. By educating yourself ahead of time and ensuring that your vendor can nail these questions up front, your awesome, new cloud project may actually see the light of day. Moreover, you’ll be able to partner with the InfoSec team rather than needlessly force them to undertake your due diligence.
- Does the vendor and its subcontractors have an enterprise security mindset and certifications to prove it? Enterprise-level cloud vendors should have credentials such as ISO27001, NIST 800-53, PCi DSS, SSAE-16 that are also easy to audit. Be ready to list these certifications in detail and provide proof. If the vendor gets glassy-eyed at this request, they may not be enterprise-ready. In Druva’s case, we certify our application as well as our Service Providers, addressing fourth party risk.
- What SLAs are in place? Make sure to select a cloud vendor with security SLAs that are even better than your internal ones.
- Can customers do a penetration (PEN) test? PEN testing is where a company accesses vendor code and then attempts to breach security, reporting back afterwards on issues to be addressed before project adoption. Any vendor worth their salt will be willing to support this step, which will add roughly 2 weeks to your project schedule.
- How many vendor personnel have access to customer data? Ideally, no one outside your company will have access to your data, but you’ll need strict rules, regulations and encryption in place to make this a reality.
- Does the vendor do background screening for its employees? You should make sure that the vendor exercises appropriate caution regarding who they trust with your data.
- What are the procedures surrounding the on-boarding and off-boarding of vendor personnel? InfoSec will want to see solid training and security protocols around access, equipment, etc.
- Do vendor employees have remote capabilities? If their employees work remotely, the vendor will need to demonstrate that they have specific measures in place to ensure security.
- Does the vendor outsource any service operations? InfoSec will want to know if there are any weak links in the vendor chain that could spell problems later on.
- How is data encrypted? Look for encryption methods that allow customer to maintain control of their encryption keys.
- Does the vendor’s data encryption model prevent vendor lock-in? Avoid vendors that use proprietary point solutions to manage data encryption and the encryption keys themselves. Just because an organization chooses to encrypt its data doesn’t mean they have to be locked into a single vendor forever.
- What cloud does data live on? Does customer data reside on a private cloud or public cloud? Or perhaps a hybrid cloud? Many vendors will provide detailed information on this to educate their customers.
- Will customer information be stored in a fashion that gives segmentation from other tenants? How does the cloud vendor’s security mechanisms enforce segmentation and prevent data leakage? Look beyond simple vendor encryption as the only form of enforcing segmentation between customers. Encryption coupled with deduplication technology that shards data into non-contiguous objects that simultaneously segments metadata provides multiple layers of security. This type of functionality only comes with cloud native enterprise data protection technologies.
- How does the cloud service provider manage encryption keys? Look for a cloud service provider that uses a standards based mechanism for encryption and key management. While envelope encryption is a very mature mechanism for protecting data in the cloud, key management standards are by no means mature. Be wary of any cloud vendor who requires the use of proprietary key management solutions. These are not only unvalidated from a security perspective, but lead to significant vendor lock in as well as put your data at risk.
- Where is vendor data stored by region? You should know the vendor’s data residency policies and whether their data abides by the European Union’s General Data Protection Regulation (GDPR) or other regulations.
- How does the vendor identify, respond to, and mitigate suspected or known security incidents? During an incident investigation, is evidence properly collected and maintained? Is there a formal process for escalating and communicating incidents internally or to outside authorities?
- Who should customers contact in case of a security issue involving or impacting the vendor’s product? There are several things to look for here, including a specific contact person(s), the vendor’s guaranteed response to initial contact, how they prioritize issues (e.g. low vs. high, a 0-4 scale, etc.) and how quickly they’ll implement fixes based on priority.
- How does the vendor manage privileged accounts? The vendor should be able to explain how they keep holders of administrative accounts from using those accounts for non-administrative activities such as e-mail and web browsing.
- What sort of physical security does the vendor maintain on premise, where customer information is stored? Be able to explain how the vendor use security guards, closed circuit television, or other security measures to protect their physical infrastructure where data is stored.
- Has the vendor ever experienced a denial-of-service attack? It’s important to see the vendor’s response to attacks that try to withhold data or thwart backup or restore functions.
- Has the vendor experienced any data breaches in last 364 days? You want to know if the vendor is the target of recent attacks and if so, how they handled them.
Getting Your Ducks in a Row
The key to working with InfoSec is to engage them early on, at the demo and proof of concept (POC) portion of your new idea. InfoSec needs to be engaged at the beginning of the project and someone from InfoSec should be assigned as a resource on your project so there are no surprises. Better yet, start the project off right by arming the InfoSec team with a project FAQ or spreadsheet and the Request for Proposal (RFP) to show that you know your stuff. If your InfoSec team is cloud savvy or already familiar with the vendor, it won’t be so bad. If not, prepare to send them audit reports, questionnaires, CERTs, and white papers. This approach will help build important trust while investing InfoSec in the project’s success. Conversely, if you wait until the 11th hour to pull them in, it won’t be pretty and worst case scenario, they’ll pull the plug on your project. So if you want your awesome cloud project to succeed, take my advice and “respect the InfoSec.”
Ready to consider moving backup and recovery to the cloud? Get a free trial of Druva’s single dashboard for backup, availability, and governance, or find out more information by checking out these useful resources: